Differences between two revisions of the page zoo_guidelines.
Previous revision: zoo_guidelines [06/10/2014 15:07:46] damianv [Type]
Current revision: zoo_guidelines [20/02/2015 09:53:58] (current) mmeh
Line 1: | Line 1: | ||
====== Authenticated Encryption Zoo Guidelines ====== | ====== Authenticated Encryption Zoo Guidelines ====== | ||
- | This wiki site specifies the guidelines for the AE Zoo. While everyone in the cryptographic community are encourated to participate and contribute to the Zoo, we, as zookeepers, hope that contributer will adhere to the guidelines posted on this page. | + | This wiki site specifies the guidelines for the AE Zoo. While everyone in the cryptographic community are encourated to participate and contribute to the Zoo, we, as zookeepers, ask that contributers adhere to the guidelines posted on this page. |
- | ===== Guidelines: Features of AE Schemes ===== | + | ===== Guidelines: Overview Table ===== |
The guidelines in this section refer to the AE scheme overview table found on the [[ae_zoo|Authenticated Encryption Zoo front page]]. In the following we specify the meaning of each column of the table and give what we consider valid options for each column. If you feel that a valid option is missing for a particular column, we encourage you to e-mail ''aezoo@compute.dtu.dk'' with your suggestions for changes. | The guidelines in this section refer to the AE scheme overview table found on the [[ae_zoo|Authenticated Encryption Zoo front page]]. In the following we specify the meaning of each column of the table and give what we consider valid options for each column. If you feel that a valid option is missing for a particular column, we encourage you to e-mail ''aezoo@compute.dtu.dk'' with your suggestions for changes. | ||
- | Without a doubt, opinions vary as to what e.g. an online cipher is. With our valid options below, we try to capture all definitions or levels of which a certain property is obtained, allowing for a good comparison of the candidates. | + | Without a doubt, opinions vary as to what e.g. an online cipher is, or what "misuse resistance" means. With our valid options below, we try to capture all definitions or levels of which a certain property is obtained, allowing for a good comparison of the candidates, and being fair to everyone. |
- | For candidates containing several, say K, parameter sets, and where properties differ across these parameter sets, we suggest to comma-separate the properties for each set, such that the ith option in the comma-separated lists across all columns of the table correspond to the same parameter set of that particular candidate. | + | This classification follows the comprehensive study by Abed, Forler, and Lucks (see [[http://eprint.iacr.org/2014/792|ePrint report 2014/792]]). We would also like to acknowledge the slides from Daghstuhl 2014 by Bart Preneel, from which we have drawn inspiration for these guidelines. |
- | + | ||
- | We would like to acknowledge the slides from Daghstuhl 2014 by Bart Preneel, from which we have drawn inspiration for these guidelines. | + | |
==== Type ==== | ==== Type ==== | ||
- | Specify the type of the scheme(s). The format should be **MAINTYPE/SUBTYPE**, where **MAINTYPE** is one of | + | Specify the type of the scheme. Should be one of the following: |
- | * **BC** (when the scheme is based on a block cipher) | + | * **BC**: block cipher based scheme |
- | * **P** (when the scheme is based on a permutation) | + | * **SC**: stream cipher based scheme |
- | * **Other** (when none of the first two apply) | + | * **Sponge**: scheme based on Sponge construction (duplex or otherwise) |
- | and **SUBTYPE** is one of | + | * **P**: permutation based scheme |
- | * **AES-K** (when the underlying block cipher is unmodified AES with key size K. Omit -K for AES-128) | + | * **CF**: scheme based on compression function |
- | * **AES-K[n]** (when the underlying block cipher is n rounds of AES with key size K. Omit -K for AES-128) | + | |
- | * **AES-like** (when based on some modified version of AES) | + | ==== Primitive ==== |
- | * **Named BC** (e.g. LED-80, when some other named block cipher is used) | + | Lists the underlying primitive used for the scheme. Possible entries are |
- | * **Sponge[p]** (when based on a Sponge-like construction. Can replace p with a named permutation, which can either be part of the submission or existing permutation, e.g. Keccak) | + | * **AES**: when the full AES-128 is used in a mode of operation or otherwise |
- | * **FSR** (based on feedback shift register(s)) | + | * **AES[r]**: when reduced r-round AES-128 is used |
- | * **ARX** (modular addition, rotation and XOR) | + | * **Other named primitive**: e.g. Rijndael-256, PRESENT-80, SHA2, etc. |
- | * **LRX** (logical operations, rotation and XOR) | + | * **Other construction types underlying the design**: e.g. LFSR, ARX, SPN, etc. |
- | * **Comp[f]** (when based on a compression function. Can replace f with a named compression function, which can either be part of the submission or existing compression function, e.g. SHA256) | + | |
+ | ==== Parallel E/D ==== | ||
+ | Specify separately whether the scheme is parallelizable in encryption (E) and decryption (D). Valid options are: | ||
+ | * **+/+**: parallelizable in both encryption and decryption | ||
+ | * **+/-**: parallelizable in encryption only | ||
+ | * **-/+**: parallelizable in decryption only | ||
+ | * **-/-**: neither parallelizable in encryption nor decryption | ||
+ | |||
+ | ==== Online ==== | ||
+ | Specify whether the scheme is online. An online cipher has the property that the encryption of message block $M_i$ depends only on message blocks $M_1,\ldots,M_{i-1}$. Valid options are: | ||
+ | * **+**: scheme is online | ||
+ | * **-**: scheme is offline | ||
+ | |||
+ | ==== Inverse-free ==== | ||
+ | Specifies whether the inverse of the underlying primitive is needed. Valid options are: | ||
+ | * **+**: inverse not needed | ||
+ | * **-**: inverse needed | ||
+ | |||
+ | ==== Security proof ==== | ||
+ | Specifies whether the scheme has a proof of security. Valid options are: | ||
+ | * **+**: there is a proof of security | ||
+ | * **-**: there is no proof of security | ||
+ | |||
+ | ==== Nonce-MR ==== | ||
+ | States the robustness of the scheme when nonces are repeated. We split the consideration up for **offline** schemes and **online** schemes separately. Valid entries for both are: | ||
+ | * **NONE**: when no guarantee is given is nonces are repeated | ||
- | To specify several options for parameter sets, curly braces can be used, e.g. BC/{AES,LED-80} for a block cipher based scheme which uses AES-128 and LED-80. | + | == For offline schemes == |
- | ==== Parallelizable (E/D) ==== | + | * **OFF-MAX**: when repeating a nonce leaks only the ability to see a repeated message |
- | Specify separately whether the scheme is parallelizable in encryption (E) and decryption (D). Valid options for both cases are: | + | * **OFF-SOME**: when //some// form of robustness is guaranteed (anywhere in between **NONE** and **OFF-MAX**) |
- | * **Fully** (if there is a separation of the data into b chunks, such that each of these chunks of data can be **fully** processed independently of the others, allowing for constant overhead) | + | |
- | * **Partly** (if there is a separation of the data into b chunks, such that each of these chunks of data can **partly** be processed independently of the others, allowing for constant overhead) | + | |
- | * **No** (if none of the above apply) | + | |
- | ==== Online (E/D) ==== | + | == For online schemes == |
- | Specify separately whether the scheme is online in encryption (E) and decryption (D). Valid options for both cases are: | + | * **ON-MAX**: all an adversary can learn is the longest common prefix of messages for repeated nonces |
- | * **Fully** (if the scheme can process data, and output processed data, on-the-fly, using only constant memory, and **not needing to know the length of data**) | + | * **ON-SOME**: when //some// form of robustness is guaranteed (anywhere in between **NONE** and **ON-MAX**) |
- | * **Needs length** (when the above applies, except one needs to know the length of data) | + | |
- | * **No** | + | |
- | ==== Nonce MR ==== | ||
- | State the schemes resistance towards nonce misuse. Here, the nonce is defined as the tuple consisting of private message number and public message number. Valid options are: | ||
- | * **MAX** (leaks only whether a plaintext is repeated) | ||
- | * **MAX online** (leaks only the LCP (longest common prefix) of plaintexts) | ||
- | * **LCP+X** (leaks LCP and XOR of next plaintext block) | ||
- | * **A+N** (when there is some level of security if all associated data + nonce pairs are unique) | ||
- | * **None** (when all security is lost if nonce is repeated) | ||
- | |||
- | ==== Inverse free ==== | ||
- | State whether the scheme requires the inverse of the underlying primitive. ONLY applicable for block cipher- or permutation-based modes. Valid options are: | ||
- | * **Yes** | ||
- | * **No** | ||
- | * **N/A** (for when not applicable, see above) |
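Review bot: the definition under ==== Online ==== on the new side excludes the current block: "the encryption of message block $M_i$ depends only on message blocks $M_1,\ldots,M_{i-1}$" would make ciphertext block $i$ independent of $M_i$ itself; the intended property is that it depends only on $M_1,\ldots,M_i$ (plus key and nonce), so the range should end at $M_i$. Two smaller points in the same hunk: under ==== Nonce-MR ====, "when no guarantee is given is nonces are repeated" should read "if nonces are repeated", and "encourated" / "contributers" in the intro line are still misspelt on the new side. The old side's guidance for candidates with several parameter sets (the comma-separated entry per set, and the BC/{AES,LED-80} curly-brace notation) is removed without a replacement, although the new Type, Primitive and Nonce-MR columns can still differ per parameter set; either restore that sentence or state how such candidates should fill the table. Lastly, the new Type list has both **Sponge** and **P** although a sponge or duplex construction is itself permutation based; say which value takes precedence so the column stays comparable across candidates.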