Re: [Cfrg] Deoxys-II for AEAD

"Blumenthal, Uri - 0553 - MITLL" <> Thu, 21 November 2019 21:19 UTC

From: "Blumenthal, Uri - 0553 - MITLL" <>
To: Thomas Peyrin <>, "" <>
Thread-Topic: [Cfrg] Deoxys-II for AEAD
Date: Thu, 21 Nov 2019 21:14:17 +0000

I confess to being confused with the CAESAR process. Its web site does not say anything about completion, and lists two candidates (1st and 2nd choices) for each of the three portfolios.

Speaking of Deoxys - the site refers to the paper 
The paper refers to , which doesn't exist any more. 

What gives???

On 11/21/19, 12:11 PM, "Cfrg on behalf of Thomas Peyrin" < on behalf of> wrote:

    Dear all,

    Following my presentation at yesterday’s CFRG meeting, we would like
    to propose Deoxys-II for consideration at IRTF. Deoxys-II is the
    winner of the CAESAR competition for Authenticated Encryption
    (portfolio “defense in depth”) that terminated a few months ago after
    a 5-year process that went through several rounds of selection.

    Deoxys-II is a nonce-misuse resistant beyond-birthday AEAD
    (Authenticated Encryption with Associated Data) scheme, with two
    versions: 128-bit key and 256-bit key. It is based on Deoxys-BC, a new
    tweakable block cipher that reuses the AES round function, and SCT-2,
    a nonce-misuse resistant AEAD operating mode. We believe it presents a
    lot of interesting features from a security and efficiency point of

    - It is a very simple, clean design, and offers a lot of flexibility.

    - It provides full 128-bit security for both privacy and authenticity
    when the nonce is not reused (meaning the AE security bound is of the
    form O(q/2^{128}), where q is the total number of encryption or
    decryption queries). This is very different from block cipher-based
    modes such as OCB3, GCM, or AES-GCM-SIV. To give a numerical example,
    when encrypting 2^32 messages of 64 KB each, existing security proofs
    ensure that the attacker against authenticity has an advantage of at
    most 2^−37 for OCB3, 2^−41 for GCM, 2^-73 for AES-GCM-SIV, and 2^−94
    for Deoxys-II.

    - Nonce-misuse resistance: Deoxys-II provides very good resistance
    when the nonce is reused. Actually, if the nonce is reused only a
    small number of times, it retains most of its full 128-bit security as
    the security degrades only linearly with the number of nonce
    repetitions. This is very different from OCB3 and GCM (for which a
    single nonce reuse breaks confidentiality and allows universal
    forgeries). Compared to AES-GCM-SIV, which is also nonce-misuse
    resistant, Deoxys-II provides a larger security margin: for example,
    when encrypting 2^32 messages of 64 KB each with the same nonce, the
    attacker gets an advantage of about 2^−41 against AES-GCM-SIV versus
    2^−51 for Deoxys-II.

    - Deoxys-II security has already been analyzed by the designers and by
    many third parties during the CAESAR competition (a few publication
    venue examples among several others: CRYPTO 2016, ISCAS 2017,
    INDOCRYPT 2017, FSE 2018, EUROCRYPT 2018, ISC 2018, 2*FSE 2019, …).
    One can see some of these works listed on the Deoxys website:   This provides very strong
    confidence in the design.

    - Deoxys-II is fully parallelizable, inverse-free (no need to
    implement decryption for the internal tweakable block cipher) and
    initialization-free. It provides very good software performance,
    benefiting from the AES-NI instructions and the generally good performance
    of AES on any platform. Benchmarks for efficiency comparison will be
    produced soon, but one can expect a speed of about 1.5x AES-GCM-SIV for
    long messages, and about the same speed as AES-GCM-SIV for short

    - Constant-time implementations for Deoxys-II are straightforward,
    basically using bitsliced implementations of AES directly.

    - A tweakable block cipher (TBC) such as Deoxys-BC is a very valuable
    primitive that can be used to easily build lots of different, more
    complex schemes with very strong security bounds (for example,
    several NIST LWC candidates are based on a TBC and define a hash out
    of it). To the best of our knowledge, there is no standard TBC as of

    - Deoxys-II is not covered by any patent.

    More details on our design, reference implementations and test
    vectors can be found here:

    The Deoxys-II team.
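A back-of-envelope check of the "2^32 messages of 64 KB" figures quoted in the proposal, added here and not part of either message. It assumes 16-byte AES blocks, 64 KB = 2^16 bytes, that the advantage term for a birthday-bound mode grows roughly as σ²/2^128 in the total number of processed blocks σ (a simplification of the actual OCB3 and GCM proofs, which carry extra constants and terms), and that the Deoxys-II term is q/2^128 in the number of queries q as the proposal states.

$$\sigma = q \cdot \frac{2^{16}\ \text{bytes}}{2^{4}\ \text{bytes/block}} = 2^{32} \cdot 2^{12} = 2^{44}\ \text{blocks}$$

$$\text{birthday-type term:}\quad \frac{\sigma^{2}}{2^{128}} = 2^{88-128} = 2^{-40}$$

$$\text{beyond-birthday term (Deoxys-II):}\quad \frac{q}{2^{128}} = 2^{32-128} = 2^{-96}$$

Both values land within a few bits of the 2^−41 (GCM) and 2^−94 (Deoxys-II) bounds the proposal cites; the residual gap comes from the constants and lower-order terms in the real proofs. The structural point is what matters for capacity planning: the birthday-type term scales with the square of the data volume, so doubling message length costs two bits of margin, whereas the Deoxys-II term depends only on the number of queries, so message length does not erode it.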