
# Authenticated Encryption Zoo Guidelines

This wiki site specifies the guidelines for the AE Zoo. While everyone in the cryptographic community is encouraged to participate and contribute to the Zoo, we, as zookeepers, ask that contributors adhere to the guidelines posted on this page.

## Guidelines: Overview Table

The guidelines in this section refer to the AE scheme overview table found on the Authenticated Encryption Zoo front page. In the following we specify the meaning of each column of the table and give what we consider valid options for each column. If you feel that a valid option is missing for a particular column, we encourage you to e-mail aezoo@compute.dtu.dk with your suggestions for changes.

Without a doubt, opinions vary as to what e.g. an online cipher is, or what “misuse resistance” means. With our valid options below, we try to capture all definitions or levels to which a certain property is obtained, allowing for a good comparison of the candidates, and being fair to everyone.

This classification follows the comprehensive study by Abed, Forler, and Lucks (see ePrint report 2014/792). We would also like to acknowledge the slides from Dagstuhl 2014 by Bart Preneel, from which we have drawn inspiration for these guidelines.

### Type

Specify the type of the scheme. It should be one of the following:

• BC: block cipher based scheme
• SC: stream cipher based scheme
• Sponge: scheme based on Sponge construction (duplex or otherwise)
• P: permutation based scheme
• CF: scheme based on compression function

### Primitive

Lists the underlying primitive used for the scheme. Possible entries are:

• AES: when the full AES-128 is used in a mode of operation or otherwise
• AES[r]: when reduced r-round AES-128 is used
• Other named primitive: e.g. Rijndael-256, PRESENT-80, SHA2, etc.
• Other construction types underlying the design: e.g. LFSR, ARX, SPN, etc.

### Parallel E/D

Specify separately whether the scheme is parallelizable in encryption (E) and decryption (D). Valid options are:

• +/+: parallelizable in both encryption and decryption
• +/-: parallelizable in encryption only
• -/+: parallelizable in decryption only
• -/-: neither parallelizable in encryption nor decryption

### Online

Specify whether the scheme is online. An online cipher has the property that the encryption of message block $M_i$ depends only on message blocks $M_1,\ldots,M_{i-1}$. Valid options are:

• +: scheme is online
• -: scheme is offline

### Inverse-free

Specifies whether the inverse of the underlying primitive is needed. Valid options are:

• +: inverse not needed
• -: inverse needed

### Security proof

Specifies whether the scheme has a proof of security. Valid options are:

• +: there is a proof of security
• -: there is no proof of security

### Nonce-MR

States the robustness of the scheme when nonces are repeated. We consider offline schemes and online schemes separately. Valid entries for both are:

• NONE: when no guarantee is given if nonces are repeated

##### For offline schemes

• OFF-MAX: when repeating a nonce leaks only the ability to see a repeated message
• OFF-SOME: when some form of robustness is guaranteed (anywhere in between NONE and OFF-MAX)

##### For online schemes

• ON-MAX: all an adversary can learn is the longest common prefix of messages for repeated nonces
• ON-SOME: when some form of robustness is guaranteed (anywhere in between NONE and ON-MAX)
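
The following is an added example, not part of the original guidelines, illustrating the Online and Nonce-MR columns. It builds two toy schemes from HMAC-SHA256, checks the online property as a black box, and counts the ciphertext blocks two messages share when a nonce is repeated. The names `enc_online`, `enc_offline`, `looks_online`, the block size and all sample values are assumptions of this example; messages are whole blocks and tags are omitted, so only the confidentiality side is shown.

```python
import hmac, hashlib

BLOCK = 16                                  # toy block size in bytes (assumption)
KEY, NONCE = b"k" * 16, b"n" * 12           # constructed sample values
M1 = b"A" * 32 + b"B" * 16 + b"C" * 16      # constructed 4-block message
M2 = b"A" * 32 + b"X" * 16 + b"C" * 16      # shares its first 2 blocks with M1

def prf(key, *parts):
    # HMAC-SHA256 as a stand-in PRF; parts are length-prefixed to keep inputs unambiguous.
    data = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def tweaked_perm(key, tweak, block):
    # 4-round Feistel keyed by (key, tweak): a toy tweakable permutation on one block.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, prf(key, tweak, bytes([rnd]), right))
    return left + right

def enc_online(key, nonce, msg):
    # Online: the permutation applied to M_i is fixed by the nonce and M_1..M_{i-1}.
    out, chain = [], prf(key, b"init", nonce)
    for m in blocks(msg):
        out.append(tweaked_perm(key, chain, m))
        chain = prf(key, b"chain", chain, m)
    return b"".join(out)

def enc_offline(key, nonce, msg):
    # Offline (SIV-like): a synthetic IV over the whole message drives every block.
    iv = prf(key, b"siv", nonce, msg)[:BLOCK]
    return iv + b"".join(xor(m, prf(key, b"ks", iv, bytes([i])))
                         for i, m in enumerate(blocks(msg)))

def shared_prefix_blocks(a, b):
    # Number of leading blocks on which two ciphertexts agree.
    pairs = list(zip(blocks(a), blocks(b)))
    return next((i for i, (x, y) in enumerate(pairs) if x != y), len(pairs))

def looks_online(enc, key, nonce, msg):
    # Black-box check: flipping a bit in the last block must leave earlier output blocks unchanged.
    other = enc(key, nonce, msg[:-1] + bytes([msg[-1] ^ 1]))
    return shared_prefix_blocks(enc(key, nonce, msg), other) >= len(blocks(msg)) - 1
```

With the nonce repeated on `M1` and `M2`, the online toy's ciphertexts agree on exactly the two-block common prefix of the messages, while the SIV-like toy's ciphertexts agree only when the whole messages are equal.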