Re: [Cfrg] Deoxys-II for AEAD

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 21 November 2019 20:54 UTC

Return-Path: <prvs=6228f42242=uri@ll.mit.edu>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E3BD1200B4 for <cfrg@ietfa.amsl.com>; Thu, 21 Nov 2019 12:54:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.194
X-Spam-Level:
X-Spam-Status: No, score=-4.194 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_NONE=0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wKyk8Wak3aci for <cfrg@ietfa.amsl.com>; Thu, 21 Nov 2019 12:54:43 -0800 (PST)
Received: from llmx2.ll.mit.edu (LLMX2.LL.MIT.EDU [129.55.12.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B5121200FD for <cfrg@irtf.org>; Thu, 21 Nov 2019 12:54:43 -0800 (PST)
Received: from LLE2K16-MBX01.mitll.ad.local (LLE2K16-MBX01.mitll.ad.local) by llmx2.ll.mit.edu (unknown) with ESMTPS id xALKsfYj012838; Thu, 21 Nov 2019 15:54:41 -0500
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Thomas Peyrin <thomas.peyrin@gmail.com>
CC: Cfrg <cfrg@irtf.org>
Thread-Topic: [Cfrg] Deoxys-II for AEAD
Thread-Index: AQHVoI7HYUchnWzvIECG6UXueJz6aaeWaG6A//+yPIA=
Date: Thu, 21 Nov 2019 20:54:39 +0000
Message-ID: <7D43058E-BC9F-4CDF-82C3-F79A05CCF2AD@ll.mit.edu>
References: <CAA0wV7R9rUeNtoRko2pTKM_zRWnyQjzyA34+pCq_XJUS6iHC7A@mail.gmail.com> <CADPMZDC9UDpNL+OTxg1XGJ2vkTLP9Axb_XQWrUVb1XdXLUZDgw@mail.gmail.com>
In-Reply-To: <CADPMZDC9UDpNL+OTxg1XGJ2vkTLP9Axb_XQWrUVb1XdXLUZDgw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1f.0.191110
x-originating-ip: [172.25.1.85]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha256; boundary="B_3657196479_897082538"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-11-21_05:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001 definitions=main-1911210173
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/AdkZEsWLiA-cJkcmrHdQ2T-fqaI>
Subject: Re: [Cfrg] Deoxys-II for AEAD
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2019 20:54:47 -0000

How does Deoxys-II compare to AES-GCM-SIV+ (not AES-GCM-SIV)? E.g., https://tools.ietf.org/html/rfc8452 and https://eprint.iacr.org/2017/168.pdf ?

 

I don’t see how you can be faster than POLYVAL…

 

From: Cfrg <cfrg-bounces@irtf.org> on behalf of denis bider <denisbider.ietf@gmail.com>
Date: Thursday, November 21, 2019 at 3:33 PM
To: Thomas Peyrin <thomas.peyrin@gmail.com>
Cc: CFRG <cfrg@irtf.org>
Subject: Re: [Cfrg] Deoxys-II for AEAD

 

Two comments:

 

- I'm not a cryptographer, only a user, but the described properties sound awesome!

 

- Have you considered making the reference implementations available under a license other than GPL?

 

This is not going to fly very far until (and unless) BSD-licensed, MIT-licensed, fully public domain, or anything other than GPL implementations are available.

 

denis

 

On Thu, Nov 21, 2019 at 11:11 AM Thomas Peyrin <thomas.peyrin@gmail.com> wrote:

Dear all,

Following my presentation at yesterday’s CFRG meeting, we would like
to propose Deoxys-II for consideration at IRTF. Deoxys-II is the
winner of the CAESAR competition for Authenticated Encryption
(portfolio “defense in depth”) that terminated a few months ago after
a 5-year process that went through several rounds of selection
(https://competitions.cr.yp.to/caesar-submissions.html).

Deoxys-II is a nonce-misuse resistant beyond-birthday AEAD
(Authenticated Encryption with Associated Data) scheme, with two
versions: 128-bit key and 256-bit key. It is based on Deoxys-BC, a new
tweakable block cipher that reuses the AES round function, and SCT-2,
a nonce-misuse resistant AEAD operating mode. We believe it presents a
lot of interesting features from a security and efficiency point of
view.


- It is a very simple, clean design, and offers a lot of flexibility

- It provides full 128-bit security for both privacy and authenticity
when the nonce is not reused (meaning the AE security bound is of the
form O(q/2^{128}), where q is the total number of encryption or
decryption queries). This is very different from block cipher-based
modes such as OCB3, GCM, or AES-GCM-SIV. To give a numerical example,
when encrypting 2^32 messages of 64 KB each, existing security proofs
ensure that the attacker against authenticity has an advantage of at
most 2^−37 for OCB3, 2^−41 for GCM, 2^-73 or AES-GCM-SIV, and 2^−94
for Deoxys-II.

- Nonce-misuse resistance: Deoxys-II provides very good resistance
when the nonce is reused. Actually, if the nonce is reused only a
small number of times, it retains most of its full 128-bit security as
the security degrades only linearly with the number of nonce
repetitions. This is very different from OCB3 and GCM (for which a
single nonce reuse breaks confidentiality and allows universal
forgeries). Compared to AES-GCM-SIV which is also nonce-misuse
resistant, Deoxys-II provides a larger security margin: for example,
when encrypting 2^32 messages of 64 KB each with the same nonce, the
attacker gets an advantage of about 2^−41 against AES-GCM-SIV versus
2^−51 for Deoxys-II.

- Deoxys-II security has been already analyzed by the designers and by
many third parties during the CAESAR competition (a few publication
venue examples among several others: CRYPTO 2016, ISCAS 2017,
INDOCRYPT 2017, FSE 2018, EUROCRYPT 2018, ISC 2018, 2*FSE 2019, …).
One can see some of these works listed on the Deoxys website:
https://sites.google.com/view/deoxyscipher   This provides very strong
confidence in the design.

- Deoxys-II is fully parallelizable, inverse-free (no need to
implement decryption for the internal tweakable block cipher) and
initialization-free. It provides very good software performances,
benefiting from the AES-NI instructions and general good performances
of AES on any platform. Benchmarks for efficiency comparison will be
produced soon, but one can expect a speed at about 1.5 AES-GCM-SIV for
long messages, and about the same speed as AES-GCM-SIV for short
messages.

- Constant time implementations for Deoxys-II are straightforward,
basically using directly bitslice implementations of AES.

- A tweakable block cipher (TBC) such as Deoxys-BC is a very valuable
primitive, that can be used to build easily lots of different more
complex schemes, with very strong security bounds (for example,
several NIST LWC candidates are based on a TBC and defining a hash out
of it). To the best of our knowledge, there is no standard TBC as of
today.

- Deoxys-II is not covered by any patent.


More details on our design, reference implementations and test
vectors, can be found here: https://sites.google.com/view/deoxyscipher


The Deoxys-II team.

_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
https://www.irtf.org/mailman/listinfo/cfrg