Re: [Cfrg] Do we need a selection contest for AEAD?

Thomas Peyrin <> Wed, 24 June 2020 17:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 752403A10A7 for <>; Wed, 24 Jun 2020 10:53:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5cbJ4LSPoCB0 for <>; Wed, 24 Jun 2020 10:53:19 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::629]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 455F63A1054 for <>; Wed, 24 Jun 2020 10:53:19 -0700 (PDT)
Received: by with SMTP id k1so1346061pls.2 for <>; Wed, 24 Jun 2020 10:53:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8GIBX39AwQEk6/gIMFlvzPw3ZmRr0O+Cz1m2TmPeoqY=; b=A5US9gQYoAuVnfyMtWDXxZ3+mk5Rgrj94w18YPGrn1ttDCZ/MmnuW9x8ZRbdK1KkIK pO1ADDiZMyom5soQSx+2KAjIk8QwT9nsrgcGFzMuvxnHLUlJK3i0LBhJLvmjWeoqJ0Xy uQO8puRYefWYW+XilFk/QVnXkoZo2x3LyHD37HvuFu1VlySvhJFKag4SWJ7nudbwJ+6G BmOPAC90VReI8HtLaWzhQL+flQwV/B8xPQS8NN5GKTflamVlJmxU2efFiOHvSG9RY7AN HjpKngjxMtQrRoy5Ag/dftnWXWQl6kVo5At1UwsqolIL9X3zIo5j91FDotfAu1BRnF6Z dp3Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8GIBX39AwQEk6/gIMFlvzPw3ZmRr0O+Cz1m2TmPeoqY=; b=GswOjpGOJLRQ0lV1R/D4F/k+LZF8QOacUltKdTNHG0Hwi+Fl9Nm97WE+BUPw63dT4A dWR9RvvKb+3T00EgMEMxapZUu6D/NsUcRFd3SmbfqLQp9TQ8CBHifwIsqP6LvcNtvaTr 72GVCCAjSyP/C9YeFOoVPsvRxoqg1Z+AeoTLVNzVlRN3icCJiGf8CDC9auzM5aOkKvF4 5aDmG9fFOnvX/0iA+RFAH0ChgN5JOW2JCRniUY53QgIFWxHr01H2YfCMLPx+Za+HLaHB XlnW/E6vwJ08eMqxCB/wKQRUJvf3Ysj9YCK2DsV1O3h/LHjeM36PlcZXwDanSXRBUNsI g1Ng==
X-Gm-Message-State: AOAM533vcJeEMjbUObpFgX3ZFBGCX2WrOxVUrL0+hcb4EVwuN2m/cjzO 7Mm3p0rqGoffkQr9ZgNDwbYT94gEsL24zsnNotY=
X-Google-Smtp-Source: ABdhPJwO8x6UiPPj48PTvrptDG/9stn3qu00Pky2qC2kVMYagPGIFP0g5hxn9R/rg3BJExos5fnyap1fpbEYZ6/iAxw=
X-Received: by 2002:a17:90a:f40e:: with SMTP id ch14mr31498166pjb.197.1593021198477; Wed, 24 Jun 2020 10:53:18 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <>
In-Reply-To: <>
From: Thomas Peyrin <>
Date: Thu, 25 Jun 2020 01:53:06 +0800
Message-ID: <>
To: "Blumenthal, Uri - 0553 - MITLL" <>
Cc: Yevgeniy Dodis <>, Paul Grubbs <>, CFRG <>
Content-Type: multipart/alternative; boundary="000000000000a7ad7305a8d826b5"
Archived-At: <>
Subject: Re: [Cfrg] Do we need a selection contest for AEAD?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 24 Jun 2020 17:53:21 -0000

As a co-designer of Deoxys, my view is obviously biased here. I think a
competition will only be successful if we have people submitting schemes
(that's very easy) and much more importantly people analyzing them (that's
very hard). Are we sure that we currently have the manpower and enough
incentives to bring researchers around the world to work on that ?

I speak as a researcher that worked on designing schemes and trying to
break others during competitions. Cryptanalysis is a very very unrewarding
task: if you work a lot and eventually manage to break a crypto competition
design (lucky situation), you will actually get a paper and it will never
be cited (the design is dead). Most of the time, you spend weeks/months
trying to break a design and nothing comes out, and sometimes it really
feels like you wasted your time. My point is that cryptanalysis work is the
most valuable asset here, and I don't think we should ditch all the
cryptanalysis work that was provided during the CAESAR competition. First,
because it would be a waste, and secondly because it would send quite a
negative message to all people actually doing the cryptanalysis work. Why
would I spend time on breaking designs if in the end the competition
results are kind of ignored?

