In the following we specify the meaning of each column of the table and give what we consider valid options for each column. If you feel that a valid option is missing for a particular column, we encourage you to e-mail aezoo@compute.dtu.dk with your suggestions for changes.

With no doubt, opinions vary as to what e.g. an online cipher is. With our valid options below, we try to capture all definitions or levels of which a certain property is obtained, allowing for a good comparison of the candidates.

For candidates containing several, say K, parameter sets, and where properties differ across these parameter sets, we suggest to comma-separate the properties for each set, such that the ith option in the comma-separated lists across all columns of the table correspond to the same parameter set of that particular candidate.

Specify the primitive(s) underlying the construction. Valid options are:

• AES-based (assumed AES-128)
• AES-K-based (when K != 128)
• AES[n]-based (where n is any number of rounds deviating from the standard # of rounds for base AES-K (see above). Examples: AES[4] is 4 rounds of AES-128 and AES-256[4] is 4 rounds of AES-256)
• AES-like (based on some modified version of AES)
• Sponge[P] (where P is a named permutation. Can either be part of the submission or existing permutation)
• FSR (based on feedback shift register(s))
• ARX (modular addition, rotation and XOR)
• LRX (logical operations, rotation and XOR)

Specify separately whether the scheme is parallelizable in encryption (E) and decryption (D). Valid options for both cases are:

• Fully (if there is a separation of the data into b chunks, such that each of these chunks of data can be fully processed independently of the others, allowing for constant overhead)
• Partly (if there is a separation of the data into b chunks, such that each of these chunks of data can partly be processed independently of the others, allowing for constant overhead)
• No (if none of the above apply)

Specify separately whether the scheme is online in encryption (E) and decryption (D). Valid options for both cases are:

• Fully (if the scheme can process data, and output processed data, on-the-fly, using only constant memory, and not needing to know the length of data)
• Needs length (when the above applies, except one needs to know the length of data)
• No

State the schemes resistance towards nonce misuse. Here, the nonce is defined as the tuple consisting of private message number and public message number. Valid options are:

• MAX (leaks only whether a plaintext is repeated)
• MAX online (leaks only the LCP (longest common prefix) of plaintexts)
• LCP+X (leaks LCP and XOR of next plaintext block)
• None (when all security is lost if nonce is repeated)

State whether the scheme requires the inverse of the underlying primitive when considering . ONLY applicable for block cipher- or permutation-based modes. Valid options are:

• Yes
• No
• N/A (for when not applicable, see above)