Re: [Cfrg] Deoxys-II for AEAD

Thomas Peyrin <> Thu, 21 November 2019 21:31 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AF6AE1200D7 for <>; Thu, 21 Nov 2019 13:31:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ahrG87tpoHGG for <>; Thu, 21 Nov 2019 13:31:46 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::32a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7CBD5120074 for <>; Thu, 21 Nov 2019 13:31:46 -0800 (PST)
Received: by with SMTP id b16so4323496otk.9 for <>; Thu, 21 Nov 2019 13:31:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=CsU9FH/HjCk9McrHvdPLn3n3e7/c+0o+zaSC4PnKdyY=; b=LgdvPW76QY3P8VPZ/xOGwTBspPFzzemdrYfiBwX0u1wsTGzCnqZGcuO2c2F3+VK+ly z1CT4j24ZerFSwxctQ805aaBdGQuIsShYKwS87g5xwYOykWhvnogQZAvS/917BBVpd0B Tt5LUv8TjsHtMCvvnfsKF2/Fdiza2XCYzAzu0nrk6/Z3ORkCoc9q66DQRfkRoOkWEzga Uy7nYfisCefroOYMQAQMbfm10m5t2ZPjbM/yYaMY5us9EvK5vjeqlIlNyhDLhIT31MXP 2SMFAbg29nsjYlcZZIy9wgGBFy4niAA11mWWrTH9Z81teL5MQXMVheMDiOUUJyJhO0qq nzbg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=CsU9FH/HjCk9McrHvdPLn3n3e7/c+0o+zaSC4PnKdyY=; b=V6c1vlRJ4o3nbP2pBb0wPQRW30Mrptc2m30Rbzxyv1UqLi+AUA4fo4Zthd/zAoffmx y4q/QmuR23q7b4U2Oq3Lqs0MaozIH+H27ScLUm/CY3cEYCdQbmhyA764UJICEPlCUu/B aXoXh+v71Z+2DrQqgt5RrLuKPo/E1LqOlG2imj50/5MYdKWGnnsIVcbzVBZGO+Yz3DeT MRU9MHLn6HGgEbQyvlWu9fyEDeOyEFCflRd12/hdAyYoMDLsFt186fpeWH0eYqFENGI9 1bcaRYdGS6Fxtem2vFpS0ZmuL9mLUP6n2SvwrAbA/jtSyWBkY2wKKoQOKeJMa18wP7cn xuqA==
X-Gm-Message-State: APjAAAWa0b/Y6gs7H43bjuK5vo20BvUbVUc61bUNIVBVPktyng4XoKxd yp/+pBqBaDIHEq6JotFpP3SZgFIiitPKTNzBn78=
X-Google-Smtp-Source: APXvYqw4OU8Nbqx/Rhylhpji7hEgLgqktxt2TuXkMNsUXLXgbejzx4GzFYADxy4fhGX+ckFOW0uU+grrRJ4IUrMp3gE=
X-Received: by 2002:a9d:6a81:: with SMTP id l1mr8465155otq.369.1574371905630; Thu, 21 Nov 2019 13:31:45 -0800 (PST)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Thomas Peyrin <>
Date: Fri, 22 Nov 2019 05:31:33 +0800
Message-ID: <>
To: denis bider <>
Cc: Cfrg <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [Cfrg] Deoxys-II for AEAD
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 21 Nov 2019 21:31:49 -0000

Hi Denis,

Sure, I think MIT license would make sense. We will add optimized
implementations soon, we will take this occasion to change licenses of
all implementations that we provide on the website.



