Re: [Cfrg] Deoxys-II for AEAD
"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 21 November 2019 21:19 UTC
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: Thomas Peyrin <thomas.peyrin@gmail.com>, "cfrg@irtf.org" <cfrg@irtf.org>
Date: Thu, 21 Nov 2019 21:14:17 +0000
Message-ID: <ADBD3EA7-63D0-43C8-B4F8-91692EC6B118@ll.mit.edu>
References: <CAA0wV7R9rUeNtoRko2pTKM_zRWnyQjzyA34+pCq_XJUS6iHC7A@mail.gmail.com>
In-Reply-To: <CAA0wV7R9rUeNtoRko2pTKM_zRWnyQjzyA34+pCq_XJUS6iHC7A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Ld2Xr4RToiGUNs0np0D4JOI6qfY>
Subject: Re: [Cfrg] Deoxys-II for AEAD
I confess to being confused with the CAESAR process. Its web site does not say anything about completion, and lists two candidates (1st and 2nd choices) for each of the three portfolios.

Speaking of Deoxys - the site refers to the paper https://competitions.cr.yp.to/round3/deoxysv141.pdf

The paper refers to http://www1.spms.ntu.edu.sg/~syllab/Deoxys , which doesn't exist any more.

What gives???

On 11/21/19, 12:11 PM, "Cfrg on behalf of Thomas Peyrin" <cfrg-bounces@irtf.org on behalf of thomas.peyrin@gmail.com> wrote:

Dear all,

Following my presentation at yesterday’s CFRG meeting, we would like to propose Deoxys-II for consideration at IRTF. Deoxys-II is the winner of the CAESAR competition for Authenticated Encryption (portfolio “defense in depth”) that terminated a few months ago after a 5-year process that went through several rounds of selection (https://competitions.cr.yp.to/caesar-submissions.html).

Deoxys-II is a nonce-misuse resistant beyond-birthday AEAD (Authenticated Encryption with Associated Data) scheme, with two versions: 128-bit key and 256-bit key. It is based on Deoxys-BC, a new tweakable block cipher that reuses the AES round function, and SCT-2, a nonce-misuse resistant AEAD operating mode.

We believe it presents a lot of interesting features from a security and efficiency point of view.

- It is a very simple, clean design, and offers a lot of flexibility.

- It provides full 128-bit security for both privacy and authenticity when the nonce is not reused (meaning the AE security bound is of the form O(q/2^{128}), where q is the total number of encryption or decryption queries). This is very different from block cipher-based modes such as OCB3, GCM, or AES-GCM-SIV. To give a numerical example, when encrypting 2^32 messages of 64 KB each, existing security proofs ensure that the attacker against authenticity has an advantage of at most 2^−37 for OCB3, 2^−41 for GCM, 2^−73 for AES-GCM-SIV, and 2^−94 for Deoxys-II.

- Nonce-misuse resistance: Deoxys-II provides very good resistance when the nonce is reused. Actually, if the nonce is reused only a small number of times, it retains most of its full 128-bit security, as the security degrades only linearly with the number of nonce repetitions. This is very different from OCB3 and GCM (for which a single nonce reuse breaks confidentiality and allows universal forgeries). Compared to AES-GCM-SIV, which is also nonce-misuse resistant, Deoxys-II provides a larger security margin: for example, when encrypting 2^32 messages of 64 KB each with the same nonce, the attacker gets an advantage of about 2^−41 against AES-GCM-SIV versus 2^−51 for Deoxys-II.

- Deoxys-II security has already been analyzed by the designers and by many third parties during the CAESAR competition (a few publication venue examples among several others: CRYPTO 2016, ISCAS 2017, INDOCRYPT 2017, FSE 2018, EUROCRYPT 2018, ISC 2018, 2*FSE 2019, …). One can see some of these works listed on the Deoxys website: https://sites.google.com/view/deoxyscipher This provides very strong confidence in the design.

- Deoxys-II is fully parallelizable, inverse-free (no need to implement decryption for the internal tweakable block cipher) and initialization-free. It provides very good software performance, benefiting from the AES-NI instructions and the generally good performance of AES on any platform. Benchmarks for efficiency comparison will be produced soon, but one can expect a speed at about 1.5 AES-GCM-SIV for long messages, and about the same speed as AES-GCM-SIV for short messages.

- Constant-time implementations for Deoxys-II are straightforward, basically using bitslice implementations of AES directly.

- A tweakable block cipher (TBC) such as Deoxys-BC is a very valuable primitive that can easily be used to build lots of different, more complex schemes with very strong security bounds (for example, several NIST LWC candidates are based on a TBC and define a hash out of it). To the best of our knowledge, there is no standard TBC as of today.

- Deoxys-II is not covered by any patent.

More details on our design, reference implementations and test vectors can be found here: https://sites.google.com/view/deoxyscipher

The Deoxys-II team.
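The quoted message contrasts two mode shapes: a CTR-based AEAD such as GCM or OCB3, where one nonce reuse breaks confidentiality, and a synthetic-IV shape such as AES-GCM-SIV or Deoxys-II's SCT-2, where a reused nonce leaks only whether two messages were identical. The following is an added example written for this page; it is not code from the Deoxys-II team, the CAESAR submission, or any of the schemes named above. It uses HMAC-SHA256 as a stand-in PRF so that it runs with the Python standard library alone; the functions `prf`, `keystream`, `ctr_encrypt`, `siv_encrypt` and the fixed key, nonce and messages are all constructed here, and the toy reproduces only the mode-level structure, not the real ciphers or their proven bounds.

```python
"""Nonce reuse against a CTR-shaped AEAD versus a SIV-shaped AEAD.

Added example for this page, not code from any of the schemes discussed.
Assumption: HMAC-SHA256 stands in for AES / Deoxys-BC as the PRF.
"""
import hashlib
import hmac

# Constructed fixed key, nonce and associated data, so the run is reproducible.
KEY = bytes(range(32))
NONCE = b"\x00" * 12
AD = b"header"


def prf(key: bytes, *parts: bytes) -> bytes:
    """Stand-in PRF: HMAC-SHA256 over length-prefixed parts (assumption, not AES)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))  # length prefix keeps the encoding unambiguous
        h.update(p)
    return h.digest()


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream of n bytes derived from (key, iv)."""
    out = bytearray()
    block = 0
    while len(out) < n:
        out += prf(key, b"ctr", iv, block.to_bytes(8, "big"))
        block += 1
    return bytes(out[:n])


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key, nonce, ad, msg):
    """GCM/OCB-like shape: keystream depends on the nonce alone, tag is over the ciphertext."""
    ct = xor(msg, keystream(key, nonce, len(msg)))
    tag = prf(key, b"tag", nonce, ad, ct)[:16]
    return ct, tag


def ctr_decrypt(key, nonce, ad, ct, tag):
    if not hmac.compare_digest(tag, prf(key, b"tag", nonce, ad, ct)[:16]):
        raise ValueError("authentication failed")
    return xor(ct, keystream(key, nonce, len(ct)))


def siv_encrypt(key, nonce, ad, msg):
    """SIV/SCT-2-like shape: tag = MAC(nonce, ad, msg) is computed first and then
    used as the IV, so the keystream depends on the message, not only the nonce."""
    tag = prf(key, b"tag", nonce, ad, msg)[:16]
    ct = xor(msg, keystream(key, tag, len(msg)))
    return ct, tag


def siv_decrypt(key, nonce, ad, ct, tag):
    msg = xor(ct, keystream(key, tag, len(ct)))
    if not hmac.compare_digest(tag, prf(key, b"tag", nonce, ad, msg)[:16]):
        raise ValueError("authentication failed")
    return msg


def recover_from_nonce_reuse(c1, m1, c2):
    """Attacker step: if C1 = M1 ^ KS and C2 = M2 ^ KS share a keystream,
    then C1 ^ C2 ^ M1 = M2. Needs one known plaintext and equal lengths."""
    return xor(xor(c1, c2), m1)


def nonce_reuse_experiment():
    """Encrypt two distinct equal-length messages, then a repeat of the first,
    all under the same nonce, with both shapes; report what the attacker gets."""
    m1 = b"PAY 100 TO ALICE"  # constructed 16-byte messages
    m2 = b"PAY 900 TO MALLO"
    res = {}
    c1, _ = ctr_encrypt(KEY, NONCE, AD, m1)
    c2, _ = ctr_encrypt(KEY, NONCE, AD, m2)
    res["ctr_recovered_m2"] = recover_from_nonce_reuse(c1, m1, c2)  # == m2
    s1, t1 = siv_encrypt(KEY, NONCE, AD, m1)
    s2, t2 = siv_encrypt(KEY, NONCE, AD, m2)
    res["siv_recovered_m2"] = recover_from_nonce_reuse(s1, m1, s2)  # garbage
    res["siv_distinct_msgs_differ"] = (s1, t1) != (s2, t2)
    s1b, t1b = siv_encrypt(KEY, NONCE, AD, m1)
    res["siv_repeat_msg_equal"] = (s1b, t1b) == (s1, t1)  # the only leak: equality
    return res


if __name__ == "__main__":
    for k, v in nonce_reuse_experiment().items():
        print(k, v)
```

In the CTR shape the two keystreams cancel and the attacker reads the second plaintext outright; in the SIV shape each message gets its own IV through the MAC, so the same nonce yields unrelated keystreams and the attacker learns only that the repeated message was the same as an earlier one. The price of the SIV shape is a second pass over the message to compute the tag before encryption can start, which is the trade-off behind the speed comparison with AES-GCM-SIV in the message above.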
- [Cfrg] Deoxys-II for AEAD Thomas Peyrin
- Re: [Cfrg] Deoxys-II for AEAD denis bider
- Re: [Cfrg] Deoxys-II for AEAD Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Deoxys-II for AEAD Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Deoxys-II for AEAD Thomas Peyrin
- Re: [Cfrg] Deoxys-II for AEAD Tony Arcieri
- Re: [Cfrg] Deoxys-II for AEAD Thomas Peyrin
- Re: [Cfrg] Deoxys-II for AEAD Thomas Peyrin
- Re: [Cfrg] Deoxys-II for AEAD Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Deoxys-II for AEAD Thomas Peyrin
- Re: [Cfrg] Deoxys-II for AEAD Thomas Peyrin
- Re: [Cfrg] Deoxys-II for AEAD Tony Arcieri
- Re: [Cfrg] Deoxys-II for AEAD Thomas Peyrin
- Re: [Cfrg] Deoxys-II for AEAD Thomas Peyrin
- Re: [Cfrg] Deoxys-II for AEAD Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] Deoxys-II for AEAD Tony Arcieri
- Re: [Cfrg] Deoxys-II for AEAD Thomas Peyrin
- Re: [Cfrg] Deoxys-II for AEAD Salz, Rich
- Re: [Cfrg] Deoxys-II for AEAD Vasily
- Re: [Cfrg] Deoxys-II for AEAD Thomas Peyrin
- Re: [Cfrg] Deoxys-II for AEAD Blumenthal, Uri - 0553 - MITLL