Re: [Cfrg] Deoxys-II for AEAD
"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 21 November 2019 20:54 UTC
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Thomas Peyrin <thomas.peyrin@gmail.com>
CC: Cfrg <cfrg@irtf.org>
Date: Thu, 21 Nov 2019 20:54:39 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/AdkZEsWLiA-cJkcmrHdQ2T-fqaI>
How does Deoxys-II compare to AES-GCM-SIV+ (not AES-GCM-SIV)? E.g., https://tools.ietf.org/html/rfc8452 and https://eprint.iacr.org/2017/168.pdf ? I don’t see how you can be faster than POLYVAL…

> From: Cfrg <cfrg-bounces@irtf.org> on behalf of denis bider <denisbider.ietf@gmail.com>
> Date: Thursday, November 21, 2019 at 3:33 PM
> To: Thomas Peyrin <thomas.peyrin@gmail.com>
> Cc: CFRG <cfrg@irtf.org>
> Subject: Re: [Cfrg] Deoxys-II for AEAD
>
> Two comments:
>
> - I'm not a cryptographer, only a user, but the described properties sound awesome!
> - Have you considered making the reference implementations available under a license other than GPL? This is not going to fly very far until (and unless) BSD-licensed, MIT-licensed, fully public domain, or anything other than GPL implementations are available.
>
> denis
>
> On Thu, Nov 21, 2019 at 11:11 AM Thomas Peyrin <thomas.peyrin@gmail.com> wrote:
>
>> Dear all,
>>
>> Following my presentation at yesterday’s CFRG meeting, we would like to propose Deoxys-II for consideration at IRTF.
>>
>> Deoxys-II is the winner of the CAESAR competition for Authenticated Encryption (portfolio “defense in depth”) that terminated a few months ago after a 5-year process that went through several rounds of selection (https://competitions.cr.yp.to/caesar-submissions.html).
>>
>> Deoxys-II is a nonce-misuse resistant beyond-birthday AEAD (Authenticated Encryption with Associated Data) scheme, with two versions: 128-bit key and 256-bit key. It is based on Deoxys-BC, a new tweakable block cipher that reuses the AES round function, and SCT-2, a nonce-misuse resistant AEAD operating mode. We believe it presents a lot of interesting features from a security and efficiency point of view.
>>
>> - It is a very simple, clean design, and offers a lot of flexibility.
>> - It provides full 128-bit security for both privacy and authenticity when the nonce is not reused (meaning the AE security bound is of the form O(q/2^{128}), where q is the total number of encryption or decryption queries). This is very different from block cipher-based modes such as OCB3, GCM, or AES-GCM-SIV. To give a numerical example, when encrypting 2^32 messages of 64 KB each, existing security proofs ensure that the attacker against authenticity has an advantage of at most 2^−37 for OCB3, 2^−41 for GCM, 2^−73 for AES-GCM-SIV, and 2^−94 for Deoxys-II.
>> - Nonce-misuse resistance: Deoxys-II provides very good resistance when the nonce is reused. Actually, if the nonce is reused only a small number of times, it retains most of its full 128-bit security, as the security degrades only linearly with the number of nonce repetitions. This is very different from OCB3 and GCM (for which a single nonce reuse breaks confidentiality and allows universal forgeries). Compared to AES-GCM-SIV, which is also nonce-misuse resistant, Deoxys-II provides a larger security margin: for example, when encrypting 2^32 messages of 64 KB each with the same nonce, the attacker gets an advantage of about 2^−41 against AES-GCM-SIV versus 2^−51 for Deoxys-II.
>> - Deoxys-II security has already been analyzed by the designers and by many third parties during the CAESAR competition (a few publication venue examples among several others: CRYPTO 2016, ISCAS 2017, INDOCRYPT 2017, FSE 2018, EUROCRYPT 2018, ISC 2018, 2*FSE 2019, …). One can see some of these works listed on the Deoxys website: https://sites.google.com/view/deoxyscipher This provides very strong confidence in the design.
>> - Deoxys-II is fully parallelizable, inverse-free (no need to implement decryption for the internal tweakable block cipher) and initialization-free. It provides very good software performance, benefiting from the AES-NI instructions and the generally good performance of AES on any platform. Benchmarks for efficiency comparison will be produced soon, but one can expect a speed of about 1.5x AES-GCM-SIV for long messages, and about the same speed as AES-GCM-SIV for short messages.
>> - Constant time implementations for Deoxys-II are straightforward, basically using directly bitslice implementations of AES.
>> - A tweakable block cipher (TBC) such as Deoxys-BC is a very valuable primitive that can be used to easily build lots of different, more complex schemes with very strong security bounds (for example, several NIST LWC candidates are based on a TBC and define a hash out of it). To the best of our knowledge, there is no standard TBC as of today.
>> - Deoxys-II is not covered by any patent.
>>
>> More details on our design, reference implementations and test vectors can be found here: https://sites.google.com/view/deoxyscipher
>>
>> The Deoxys-II team.