As a side point, CAESAR was organized generally by the symmetric-key crypto
community and was already focusing on just 3 use-cases. Even with that, I
would say in general it didn't get the traction that everyone hoped for. I
fear that with a competition with many targets, this will get even worse.
Perhaps a way to go would be to check what use-cases are already handled by
existing designs (I think most of them already have a satisfactory scheme)
and do specialized competitions for more recent and more exotic security
notions ? This would focus the manpower where it is actually needed.



Le jeu. 25 juin 2020 à 01:14, Blumenthal, Uri - 0553 - MITLL <>
a écrit :

> I don't support that idea, because different use cases require different
> "optimizations". My use case doesn't care for nonce hiding, but cares very
> much for performance, and for the ability to have defined security bounds
> for truncated synthetic IV.
> There is no "one size fits all", or "one champion fits all". Even CAESAR
> results may not be granular enough (several categories, with a winner in
> each one).
> Or are you planning to have a *separate* competition for *each* of those
> listed below:
>     they have a clear guide what to choose from. Whether this is
>     committing, remotely-keyed, ZK-friendly, lightweight,
>     side-channel-resistant, nonce-misuse resistant, nonce-hiding,
>     beyond-birthday, etc.
> On 6/24/20, 13:09, "Cfrg on behalf of Yevgeniy Dodis" <
> on behalf of> wrote:
>     I support Paul's idea. I feel AEAD landscape is getting a bit out of
>     hand, even despite the CEASAR competition.
>     Would be good to bring back more structure and understanding, so when
>     people in the industry need an AEAD scheme,
>     they have a clear guide what to choose from. Whether this is
>     committing, remotely-keyed, ZK-friendly, lightweight,
>     side-channel-resistant, nonce-misuse resistant, nonce-hiding,
>     beyond-birthday, etc.
>     On Wed, Jun 24, 2020 at 12:34 PM Paul Grubbs <>
> wrote:
>     >
>     > I think an AEAD competition is a great idea. Recently I've been
> studying the AEAD landscape, and there seem to be a lot of gaps between the
> needs of applications/protocols and the properties widely-used schemes
> provide. To address this and get a sense of which needs are most pressing,
> it might be good to have the first round be more of a "meta-competition"
> for discussing and prioritizing requirements and use cases. The result of
> this would be an (ideally small) list of well-defined design targets, for
> which people can propose schemes in subsequent rounds.
>     >
>     > I'd also like to suggest another use case for AEAD: ZK-friendly AEAD
> modes. These modes would be compatible with efficient ZK proof systems and
> would make it easy to prove properties of plaintexts in zero knowledge.
>     >
>     > On Fri, Jun 19, 2020 at 1:32 PM Stanislav V. Smyshlyaev <
>> wrote:
>     >>
>     >> Dear CFRG,
>     >>
>     >> The chairs would like to ask for opinions whether it seems
> reasonable to initiate an AEAD mode selection contest in CFRG, to review
> modern AEAD modes and recommend a mode (or several modes) for the IETF.
>     >>
>     >> We’ve recently had a CAESAR contest, and, of course, its results
> have to be taken into account very seriously. In addition to the properties
> that were primarily addressed during the CAESAR contest (like protection
> against side-channel attacks, authenticity/limited privacy damage in case
> of nonce misuse or release of unverified plaintexts, robustness in such
> scenarios as huge amounts of data), the following properties may be
> especially important for the usage of AEAD mechanisms in IETF protocols:
>     >> 1) Leakage resistance.
>     >> 2) Incremental AEAD.
>     >> 3) Commitment AEAD (we've had a discussion in the list a while ago).
>     >> 4) RUP-security (it was discussed in the CAESAR contest, but the
> finalists may have some issues with it, as far as I understand).
>     >> 5) Ability to safely encrypt a larger maximum number of bytes per
> key (discussed in QUIC WG)..
>     >>
>     >> Does this look reasonable?
>     >> Any thoughts about the possible aims of the contest?
>     >> Any other requirements for the mode?
>     >>
>     >> Regards,
>     >> Stanislav, Alexey, Nick
>     >> _______________________________________________
>     >> Cfrg mailing list
>     >>
>     >>
>     >
>     > _______________________________________________
>     > Cfrg mailing list
>     >
>     >
>     _______________________________________________
>     Cfrg mailing list
> _______________________________________________
> Cfrg mailing list