Re: [Cfrg] Deoxys-II for AEAD

Thomas Peyrin <> Thu, 21 November 2019 21:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 89D08120178 for <>; Thu, 21 Nov 2019 13:49:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id OhDNgINmKlkl for <>; Thu, 21 Nov 2019 13:49:01 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7D4AA120045 for <>; Thu, 21 Nov 2019 13:49:01 -0800 (PST)
Received: by with SMTP id l202so4690637oig.1 for <>; Thu, 21 Nov 2019 13:49:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=6PP24w9QRLrTHZbmq4w6YHnnuAWTL6we3vzy6YAXQz0=; b=iC3LkX74l3iM91T9Q1dbLI6iNAGd9uVZ50+i8DzGPIfishEwIB8CAnm5EuGpGkCvk9 SbXA6uSX+najtgJsRA8J1SH9tFfc8xzJAZuunmp0APGUvgt3W2/ShJNJQY0r/fS6EAdJ CEgmZRvR6hR8YXKnxrEDTBLmBApklZJ0UA/cDUZ39A68UOFakNnaZv+IEv6+ICAhdK9t if/kj32CpFPRVcNHYTJtyFqfNqXxq/Sz0rnH2niVy0vpmbLdIh7Vp0IrbSASm0cEORPE 8/pQKvToy76fBu2ZN2MLy9Rb9x/4gOROzjqBocB9Yrl+F+2lqsKlvxvfPaGTBKmWZjDp X+/w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=6PP24w9QRLrTHZbmq4w6YHnnuAWTL6we3vzy6YAXQz0=; b=Gx/eaGBcNlg/NQ63bgliDAc6zPkNVtFr5DonUhSNLw6tT5txKZi7LYmJHAAIimmVX+ 8ElNYV+lC/iQQce56G9aPQ5vapPxGj0YNjvMMopelgDyWNe3BXl0KOi1FZDNPVn7YL2S ipJVM3/SmmJ8JJ52xdp79qy2CaAj5MTR9FlvcJV+GrOxS5pOiXPmJh+JSP9ZFOAOGTmq /7b8km+KXkUwekdO5eyRiR2a/QvS8kp6+pIxTNjPFl41n7fRdBTedl40A/iPijQPldq5 xXWHJl2WHGtMcwy/t6WpByjE8aBUzIRpyOD8sycVONOoC88U9GOkJpnI81D3s5w9F2ND ernA==
X-Gm-Message-State: APjAAAW2QfqpTQ2Y0wKgrAaVJjy24gWQ5Py7SSqJk2B24LbpKQj6VX+4 Nq5ZkvgRRJNyIFzmzS+h3Eqtpl8FdyK5M6EbjObSuX49lZ4=
X-Google-Smtp-Source: APXvYqwwuqq8qmDqXvf+kGsyGL7F7G71X0J1M424eskRcUsBnMbddyrgUJHVoqWP8lIVuDo06M/L2wjDy6i3hfNaaTI=
X-Received: by 2002:aca:417:: with SMTP id 23mr9829478oie.125.1574372940667; Thu, 21 Nov 2019 13:49:00 -0800 (PST)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Thomas Peyrin <>
Date: Fri, 22 Nov 2019 05:48:48 +0800
Message-ID: <>
To: "Blumenthal, Uri - 0553 - MITLL" <>
Cc: "" <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [Cfrg] Deoxys-II for AEAD
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 21 Nov 2019 21:49:03 -0000

Hi Uri,

the final timeline of the competition is given on this page:

Indeed, for each of the three portfolio, two candidates are given:
- "Lightweight applications": ASCON is 1st choice and ACORN is 2nd choice
- "High-performance applications": both AEGIS-128 and OCB are 1st choices
- "Defense in depth": Deoxys-II is 1st choice and COLM is 2nd choice

Sorry the broken link, but we have changed our website for Deoxys, it
is now located at:



