====== Authenticated Encryption Zoo Guidelines ======

This wiki site specifies the guidelines for the AE Zoo. While everyone in the cryptographic community is encouraged to participate and contribute to the Zoo, we, as zookeepers, ask that contributors adhere to the guidelines posted on this page.

===== Guidelines: Overview Table =====

The guidelines in this section refer to the AE scheme overview table found on the [[ae_zoo|Authenticated Encryption Zoo front page]]. In the following we specify the meaning of each column of the table and give what we consider valid options for each column. If you feel that a valid option is missing for a particular column, we encourage you to e-mail ''aezoo@compute.dtu.dk'' with your suggestions for changes.

Without a doubt, opinions vary as to what, e.g., an online cipher is, or what "misuse resistance" means. With our valid options below, we try to capture all definitions of, or levels at which, a certain property is obtained, allowing for a good comparison of the candidates while being fair to everyone. This classification follows the comprehensive study by Abed, Forler, and Lucks (see [[http://eprint.iacr.org/2014/792|ePrint report 2014/792]]). We would also like to acknowledge the slides from Dagstuhl 2014 by Bart Preneel, from which we have drawn inspiration for these guidelines.

==== Type ====

Specify the type of the scheme. Should be one of the following:

  * **BC**: block cipher based scheme
  * **SC**: stream cipher based scheme
  * **Sponge**: scheme based on Sponge construction (duplex or otherwise)
  * **P**: permutation based scheme
  * **CF**: scheme based on compression function

==== Primitive ====

Lists the underlying primitive used for the scheme. Possible entries are:

  * **AES**: when the full AES-128 is used in a mode of operation or otherwise
  * **AES[r]**: when reduced r-round AES-128 is used
  * **Other named primitive**: e.g. Rijndael-256, PRESENT-80, SHA2, etc.
  * **Other construction types underlying the design**: e.g. LFSR, ARX, SPN, etc.

==== Parallel E/D ====

Specify separately whether the scheme is parallelizable in encryption (E) and decryption (D). Valid options are:

  * **+/+**: parallelizable in both encryption and decryption
  * **+/-**: parallelizable in encryption only
  * **-/+**: parallelizable in decryption only
  * **-/-**: neither parallelizable in encryption nor decryption

==== Online ====

Specify whether the scheme is online. An online cipher has the property that the encryption of message block $M_i$ depends only on message blocks $M_1,\ldots,M_{i-1}$. Valid options are:

  * **+**: scheme is online
  * **-**: scheme is offline

==== Inverse-free ====

Specifies whether the inverse of the underlying primitive is needed. Valid options are:

  * **+**: inverse not needed
  * **-**: inverse needed

==== Security proof ====

Specifies whether the scheme has a proof of security. Valid options are:

  * **+**: there is a proof of security
  * **-**: there is no proof of security

==== Nonce-MR ====

States the robustness of the scheme when nonces are repeated. We consider **offline** schemes and **online** schemes separately. Valid entries for both are:

  * **NONE**: when no guarantee is given if nonces are repeated

== For offline schemes ==

  * **OFF-MAX**: when repeating a nonce leaks only the ability to see a repeated message
  * **OFF-SOME**: when //some// form of robustness is guaranteed (anywhere in between **NONE** and **OFF-MAX**)

== For online schemes ==

  * **ON-MAX**: all an adversary can learn is the longest common prefix of messages for repeated nonces
  * **ON-SOME**: when //some// form of robustness is guaranteed (anywhere in between **NONE** and **ON-MAX**)
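
To make the **Online** and **ON-MAX** entries concrete, the following added example (not part of the original guidelines and not a scheme from the Zoo) builds a toy online cipher and measures what a repeated nonce reveals. Everything in it is an assumption made for illustration: the 4-round HMAC-based Feistel permutation, the SHA-256 chaining of the nonce and preceding message blocks into a tweak, the key, nonces and messages. It covers encryption only, with no authentication tag.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes; messages here are whole blocks only
HALF = BLOCK // 2

def _f(key, tweak, rnd, half):
    # Keyed round function: HMAC-SHA256 truncated to half a block.
    return hmac.new(key, tweak + bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _permute(key, tweak, block, decrypt=False):
    # Toy tweakable permutation: 4-round Feistel network (illustration only).
    left, right = block[:HALF], block[HALF:]
    for rnd in (reversed(range(4)) if decrypt else range(4)):
        if decrypt:
            left, right = _xor(right, _f(key, tweak, rnd, left)), left
        else:
            left, right = right, _xor(left, _f(key, tweak, rnd, right))
    return left + right

def online_crypt(key, nonce, data, decrypt=False):
    # Block i is permuted under a tweak built from the nonce and plaintext
    # blocks 1..i-1, so each output block is available as soon as its input is.
    state = hashlib.sha256(b"nonce" + nonce).digest()
    out = []
    for i in range(0, len(data), BLOCK):
        block = _permute(key, state, data[i:i + BLOCK], decrypt)
        out.append(block)
        plain = block if decrypt else data[i:i + BLOCK]
        state = hashlib.sha256(state + plain).digest()  # absorb the plaintext block
    return b"".join(out)

def common_prefix_blocks(a, b):
    # Number of leading blocks on which two byte strings agree.
    n = 0
    while ((n + 1) * BLOCK <= min(len(a), len(b))
           and a[n * BLOCK:(n + 1) * BLOCK] == b[n * BLOCK:(n + 1) * BLOCK]):
        n += 1
    return n

# Constructed sample input: two messages that share their first two blocks.
KEY = b"k" * 16
M1 = b"A" * 16 + b"B" * 16 + b"C" * 16 + b"D" * 16
M2 = b"A" * 16 + b"B" * 16 + b"X" * 16 + b"D" * 16
```

Encrypting ''M1'' and ''M2'' under the same nonce yields ciphertexts that agree on exactly the two shared leading blocks and nowhere after, including the identical fourth plaintext block; under distinct nonces they share no blocks at all.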