[Cfrg] What are the goals of the AEAD bakeoff?

Watson Ladd <watsonbladd@gmail.com> Sun, 21 June 2020 19:01 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03A663A085C for <cfrg@ietfa.amsl.com>; Sun, 21 Jun 2020 12:01:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5q-cWY8PI5Y5 for <cfrg@ietfa.amsl.com>; Sun, 21 Jun 2020 12:01:06 -0700 (PDT)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23E673A0846 for <cfrg@irtf.org>; Sun, 21 Jun 2020 12:01:05 -0700 (PDT)
Received: by mail-lj1-x236.google.com with SMTP id 9so16865085ljv.5 for <cfrg@irtf.org>; Sun, 21 Jun 2020 12:01:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=HiDrKXZSYzZ6GlRZTqURKdAcXCQHAPL1ie46FPzaMVU=; b=izxjAT8je2YcQ1pxNFUH9L37HEd0pdLyFqHdd34CsSkDhFqm3OaDrYe8x7FRrWQR2D OrKET+vJnfjR/LXkKDvbg6ygAMdtihvEnmR3IsrXTFLL3GJmMMSaCFX/t3sXjN1FGqSz P3hEem+lgXQ2lKJ2342wWLvrfVxERE5gEJUHmN9xsPdzdjDF/nXjYNsZiducF6ZqhZfY xfybubAvxTR6S2vvyfzr8vkkTcHAGRii6KqjtiMn4nCtLwKl05GvEnMM1vyxh3lO5Mfw rReESj4yDHClhCdcX6070a7GjtIzAFo7j1NeKxfTZ8N5nW/MeEnrAcv0VJAgUh2I7EjY uw4A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=HiDrKXZSYzZ6GlRZTqURKdAcXCQHAPL1ie46FPzaMVU=; b=bwysfd3/RDrrrtModwkP5RGPSEHDaWMcUep+erM4KFjM9A/ecE+K/aKboCvXp/Q06j L998NmzlBFRqN07D2nPoNUIRFMoZwLJUOyrWiO9KADa52Afk0A5tpUZaShxYh4gUxwiA i1pp4uJs1k5T/FBHWX5hwUTN3BxzoOqw/IPzpXKO77Df+UoDZY4G+J7Wkn6fcm/eIAMe cd/5QCtsZorAOnoO46ABcyZTUizGE1xwhCUmgxeN9MAlVM0LxXLd5OD/y2XYehkzgqas CK82U1eYsiXyQIL1BbRdUt3SlHQAmCmE0OtpogMaQrDnw7N/hF+0vlU/RjcYP2i41/O8 KXMQ==
X-Gm-Message-State: AOAM532j4pS5P5rU/lH3y6QhkQ0UPYNvlpKYxsZdDqS29QDGgsode9ra Z2nYnHv6BEPjbAzoCArCcQVcZxFvKh1E7d39hPNfEPQS
X-Google-Smtp-Source: ABdhPJyC2HhnQL5rihqnNZvuXwUwUI+WBTI2AwfKNG9Yy04EHBQ2hHf3bTeAny9+H/T6F4XGYVV4Pkbyy0Nii+9FvWo=
X-Received: by 2002:a2e:3807:: with SMTP id f7mr6739506lja.234.1592766063055; Sun, 21 Jun 2020 12:01:03 -0700 (PDT)
MIME-Version: 1.0
From: Watson Ladd <watsonbladd@gmail.com>
Date: Sun, 21 Jun 2020 15:00:52 -0400
Message-ID: <CACsn0c=_fPUdoZ5x40AqZPMBN9rt=4ua9oDK8Di5znrUQQFAtQ@mail.gmail.com>
To: CFRG <cfrg@irtf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/E7nEd9V-5jCkTM8KuQEzreFYLxs>
Subject: [Cfrg] What are the goals of the AEAD bakeoff?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Jun 2020 19:01:14 -0000

Unlike PAKE, where a multitude of designs all claimed to have achieved
the same security and usability goals, the goals of this competition
seem multifaceted and in tension. On the one side is a desire for
larger encrypted data volumes, either via big blocks or beyond
birthday techniques. Evaluating a big-block construction is likely to
involve substantial symmetric cryptanalysis knowledge.

On the other is a demand for key-committing schemes and nonce hiding
schemes. Both of these are likely to have efficiency costs compared to
potentially one-pass big block (or tweaked) schemes.

I don't think it makes sense to have a competition. I think it makes
sense to articulate the problems and present them to get people
interested in proposing designs/understanding the tradeoffs, and then
maybe have a competition once that is clearer.

Sincerely,
Watson