Le ven. 22 nov. 2019 à 05:19, Blumenthal, Uri - 0553 - MITLL
<> a écrit :
> I confess to being confused with the CAESAR process. It's web site does not say anything about completion, and lists two candidates (1st and 2nd choices) for each of the three portfolios.
> Speaking of Deoxys - the site refers to the paper
> The paper refers to , which doesn't exist any more.
> What gives???
> On 11/21/19, 12:11 PM, "Cfrg on behalf of Thomas Peyrin" < on behalf of> wrote:
>     Dear all,
>     Following my presentation at yesterday’s CFRG meeting, we would like
>     to propose Deoxys-II for consideration at IRTF. Deoxys-II is the
>     winner of the CAESAR competition for Authenticated Encryption
>     (portfolio “defense in depth”) that terminated a few months ago after
>     a 5-year process that went through several rounds of selection
>     (
>     Deoxys-II is a nonce-misuse resistant beyond-birthday AEAD
>     (Authenticated Encryption with Associated Data) scheme, with two
>     versions: 128-bit key and 256-bit key. It is based on Deoxys-BC, a new
>     tweakable block cipher that reuses the AES round function, and SCT-2,
>     a nonce-misuse resistant AEAD operating mode. We believe it presents a
>     lot of interesting features from a security and efficiency point of
>     view.
>     - It is a very simple, clean design, and offers a lot of flexibility
>     - It provides full 128-bit security for both privacy and authenticity
>     when the nonce is not reused (meaning the AE security bound is of the
>     form O(q/2^{128}), where q is the total number of encryption or
>     decryption queries). This is very different from block cipher-based
>     modes such as OCB3, GCM, or AES-GCM-SIV. To give a numerical example,
>     when encrypting 2^32 messages of 64 KB each, existing security proofs
>     ensure that the attacker against authenticity has an advantage of at
>     most 2^−37 for OCB3, 2^−41 for GCM, 2^-73 or AES-GCM-SIV, and 2^−94
>     for Deoxys-II.
>     - Nonce-misuse resistance: Deoxys-II provides very good resistance
>     when the nonce is reused. Actually, if the nonce is reused only a
>     small number of times, it retains most of its full 128-bit security as
>     the security degrades only linearly with the number of nonce
>     repetitions. This is very different from OCB3 and GCM (for which a
>     single nonce reuse breaks confidentiality and allows universal
>     forgeries). Compared to AES-GCM-SIV which is also nonce-misuse
>     resistant, Deoxys-II provides a larger security margin: for example,
>     when encrypting 2^32 messages of 64 KB each with the same nonce, the
>     attacker gets an advantage of about 2^−41 against AES-GCM-SIV versus
>     2^−51 for Deoxys-II.
>     - Deoxys-II security has been already analyzed by the designers and by
>     many third parties during the CAESAR competition (a few publication
>     venue examples among several others: CRYPTO 2016, ISCAS 2017,
>     INDOCRYPT 2017, FSE 2018, EUROCRYPT 2018, ISC 2018, 2*FSE 2019, …).
>     One can see some of these works listed on the Deoxys website:
>   This provides very strong
>     confidence in the design.
>     - Deoxys-II is fully parallelizable, inverse-free (no need to
>     implement decryption for the internal tweakable block cipher) and
>     initialization-free. It provides very good software performances,
>     benefiting from the AES-NI instructions and general good performances
>     of AES on any platform. Benchmarks for efficiency comparison will be
>     produced soon, but one can expect a speed at about 1.5 AES-GCM-SIV for
>     long messages, and about the same speed as AES-GCM-SIV for short
>     messages.
>     - Constant time implementations for Deoxys-II are straightforward,
>     basically using directly bitslice implementations of AES.
>     - A tweakable block cipher (TBC) such as Deoxys-BC is a very valuable
>     primitive, that can be used to build easily lots of different more
>     complex schemes, with very strong security bounds (for example,
>     several NIST LWC candidates are based on a TBC and defining a hash out
>     of it). To the best of our knowledge, there is no standard TBC as of
>     today.
>     - Deoxys-II is not covered by any patent.
>     More details on our design, reference implementations and test
>     vectors, can be found here:
>     The Deoxys-II team.
>     _______________________________________________
>     Cfrg mailing list