Le ven. 22 nov. 2019 à 04:33, denis bider <> a écrit :
> Two comments:
> - I'm not a cryptographer, only a user, but the described properties sound awesome!
> - Have you considered making the reference implementations available under a license other than GPL?
> This is not going to fly very far until (and unless) BSD-licensed, MIT-licensed, fully public domain, or anything other than GPL implementations are available.
> denis
> On Thu, Nov 21, 2019 at 11:11 AM Thomas Peyrin <> wrote:
>> Dear all,
>> Following my presentation at yesterday’s CFRG meeting, we would like
>> to propose Deoxys-II for consideration at IRTF. Deoxys-II is the
>> winner of the CAESAR competition for Authenticated Encryption
>> (portfolio “defense in depth”) that terminated a few months ago after
>> a 5-year process that went through several rounds of selection
>> (
>> Deoxys-II is a nonce-misuse resistant beyond-birthday AEAD
>> (Authenticated Encryption with Associated Data) scheme, with two
>> versions: 128-bit key and 256-bit key. It is based on Deoxys-BC, a new
>> tweakable block cipher that reuses the AES round function, and SCT-2,
>> a nonce-misuse resistant AEAD operating mode. We believe it presents a
>> lot of interesting features from a security and efficiency point of
>> view.
>> - It is a very simple, clean design, and offers a lot of flexibility
>> - It provides full 128-bit security for both privacy and authenticity
>> when the nonce is not reused (meaning the AE security bound is of the
>> form O(q/2^{128}), where q is the total number of encryption or
>> decryption queries). This is very different from block cipher-based
>> modes such as OCB3, GCM, or AES-GCM-SIV. To give a numerical example,
>> when encrypting 2^32 messages of 64 KB each, existing security proofs
>> ensure that the attacker against authenticity has an advantage of at
>> most 2^−37 for OCB3, 2^−41 for GCM, 2^-73 or AES-GCM-SIV, and 2^−94
>> for Deoxys-II.
>> - Nonce-misuse resistance: Deoxys-II provides very good resistance
>> when the nonce is reused. Actually, if the nonce is reused only a
>> small number of times, it retains most of its full 128-bit security as
>> the security degrades only linearly with the number of nonce
>> repetitions. This is very different from OCB3 and GCM (for which a
>> single nonce reuse breaks confidentiality and allows universal
>> forgeries). Compared to AES-GCM-SIV which is also nonce-misuse
>> resistant, Deoxys-II provides a larger security margin: for example,
>> when encrypting 2^32 messages of 64 KB each with the same nonce, the
>> attacker gets an advantage of about 2^−41 against AES-GCM-SIV versus
>> 2^−51 for Deoxys-II.
>> - Deoxys-II security has been already analyzed by the designers and by
>> many third parties during the CAESAR competition (a few publication
>> venue examples among several others: CRYPTO 2016, ISCAS 2017,
>> INDOCRYPT 2017, FSE 2018, EUROCRYPT 2018, ISC 2018, 2*FSE 2019, …).
>> One can see some of these works listed on the Deoxys website:
>>   This provides very strong
>> confidence in the design.
>> - Deoxys-II is fully parallelizable, inverse-free (no need to
>> implement decryption for the internal tweakable block cipher) and
>> initialization-free. It provides very good software performances,
>> benefiting from the AES-NI instructions and general good performances
>> of AES on any platform. Benchmarks for efficiency comparison will be
>> produced soon, but one can expect a speed at about 1.5 AES-GCM-SIV for
>> long messages, and about the same speed as AES-GCM-SIV for short
>> messages.
>> - Constant time implementations for Deoxys-II are straightforward,
>> basically using directly bitslice implementations of AES.
>> - A tweakable block cipher (TBC) such as Deoxys-BC is a very valuable
>> primitive, that can be used to build easily lots of different more
>> complex schemes, with very strong security bounds (for example,
>> several NIST LWC candidates are based on a TBC and defining a hash out
>> of it). To the best of our knowledge, there is no standard TBC as of
>> today.
>> - Deoxys-II is not covered by any patent.
>> More details on our design, reference implementations and test
>> vectors, can be found here:
>> The Deoxys-II team.
>> _______________________________________________
>> Cfrg mailing list