
2 May 2012

DIAC: Directions in Authenticated Ciphers

Previous in this thread:

0294.htm   Cryptographers vs. Software Engineers   April 28, 2012


Date: 3 May 2012 01:00:52 -0000
From: "D. J. Bernstein" <djb[at]cr.yp.to>
To: cryptography[at]randombit.net
Subject: [cryptography] DIAC: Directions in Authenticated Ciphers

The DIAC submission page is now open, with a deadline at the end of Monday 7 May (American Samoa time):

http://hyperelliptic.org/conferences/diac/iChair/submit.php

DIAC is an ECRYPT-sponsored workshop that will take place 5 - 6 July in Stockholm, in particular evaluating the idea of a new competition for authenticated ciphers. The call for papers asks for submissions on new components, combinations, attacks, and implementations, but also asks for submissions discussing requirements -- what users actually want. Submissions of panel proposals, white papers, lists of desiderata, etc. are encouraged, and there are no particular length requirements.

I should emphasize that an authenticated-cipher competition would be much more than an "AE mode" competition. There are certainly people working on new ways to use AES, but there are many more people working on new authenticators, new block ciphers, new stream ciphers, new ciphers with built-in authentication mechanisms, etc.

Zooko Wilcox-O'Hearn writes:

> authenticated encryption can't satisfy any of my use cases!

Of course it can! Evidently you want to combine it with public-key signatures, which will render the secret-key authenticator useless, so for efficiency you'd like to suppress that authenticator. This doesn't work well with something like AES-OCB3, but it does work well with something like AES-GCM, giving you AES-CTR.

There are clear engineering advantages to having an AES-CTR module that's reused by AES-GCM (for applications that want the authentication) and by Tahoe-LAFS. On the other hand, AES-OCB3 encrypts faster. If you help people see Tahoe-LAFS as part of this picture then you have a chance of influencing future work in a way that you'd find useful.

Let me again emphasize that these AES modes are only one corner of the authenticated-ciphers topic. If we do in fact end up with hundreds of cryptographers working on authenticated ciphers for years then I wouldn't bet on AES (or GCM, or OCB3) being part of the final result.

ianG writes:

> the cryptographer's push for AE mode is simply the creation of a more perfect hammer, when our real worries are about the building, not the nail.

I agree that the building is in sorry shape, but you shouldn't paint an overly positive view of the current hammer. Here are a few recent and ongoing examples of failures of secret-key cryptography:

* OpenSSH leaking some plaintext (Albrecht, Paterson, Watson).

* OpenSSL DTLS leaking much more plaintext (AlFardan, Paterson).

* TLS leaking cookies et al. (Dai, Moeller, Bard, Duong, Rizzo).

* EAXprime (Smart Grid) allowing fast forgeries (Minematsu et al.).

* Many breaks in "encrypt only; authentication is too slow" IPsec.

* Keeloq door/car/garage RFID completely broken (Eisenbarth et al.).

* More broken "AES is too big" RFID proposals: HB, HB+, etc.

To summarize: Yes, non-cryptographic security is a disaster, but cryptography is a disaster too. :-)

---D. J. Bernstein

Research Professor, Computer Science, University of Illinois at Chicago

_______________________________________________

cryptography mailing list
cryptography[at]randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
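The decomposition Bernstein describes (AES-GCM with its authenticator suppressed is AES-CTR, something OCB3 does not offer), as an added example in Go that is not code from the post or from Tahoe-LAFS; the key and nonce are constructed sample values and the counter derivation assumes the standard 96-bit GCM nonce. It also shows the cost of dropping the tag: a bit flip in the ciphertext lands in the plaintext undetected, so this is only sound when something else, such as the signature Zooko wants, covers integrity.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// gcmSplit encrypts with AES-GCM and returns the ciphertext body and the tag separately.
func gcmSplit(key, nonce, pt []byte) (ct, tag []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block (128-bit block size)
	sealed := aead.Seal(nil, nonce, pt, nil)
	n := len(sealed) - aead.Overhead()
	return sealed[:n], sealed[n:], nil
}

// ctrFromGCM runs plain AES-CTR from the counter block GCM uses for data,
// nonce || 0x00000002 (nonce || 0x00000001 is J0, reserved for the tag). Symmetric.
func ctrFromGCM(key, nonce, data []byte) ([]byte, error) {
	if len(nonce) != 12 {
		return nil, errors.New("this J0 derivation assumes a 96-bit nonce")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, 16)
	copy(iv, nonce)
	iv[15] = 2
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

func main() {
	key, nonce := bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 12) // constructed
	pt := []byte("Tahoe-LAFS share data; integrity comes from a signature")
	ct, _, _ := gcmSplit(key, nonce, pt)
	ctr, _ := ctrFromGCM(key, nonce, pt)
	fmt.Println("GCM body == CTR:", bytes.Equal(ct, ctr))
	ct[0] ^= 0x01 // with no tag, nothing detects this flip...
	dec, _ := ctrFromGCM(key, nonce, ct)
	fmt.Printf("...so it lands in the plaintext: %q\n", dec)
}
```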