User Tools

Site Tools


zoo_guidelines

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
zoo_guidelines [06/10/2014 17:07:46]
damianv [Type]
zoo_guidelines [20/02/2015 10:53:58] (current)
mmeh
Line 1: Line 1:
 ====== Authenticated Encryption Zoo Guidelines ====== ====== Authenticated Encryption Zoo Guidelines ======
-This wiki site specifies the guidelines for the AE Zoo. While everyone in the cryptographic community are encourated to participate and contribute to the Zoo, we, as zookeepers, ​hope that contributer will adhere to the guidelines posted on this page.+This wiki site specifies the guidelines for the AE Zoo. While everyone in the cryptographic community are encourated to participate and contribute to the Zoo, we, as zookeepers, ​ask that contributers ​adhere to the guidelines posted on this page.
  
-===== Guidelines: ​Features of AE Schemes ​=====+===== Guidelines: ​Overview Table =====
 The guidelines in this section refer to the AE scheme overview table found on the [[ae_zoo|Authenticated Encryption Zoo front page]]. In the following we specify the meaning of each column of the table and give what we consider valid options for each column. If you feel that a valid option is missing for a particular column, we encourage you to e-mail ''​aezoo@compute.dtu.dk''​ with your suggestions for changes. The guidelines in this section refer to the AE scheme overview table found on the [[ae_zoo|Authenticated Encryption Zoo front page]]. In the following we specify the meaning of each column of the table and give what we consider valid options for each column. If you feel that a valid option is missing for a particular column, we encourage you to e-mail ''​aezoo@compute.dtu.dk''​ with your suggestions for changes.
  
-Without a doubt, opinions vary as to what e.g. an online cipher is. With our valid options below, we try to capture all definitions or levels of which a certain property is obtained, allowing for a good comparison of the candidates.+Without a doubt, opinions vary as to what e.g. an online cipher is, or what "​misuse resistance"​ means. With our valid options below, we try to capture all definitions or levels of which a certain property is obtained, allowing for a good comparison of the candidates, and being fair to everyone.
  
-For candidates containing severalsay K, parameter sets, and where properties differ across these parameter sets, we suggest to comma-separate the properties for each set, such that the ith option in the comma-separated lists across all columns of the table correspond to the same parameter set of that particular candidate. +This classification follows the comprehensive study by AbedForler, and Lucks (see [[http://​eprint.iacr.org/​2014/​792|ePrint report 2014/792]]). We would also like to acknowledge the slides from Daghstuhl 2014 by Bart Preneel, from which we have drawn inspiration for these guidelines.
- +
-We would like to acknowledge the slides from Daghstuhl 2014 by Bart Preneel, from which we have drawn inspiration for these guidelines.+
  
