CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness

Jason Gutierrez

CAESAR finalists announced

Lightweight
Ciphers that are suitable for hardware-constrained applications (e.g., IoT). Low-cost implementation (in custom hardware or microcontrollers) prioritized over performance.
Finalists: ACORN, Ascon

High performance
Ciphers that are designed to perform fast on modern general purpose computers. Improved replacements for AES-GCM and ChaCha20/Poly1305.
Finalists: AEGIS, MORUS, OCB

Defense in depth
Prioritizes security over performance. Notably, both of the finalists for this use case are nonce misuse-resistant.
Finalists: COLM, Deoxys-II

competitions.cr.yp.to/caesar-submissions.html
Discuss.

Alexander Baker

I don't know what any of these standards are. And are these standards free-as-in-freedom?

Kayden Rivera

CAESAR (Competition for Authenticated Encryption: Security, Applicability, and Robustness) will identify a portfolio of authenticated ciphers that (1) offer advantages over AES-GCM and (2) are suitable for widespread adoption. Cryptographic algorithm designers are invited to submit proposals of authenticated ciphers to CAESAR. All proposals will be made public for evaluation.
CAESAR is run by the international cryptologic research community. The University of Illinois at Chicago applied to NIST for funding for a "Cryptographic competitions" grant, and is using some of this funding to support CAESAR benchmarking and the Directions in Authenticated Ciphers workshop series.

Luke Scott

Thanks for sharing, OP

Levi Kelly

no keyak for use case 3
This makes me sad. What the fuck is COLM and Deoxys-II???? How can they be better than Keccak????
Daniel J. Bernstein
Oh I see now.

Joseph Powell

Hongjun Wu has 4 different submissions and 3 in the final
they will sell his families organs to the jews if he doesn't win

Charles Flores

Will there be a single CAESAR winner?
The CAESAR selection committee will select a portfolio of algorithms. Experience with previous competitions suggests that a single-algorithm portfolio is unlikely to provide as much value as a multiple-algorithm portfolio. Of course, final decisions are up to the selection committee.

Andrew Baker

Can we please ban multiple question marks in a row niggers?

Justin Cooper

haha guys i'm one of you XDDDD
fucking niggers right??? XDDD
XDDDDDDDDDDDDD
ebin, dude

Camden Moore

Aren't AES and ChaCha20 theoretically unbreakable? Well, I mean there indeed was an attack on AES that was more efficient than simply bruteforcing it, but was it so bad that it warrants replacing the encryption algorithm? What about my GPG encrypted backups online, are they bust?

Aiden Foster

Yeah, AFAIK the main symmetric key cryptosystems are both in practice and theoretically sound, vs. things like RSA and ECC which have big theoretical holes.

Isaiah Torres

AES is difficult to implement securely. Not every CPU has AES-NI.
ChaCha20 is only a stream cipher. If you want authenticated encryption you have to couple it with a MAC algorithm.
The reason for this competition isn't that AES/ChaCha20 are insecure (they are very secure if used correctly). The reason for this competition is to find algorithms that perform authenticated encryption in one pass while being easier to implement than AES-GCM.
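Worked example, added here and not code from the thread or from any CAESAR submission. It illustrates the point above that a stream cipher alone gives no integrity (an attacker flips ciphertext bits and the plaintext changes predictably), shows encrypt-then-MAC with HMAC-SHA256 (the "sha256 for a MAC" a later reply mentions) rejecting that forgery, and shows what nonce reuse leaks under a plain stream cipher, which is why the nonce misuse resistance of the defense-in-depth finalists in the OP matters. The keystream generator is a toy HMAC-in-counter-mode stand-in for ChaCha20 (an assumption made so the block runs with the standard library only; it is not ChaCha20), and the keys, nonce and messages are constructed for the demonstration.

```python
# Added example, not code from the thread or from any CAESAR submission.
# (1) bare stream cipher is malleable, (2) encrypt-then-MAC with HMAC-SHA256
# rejects the forgery, (3) nonce reuse leaks p1 XOR p2 regardless of the MAC.
# The keystream is a toy stand-in for ChaCha20 (assumption), not ChaCha20.
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR-style keystream: blocks of HMAC-SHA256(key, nonce || counter).
    Stand-in for a real stream cipher; do not use in production."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher encryption and decryption are the same XOR."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def bitflip(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Forgery without the key: if the plaintext byte at `offset` is known to
    be `known`, XOR in (known ^ wanted) so it decrypts to `wanted` instead."""
    ct = bytearray(ciphertext)
    ct[offset] ^= known[0] ^ wanted[0]
    return bytes(ct)


def _tag(mac_key: bytes, nonce: bytes, aad: bytes, ct: bytes) -> bytes:
    # Length-prefix the associated data so the (aad, ct) boundary is unambiguous.
    msg = len(aad).to_bytes(8, "big") + aad + nonce + ct
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def ae_encrypt(enc_key, mac_key, nonce, plaintext, aad=b""):
    """Encrypt-then-MAC: the tag covers nonce, associated data and ciphertext."""
    ct = stream_encrypt(enc_key, nonce, plaintext)
    return ct, _tag(mac_key, nonce, aad, ct)


def ae_decrypt(enc_key, mac_key, nonce, ct, tag, aad=b""):
    """Verify the tag in constant time before decrypting anything."""
    if not hmac.compare_digest(_tag(mac_key, nonce, aad, ct), tag):
        raise ValueError("authentication failed")
    return stream_encrypt(enc_key, nonce, ct)


def decrypt_or_none(enc_key, mac_key, nonce, ct, tag, aad=b""):
    try:
        return ae_decrypt(enc_key, mac_key, nonce, ct, tag, aad)
    except ValueError:
        return None


def nonce_reuse_leak(key, nonce, p1, p2):
    """Two messages under one (key, nonce): c1 ^ c2 == p1 ^ p2, the key cancels."""
    c1 = stream_encrypt(key, nonce, p1)
    c2 = stream_encrypt(key, nonce, p2)
    return xor_bytes(c1, c2)


def demo():
    # Constructed keys, nonce and messages for the demonstration.
    enc_key, mac_key = b"\x01" * 32, b"\x02" * 32
    nonce = b"\x00" * 12
    pt = b"pay 100 to alice"
    pos = pt.index(b"1")

    # 1. Bare stream cipher: turn "100" into "900" without the key.
    ct = stream_encrypt(enc_key, nonce, pt)
    forged_pt = stream_encrypt(enc_key, nonce, bitflip(ct, pos, b"1", b"9"))

    # 2. Encrypt-then-MAC: honest ciphertext decrypts, forgery and wrong AAD fail.
    act, tag = ae_encrypt(enc_key, mac_key, nonce, pt, aad=b"hdr")
    honest = decrypt_or_none(enc_key, mac_key, nonce, act, tag, aad=b"hdr")
    tampered = decrypt_or_none(enc_key, mac_key, nonce,
                               bitflip(act, pos, b"1", b"9"), tag, aad=b"hdr")
    wrong_aad = decrypt_or_none(enc_key, mac_key, nonce, act, tag, aad=b"HDR")

    # 3. Nonce reuse with a plain stream cipher leaks p1 ^ p2.
    leak = nonce_reuse_leak(enc_key, nonce, pt, b"pay 999 to carol")
    return forged_pt, honest, tampered, wrong_aad, leak


if __name__ == "__main__":
    for label, value in zip(("forged", "honest", "tampered", "wrong_aad", "leak"), demo()):
        print(label, value)
```

Two things to take from it: ae_decrypt checks the tag with hmac.compare_digest before it touches the ciphertext, which is the discipline AES-GCM and ChaCha20/Poly1305 implementations also have to follow; and the nonce-reuse leak in part 3 is independent of the MAC, so an AEAD built on a stream cipher (AES-GCM, ChaCha20-Poly1305) still leaks p1 XOR p2 when a nonce repeats, which is exactly the failure the nonce misuse-resistant finalists are designed to survive.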

Austin Williams

What does authenticated mean here? So they are just looking for algorithms that allow prevention of information leaks through side channel attacks like spectre?

Levi Gutierrez

Things like a sha256 for a MAC

en.wikipedia.org/wiki/Authenticated_encryption

Thomas Flores

cryptopp.com/wiki/Authenticated_encryption

Hunter Evans

At a high level, COLM can be seen as a block cipher based Encrypt-Linear mix-Encrypt mode, designed with the goal to achieve online misuse resistance, to be fully parallelizable, and to be secure against blockwise adaptive adversaries.
COLM uses AES-128 with a key and state of size 128 bits.
In this note, we propose Deoxys, a new authenticated encryption design based on a tweakable block cipher Deoxys-BC using the well-studied AES round function as a building block.
Fucking AES trash won for defense in depth. What a fucking joke.
I suggest that you read the attached PDF and this: keccak.team/sponge_duplex.html

Brayden Martin

Bernstein is the number one cryptographer of all time. His word is practically gospel to cryptographers, and for good reason, he's a mega-brain. Fuck off with your /pol/ shit

Ian Young

muh eceleb
Great appeal to authority, m8.
/pol/
Please quote what part of my message is /pol/???
Bernstein is still assmad because Cubehash was rejected so now he has it in for Keccak. That is also why he made Gimli. Pathetic dwarf.

John Mitchell

number one cryptographer of all time
Also LMAO at this. He is good but hardly the best.

Matthew Johnson

I'm not appealing to authority, but stating that he *is* the authority. I'm appealing to the fact he's an authority *for a reason*.

/pol/
The way you contributed nothing useful but pointed out his name (which coincidentally ends in -stein) gave that impression.

Christopher Evans

I am not agreeing or disagreeing with you but you cannot attempt to refute one man's statement of who the best is without providing your own alternative. Someone must be the best, for the other one to not be the best.

Who is the best?

Hunter Bell

Triggered Bernstein fanboy spotted.
contributed nothing useful
(You)

Julian Peterson

I am not agreeing or disagreeing with you but you cannot attempt to refute one man's statement of who the best is without providing your own alternative.
I can and I did.
But here is my alternative: github.com/pvial00
I have no argument as to why he is the best, but neither does he have one.

Aiden Miller

You're asking for knowledge on the best cryptographers? Don't you mean the best alive?

I seem to recall a time when the best cryptographers were murdered by the alphabets.

Don't insult their memories assholes.

Julian Roberts

y no skein/threefish?