Re: [Cfrg] Deoxys-II for AEAD

Thomas Peyrin <thomas.peyrin@gmail.com> Thu, 21 November 2019 21:43 UTC

References: <CAA0wV7R9rUeNtoRko2pTKM_zRWnyQjzyA34+pCq_XJUS6iHC7A@mail.gmail.com> <CADPMZDC9UDpNL+OTxg1XGJ2vkTLP9Axb_XQWrUVb1XdXLUZDgw@mail.gmail.com> <7D43058E-BC9F-4CDF-82C3-F79A05CCF2AD@ll.mit.edu>
In-Reply-To: <7D43058E-BC9F-4CDF-82C3-F79A05CCF2AD@ll.mit.edu>
From: Thomas Peyrin <thomas.peyrin@gmail.com>
Date: Fri, 22 Nov 2019 05:43:05 +0800
Message-ID: <CAA0wV7TsA01Yu5+Opsnw0J_Eh7W_+A3k4J=C_NA8WVgQZ34yyg@mail.gmail.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Cc: Cfrg <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Y8BQ0hSYwD9Ik44aauFK3cLJQMA>
Subject: Re: [Cfrg] Deoxys-II for AEAD

Hi Uri,

For long messages, on processors with a PCLMULQDQ instruction,
AES-GCM-SIV will indeed be faster than Deoxys-II. Yet, this might not
be the case on less fancy software platforms or in hardware. Besides,
there is no initialisation needed in Deoxys-II, so for short messages
the efficiency should be very similar.

In any case, independently of the high-end server efficiency, we
believe Deoxys-II provides interesting features listed in my previous
email. Also, I would like to emphasize that trust in a symmetric key
cipher is something extremely valuable and is provided by the actual
cryptanalysis performed on the scheme. As a winner of the CAESAR
competition, Deoxys-II went through extensive cryptanalysis from the
symmetric-key crypto community.

Regards,

Thomas.

On Fri, 22 Nov 2019 at 04:54, Blumenthal, Uri - 0553 - MITLL
<uri@ll.mit.edu> wrote:
>
> How does Deoxys-II compare to AES-GCM-SIV+ (not AES-GCM-SIV)? E.g., https://tools.ietf.org/html/rfc8452 and https://eprint.iacr.org/2017/168.pdf ?
>
> I don’t see how you can be faster than POLYVAL…
>
> From: Cfrg <cfrg-bounces@irtf.org> on behalf of denis bider <denisbider.ietf@gmail.com>
> Date: Thursday, November 21, 2019 at 3:33 PM
> To: Thomas Peyrin <thomas.peyrin@gmail.com>
> Cc: CFRG <cfrg@irtf.org>
> Subject: Re: [Cfrg] Deoxys-II for AEAD
>
> Two comments:
>
> - I'm not a cryptographer, only a user, but the described properties sound awesome!
>
> - Have you considered making the reference implementations available under a license other than GPL?
>
> This is not going to fly very far until (and unless) BSD-licensed, MIT-licensed, fully public domain, or anything other than GPL implementations are available.
>
> denis
>
> On Thu, Nov 21, 2019 at 11:11 AM Thomas Peyrin <thomas.peyrin@gmail.com> wrote:
>
> Dear all,
>
> Following my presentation at yesterday’s CFRG meeting, we would like
> to propose Deoxys-II for consideration at IRTF. Deoxys-II is the
> winner of the CAESAR competition for Authenticated Encryption
> (portfolio “defense in depth”) that terminated a few months ago after
> a 5-year process that went through several rounds of selection
> (https://competitions.cr.yp.to/caesar-submissions.html).
>
> Deoxys-II is a nonce-misuse resistant beyond-birthday AEAD
> (Authenticated Encryption with Associated Data) scheme, with two
> versions: 128-bit key and 256-bit key. It is based on Deoxys-BC, a new
> tweakable block cipher that reuses the AES round function, and SCT-2,
> a nonce-misuse resistant AEAD operating mode. We believe it presents a
> lot of interesting features from a security and efficiency point of
> view.
>
> - It is a very simple, clean design, and offers a lot of flexibility
>
> - It provides full 128-bit security for both privacy and authenticity
> when the nonce is not reused (meaning the AE security bound is of the
> form O(q/2^{128}), where q is the total number of encryption or
> decryption queries). This is very different from block cipher-based
> modes such as OCB3, GCM, or AES-GCM-SIV. To give a numerical example,
> when encrypting 2^32 messages of 64 KB each, existing security proofs
> ensure that the attacker against authenticity has an advantage of at
> most 2^−37 for OCB3, 2^−41 for GCM, 2^-73 for AES-GCM-SIV, and 2^−94
> for Deoxys-II.
>
> - Nonce-misuse resistance: Deoxys-II provides very good resistance
> when the nonce is reused. Actually, if the nonce is reused only a
> small number of times, it retains most of its full 128-bit security as
> the security degrades only linearly with the number of nonce
> repetitions. This is very different from OCB3 and GCM (for which a
> single nonce reuse breaks confidentiality and allows universal
> forgeries). Compared to AES-GCM-SIV which is also nonce-misuse
> resistant, Deoxys-II provides a larger security margin: for example,
> when encrypting 2^32 messages of 64 KB each with the same nonce, the
> attacker gets an advantage of about 2^−41 against AES-GCM-SIV versus
> 2^−51 for Deoxys-II.
>
> - Deoxys-II security has been already analyzed by the designers and by
> many third parties during the CAESAR competition (a few publication
> venue examples among several others: CRYPTO 2016, ISCAS 2017,
> INDOCRYPT 2017, FSE 2018, EUROCRYPT 2018, ISC 2018, 2*FSE 2019, …).
> One can see some of these works listed on the Deoxys website:
> https://sites.google.com/view/deoxyscipher   This provides very strong
> confidence in the design.
>
> - Deoxys-II is fully parallelizable, inverse-free (no need to
> implement decryption for the internal tweakable block cipher) and
> initialization-free. It provides very good software performances,
> benefiting from the AES-NI instructions and general good performances
> of AES on any platform. Benchmarks for efficiency comparison will be
> produced soon, but one can expect a speed at about 1.5 AES-GCM-SIV for
> long messages, and about the same speed as AES-GCM-SIV for short
> messages.
>
> - Constant time implementations for Deoxys-II are straightforward,
> basically using directly bitslice implementations of AES.
>
> - A tweakable block cipher (TBC) such as Deoxys-BC is a very valuable
> primitive, that can be used to build easily lots of different more
> complex schemes, with very strong security bounds (for example,
> several NIST LWC candidates are based on a TBC and define a hash out
> of it). To the best of our knowledge, there is no standard TBC as of
> today.
>
> - Deoxys-II is not covered by any patent.
>
> More details on our design, reference implementations and test
> vectors, can be found here: https://sites.google.com/view/deoxyscipher
>
> The Deoxys-II team.
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> https://www.irtf.org/mailman/listinfo/cfrg
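
Worked example of the nonce-misuse point made in the quoted proposal (the contrast between GCM/OCB-style modes, where one nonce reuse leaks the XOR of plaintexts, and SIV-style modes such as SCT-2, where only plaintext equality leaks). This is an added illustration, not code from the Deoxys-II team or any implementation of Deoxys-BC: HMAC-SHA256 is assumed as a stand-in PRF for the tweakable block cipher, the function names are hypothetical, and the key, nonce and messages are constructed inline.

```python
"""Toy model of two AEAD mode structures under nonce reuse.

  ctr_aead_encrypt : GCM/OCB-style. Keystream = PRF(K, nonce || counter),
                     so reusing (K, nonce) reuses the keystream and an
                     attacker gets C1 xor C2 = P1 xor P2 for free.
  siv_aead_encrypt : SIV/SCT-2-style. A tag is first computed over
                     (nonce, AD, plaintext); the keystream is then derived
                     from that tag. Reusing the nonce only reveals whether
                     two (AD, plaintext) pairs are identical.

Assumption: HMAC-SHA256 stands in for the tweakable block cipher / PRF.
This is a pedagogical model of the mode structure only, not Deoxys-II.
"""
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """Stand-in PRF (assumed: HMAC-SHA256 instead of a TBC call)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream: PRF(key, "ks" || iv || counter) blocks."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += prf(key, b"ks" + iv + ctr.to_bytes(8, "big"))
        ctr += 1
    return bytes(out[:n])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _encode_ad(ad: bytes) -> bytes:
    # Length-prefix the AD so (AD, data) boundaries are unambiguous.
    return len(ad).to_bytes(8, "big") + ad


def ctr_aead_encrypt(key: bytes, nonce: bytes, ad: bytes, pt: bytes):
    """Encrypt-then-MAC with keystream derived from the nonce alone."""
    ct = xor_bytes(pt, keystream(key, nonce, len(pt)))
    tag = prf(key, b"tag" + nonce + _encode_ad(ad) + ct)[:16]
    return ct, tag


def siv_aead_encrypt(key: bytes, nonce: bytes, ad: bytes, pt: bytes):
    """SIV-style: tag over the plaintext first, then encrypt under the tag."""
    tag = prf(key, b"tag" + nonce + _encode_ad(ad) + pt)[:16]
    ct = xor_bytes(pt, keystream(key, tag, len(pt)))
    return ct, tag


def siv_aead_decrypt(key: bytes, nonce: bytes, ad: bytes, ct: bytes, tag: bytes):
    """Decrypt with the received tag, then verify it against the plaintext."""
    pt = xor_bytes(ct, keystream(key, tag, len(ct)))
    expected = prf(key, b"tag" + nonce + _encode_ad(ad) + pt)[:16]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return pt


def nonce_reuse_leak(encrypt, key: bytes, nonce: bytes, ad: bytes,
                     p1: bytes, p2: bytes) -> bytes:
    """What a passive attacker computes from two ciphertexts under one
    (key, nonce): the XOR of the two ciphertexts."""
    c1, _ = encrypt(key, nonce, ad, p1)
    c2, _ = encrypt(key, nonce, ad, p2)
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    # Constructed sample values; a real key must be random.
    key = bytes(range(32))
    nonce = b"\x00" * 15
    p1, p2 = b"attack at dawn!!", b"retreat at dusk!"
    ctr_leak = nonce_reuse_leak(ctr_aead_encrypt, key, nonce, b"hdr", p1, p2)
    siv_leak = nonce_reuse_leak(siv_aead_encrypt, key, nonce, b"hdr", p1, p2)
    print("CTR-style leaks P1^P2:", ctr_leak == xor_bytes(p1, p2))
    print("SIV-style leaks P1^P2:", siv_leak == xor_bytes(p1, p2))
```

The SIV-style function is deterministic for a fixed (key, nonce, AD, plaintext), which is exactly the residual leak the proposal describes for nonce reuse: an observer can tell that the same message was sent twice, but learns nothing about differing messages. Decryption must use the received tag before it can be verified, which is why misuse-resistant modes of this shape are not online on the decryption side.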