 ==== Type ==== ==== Type ====
-Specify the type of the scheme(s)The format should ​be **MAINTYPE/​SUBTYPE**, where **MAINTYPE** is one of +Specify the type of the scheme. ​Should ​be one of the following:​ 
- * **BC** (when the scheme ​is based on a block cipher+  ​* **BC**: block cipher based scheme 
- * **P** (when the scheme is based on a permutation) +  ​* **SC**: stream cipher based scheme 
- * **Other** (when none of the first two apply) +  * **Sponge**scheme based on Sponge construction (duplex or otherwise
-and **SUBTYPE** is one of +  * **P**permutation ​based scheme 
- * **AES-K** (when the underlying block cipher is unmodified AES with key size K. Omit -K for AES-128) +  * **CF**: scheme based on compression function 
- * **AES-K[n]** (when the underlying block cipher is n rounds of AES with key size K. Omit -K for AES-128) + 
- * **AES-like** (when based on some modified version of AES) +==== Primitive ==== 
- * **Named BC** (e.g. LED-80when some other named block cipher ​is used+Lists the underlying primitive used for the scheme. Possible entries are 
- * **Sponge[p]** (when based on a Sponge-like constructionCan replace p with a named permutation,​ which can either be part of the submission or existing permutatione.g. Keccak) +  * **AES**when the full AES-128 ​is used in a mode of operation or otherwise 
- * **FSR** (based on feedback shift register(s)) +  * **AES[r]**when reduced r-round AES-128 ​is used 
- * **ARX** (modular addition, rotation and XOR) +  * **Other named primitive**: e.g. Rijndael-256,​ PRESENT-80, SHA2, etc. 
- * **LRX** (logical operations, rotation and XOR) +  * **Other construction types underlying the design**e.g. LFSRARX, SPN, etc. 
- * **Comp[f]** (when based on compression functionCan replace f with named compression function, which can either be part of the submission or existing compression function, e.gSHA256)+ 
 +==== Parallel E/D ==== 
 +Specify separately whether the scheme ​is parallelizable in encryption (Eand decryption (D). Valid options are: 
 +  * **+/+**: parallelizable in both encryption and decryption 
 +  * **+/-**: parallelizable in encryption only 
 +  * **-/+**: parallelizable in decryption only 
 +  * **-/-**: neither parallelizable in encryption nor decryption 
 + 
 +==== Online ==== 
 +Specify whether the scheme is onlineAn online cipher has the property that the encryption of message block $M_i$ depends only on message blocks $M_1,\ldots,​M_{i-1}$Valid options are: 
 +  * **+**: scheme is online 
 +  * **-**: scheme is offline 
 + 
 +==== Inverse-free ==== 
 +Specifies whether the inverse of the underlying primitive is needed. Valid options are: 
 +  * **+**: inverse not needed 
 +  * **-**: inverse needed 
 + 
 +==== Security proof ==== 
 +Specifies whether the scheme has proof of securityValid options are: 
 +  * **+**: there is proof of security 
 +  * **-**: there is no proof of security 
 + 
 +==== Nonce-MR ==== 
 +States ​the robustness of the scheme when nonces are repeatedWe split the consideration up for **offline** schemes and **online** schemes separatelyValid entries for both are: 
 +  * **NONE**: when no guarantee is given is nonces are repeated
  
-To specify several options for parameter sets, curly braces can be used, e.g. BC/​{AES,​LED-80} for a block cipher based scheme which uses AES-128 and LED-80. +== For offline schemes ​== 
-==== Parallelizable (E/D) ==== +  * **OFF-MAX**: when repeating ​nonce leaks only the ability to see a repeated message 
-Specify separately whether the scheme is parallelizable in encryption (E) and decryption (D). Valid options for both cases are: +  * **OFF-SOME**: when //some// form of robustness is guaranteed ​(anywhere in between ​**NONE** and **OFF-MAX**)
- * **Fully** (if there is separation of the data into b chunks, such that each of these chunks of data can be **fully** processed independently of the others, allowing for constant overhead) +
- * **Partly** (if there is a separation of the data into b chunks, such that each of these chunks of data can **partly** be processed independently of the others, allowing for constant overhead) +
- * **No** (if none of the above apply)+
  
-==== Online (E/D) ==== +== For online schemes ​== 
-Specify separately whether the scheme is online in encryption (E) and decryption (D). Valid options for both cases are: +  * **ON-MAX**: all an adversary ​can learn is the longest common prefix ​of messages for repeated nonces 
- * **Fully** (if the scheme ​can process data, and output processed data, on-the-fly, using only constant memory, and **not needing to know the length ​of data**) +  * **ON-SOME**when //some// form of robustness is guaranteed (anywhere in between ​**NONE** and **ON-MAX**)
- * **Needs length** (when the above applies, except one needs to know the length ​of data) +
- * **No**+
  
-==== Nonce MR ==== 
-State the schemes resistance towards nonce misuse. Here, the nonce is defined as the tuple consisting of private message number and public message number. Valid options are: 
- * **MAX** (leaks only whether a plaintext is repeated) 
- * **MAX online** (leaks only the LCP (longest common prefix) of plaintexts) 
- * **LCP+X** (leaks LCP and XOR of next plaintext block) 
- * **A+N** (when there is some level of security if all associated data + nonce pairs are unique) 
- * **None** (when all security is lost if nonce is repeated) 
-  
-==== Inverse free ==== 
-State whether the scheme requires the inverse of the underlying primitive. ONLY applicable for block cipher- or permutation-based modes. Valid options are: 
- * **Yes** 
- * **No** 
- * **N/A** (for when not applicable, see above) 
zoo_guidelines.txt · Last modified: 20/02/2015 10:53:58 by mmeh