zoo_guidelines

# Differences

This shows you the differences between two versions of the page.

 zoo_guidelines [06/10/2014 15:07:46]damianv [Type] zoo_guidelines [20/02/2015 09:53:58] (current)mmeh Both sides previous revision Previous revision 20/02/2015 09:53:58 mmeh 06/10/2014 15:07:46 damianv [Type] 02/10/2014 12:55:10 damianv [Type] 10/04/2014 14:45:46 mmeh [Inverse free] 10/04/2014 14:32:10 mmeh [Nonce MR] 10/04/2014 14:24:50 mmeh [Type] 10/04/2014 14:23:39 mmeh [Type] 10/04/2014 14:23:08 mmeh [Type] 19/03/2014 18:34:31 mmeh created Line 1: Line 1: ====== Authenticated Encryption Zoo Guidelines ====== ====== Authenticated Encryption Zoo Guidelines ====== - This wiki site specifies the guidelines for the AE Zoo. While everyone in the cryptographic community are encourated to participate and contribute to the Zoo, we, as zookeepers, ​hope that contributer will adhere to the guidelines posted on this page. + This wiki site specifies the guidelines for the AE Zoo. While everyone in the cryptographic community are encourated to participate and contribute to the Zoo, we, as zookeepers, ​ask that contributers ​adhere to the guidelines posted on this page. - ===== Guidelines: ​Features of AE Schemes ​===== + ===== Guidelines: ​Overview Table ===== The guidelines in this section refer to the AE scheme overview table found on the [[ae_zoo|Authenticated Encryption Zoo front page]]. In the following we specify the meaning of each column of the table and give what we consider valid options for each column. If you feel that a valid option is missing for a particular column, we encourage you to e-mail ''​aezoo@compute.dtu.dk''​ with your suggestions for changes. 
The guidelines in this section refer to the AE scheme overview table found on the [[ae_zoo|Authenticated Encryption Zoo front page]]. In the following we specify the meaning of each column of the table and give what we consider valid options for each column. If you feel that a valid option is missing for a particular column, we encourage you to e-mail ''​aezoo@compute.dtu.dk''​ with your suggestions for changes. - Without a doubt, opinions vary as to what e.g. an online cipher is. With our valid options below, we try to capture all definitions or levels of which a certain property is obtained, allowing for a good comparison of the candidates. + Without a doubt, opinions vary as to what e.g. an online cipher is, or what "​misuse resistance"​ means. With our valid options below, we try to capture all definitions or levels of which a certain property is obtained, allowing for a good comparison of the candidates, and being fair to everyone. - For candidates containing several, say K, parameter sets, and where properties differ across these parameter sets, we suggest to comma-separate the properties for each set, such that the ith option in the comma-separated lists across all columns of the table correspond to the same parameter set of that particular candidate. + This classification follows the comprehensive study by Abed, Forler, and Lucks (see [[http://​eprint.iacr.org/​2014/​792|ePrint report 2014/792]]). We would also like to acknowledge the slides from Daghstuhl 2014 by Bart Preneel, from which we have drawn inspiration for these guidelines. - + - We would like to acknowledge the slides from Daghstuhl 2014 by Bart Preneel, from which we have drawn inspiration for these guidelines. + ==== Type ==== ==== Type ==== - Specify the type of the scheme(s). The format should ​be **MAINTYPE/​SUBTYPE**, where **MAINTYPE** is one of + Specify the type of the scheme. 
​Should ​be one of the following:​ - * **BC** (when the scheme ​is based on a block cipher) + ​* **BC**: block cipher based scheme - * **P** (when the scheme is based on a permutation) + ​* **SC**: stream cipher based scheme - * **Other** (when none of the first two apply) + * **Sponge**: scheme based on Sponge construction (duplex or otherwise) - and **SUBTYPE** is one of + * **P**: permutation ​based scheme - * **AES-K** (when the underlying block cipher is unmodified AES with key size K. Omit -K for AES-128) + * **CF**: scheme based on compression function - * **AES-K[n]** (when the underlying block cipher is n rounds of AES with key size K. Omit -K for AES-128) + - * **AES-like** (when based on some modified version of AES) + ==== Primitive ==== - * **Named BC** (e.g. LED-80, when some other named block cipher ​is used) + Lists the underlying primitive used for the scheme. Possible entries are - * **Sponge[p]** (when based on a Sponge-like construction. Can replace p with a named permutation,​ which can either be part of the submission or existing permutation, e.g. Keccak) + * **AES**: when the full AES-128 ​is used in a mode of operation or otherwise - * **FSR** (based on feedback shift register(s)) + * **AES[r]**: when reduced r-round AES-128 ​is used - * **ARX** (modular addition, rotation and XOR) + * **Other named primitive**: e.g. Rijndael-256,​ PRESENT-80, SHA2, etc. - * **LRX** (logical operations, rotation and XOR) + * **Other construction types underlying the design**: e.g. LFSR, ARX, SPN, etc. - * **Comp[f]** (when based on a compression function. Can replace f with a named compression function, which can either be part of the submission or existing compression function, e.g. SHA256) + + ==== Parallel E/D ==== + Specify separately whether the scheme ​is parallelizable in encryption (E) and decryption (D). 
Valid options are: + * **+/+**: parallelizable in both encryption and decryption + * **+/-**: parallelizable in encryption only + * **-/+**: parallelizable in decryption only + * **-/-**: neither parallelizable in encryption nor decryption + + ==== Online ==== + Specify whether the scheme is online. An online cipher has the property that the encryption of message block $M_i$ depends only on message blocks $M_1,\ldots,​M_{i-1}$. Valid options are: + * **+**: scheme is online + * **-**: scheme is offline + + ==== Inverse-free ==== + Specifies whether the inverse of the underlying primitive is needed. Valid options are: + * **+**: inverse not needed + * **-**: inverse needed + + ==== Security proof ==== + Specifies whether the scheme has a proof of security. Valid options are: + * **+**: there is a proof of security + * **-**: there is no proof of security + + ==== Nonce-MR ==== + States ​the robustness of the scheme when nonces are repeated. We split the consideration up for **offline** schemes and **online** schemes separately. Valid entries for both are: + * **NONE**: when no guarantee is given is nonces are repeated - To specify several options for parameter sets, curly braces can be used, e.g. BC/​{AES,​LED-80} for a block cipher based scheme which uses AES-128 and LED-80. + == For offline schemes ​== - ==== Parallelizable (E/D) ==== + * **OFF-MAX**: when repeating ​a nonce leaks only the ability to see a repeated message - Specify separately whether the scheme is parallelizable in encryption (E) and decryption (D). 
Valid options for both cases are: + * **OFF-SOME**: when //some// form of robustness is guaranteed ​(anywhere in between ​**NONE** and **OFF-MAX**) - * **Fully** (if there is a separation of the data into b chunks, such that each of these chunks of data can be **fully** processed independently of the others, allowing for constant overhead) + - * **Partly** (if there is a separation of the data into b chunks, such that each of these chunks of data can **partly** be processed independently of the others, allowing for constant overhead) + - * **No** (if none of the above apply) + - ==== Online (E/D) ==== + == For online schemes ​== - Specify separately whether the scheme is online in encryption (E) and decryption (D). Valid options for both cases are: + * **ON-MAX**: all an adversary ​can learn is the longest common prefix ​of messages for repeated nonces - * **Fully** (if the scheme ​can process data, and output processed data, on-the-fly, using only constant memory, and **not needing to know the length ​of data**) + * **ON-SOME**: when //some// form of robustness is guaranteed (anywhere in between ​**NONE** and **ON-MAX**) - * **Needs length** (when the above applies, except one needs to know the length ​of data) + - * **No** + - ==== Nonce MR ==== - State the schemes resistance towards nonce misuse. Here, the nonce is defined as the tuple consisting of private message number and public message number. Valid options are: - * **MAX** (leaks only whether a plaintext is repeated) - * **MAX online** (leaks only the LCP (longest common prefix) of plaintexts) - * **LCP+X** (leaks LCP and XOR of next plaintext block) - * **A+N** (when there is some level of security if all associated data + nonce pairs are unique) - * **None** (when all security is lost if nonce is repeated) - - ==== Inverse free ==== - State whether the scheme requires the inverse of the underlying primitive. ONLY applicable for block cipher- or permutation-based modes. 
Valid options are: - * **Yes** - * **No** - * **N/A** (for when not applicable, see above)
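Review bot: the revised first paragraph (the "+ This wiki site specifies ..." line) keeps the spelling errors of the old version: "encourated" should be "encouraged", "contributers" should be "contributors", and "everyone in the cryptographic community are encourated" should be "everyone ... is encouraged". The change from "hope that" to "ask that" is fine; fix the spelling in the same edit since the line is being rewritten anyway.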
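Review bot: removing the paragraph on comma-separating properties for candidates with several parameter sets (and, under Type, the curly-brace note "BC/{AES,LED-80}") leaves the guidelines with no stated convention for a candidate whose properties differ across parameter sets, and the new single-character columns (+/-) make that case more likely to arise, not less. Either keep one sentence saying that the i-th entry in each column refers to the i-th parameter set, or state explicitly that only the primary parameter set is recorded in the overview table. Also, "Daghstuhl" in the acknowledgement sentence is misspelled in both versions; it should be "Dagstuhl".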
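Review bot: in the new Type list, "Sponge" and "P" overlap, since a sponge (duplex or otherwise) is itself built on a permutation, so a reader cannot tell which to choose for a permutation-based design; state the rule (for example, "Sponge" only when the scheme follows the sponge or duplex construction, "P" for any other permutation-based mode). In the new Primitive list, "AES" and "AES[r]" are pinned to AES-128, whereas the old "AES-K" and "AES-K[n]" subtypes recorded the key size; the new text gives no way to write AES-256 or a reduced-round AES-256 other than "Other named primitive", so either restore the "-K" suffix or say that other key sizes go under that entry. Finally, "Other construction types underlying the design: e.g. LFSR, ARX, SPN" mixes a primitive with a design style (ARX or SPN describes how the primitive is built, not which primitive it is); consider saying that such an entry is used only when the design has no named primitive.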
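Review bot: the new definition under "Online" is off by one: "the encryption of message block $M_i$ depends only on message blocks $M_1,\ldots,M_{i-1}$" excludes $M_i$ itself; it should read "the ciphertext block $C_i$ depends only on $M_1,\ldots,M_i$". Two distinctions from the old version are also lost in this region without a replacement: the old "Online (E/D)" column recorded encryption and decryption separately and had a "Needs length" option for schemes that are online except for needing the data length up front, and the old "Parallelizable (E/D)" column distinguished "Fully" from "Partly". The new +/- pairs have no value for a partly-parallelizable or length-dependent scheme; either add a middle value or say on which side of the +/- boundary such schemes fall.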
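Review bot: the new "Inverse-free" column drops the old "N/A" option together with its note that the question only applies to block-cipher- or permutation-based modes, yet the new Type list adds "SC" and "CF" schemes, for which "the inverse of the underlying primitive" has no clear meaning; keep an "N/A" entry or state that such schemes are recorded as "+". The new "Security proof" column with only +/- does not say what counts as a proof: a standard-model proof and an ideal-primitive proof, or a proof for nonce-respecting adversaries and one covering nonce misuse, are very different claims, so the guideline should at least say where the model and the claimed notions are documented (for instance on the scheme's own page).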
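Review bot: in the new "Nonce-MR" section, "when no guarantee is given is nonces are repeated" should read "if nonces are repeated". The old definition of the nonce as the tuple of private message number and public message number was removed and not restated, so it is now unclear whether a repeated public message number with a distinct private message number counts as a repeat; restore that sentence. "OFF-MAX: when repeating a nonce leaks only the ability to see a repeated message" is clearer in the old wording, "leaks only whether a plaintext is repeated". The old "LCP+X" and "A+N" levels now fall under "ON-SOME" and "OFF-SOME" respectively; say so explicitly so that existing table entries can be migrated consistently.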