2 May 2012
DIAC: Directions in Authenticated Ciphers
Previous in this thread:
0294.htm Cryptographers vs. Software Engineers April 28, 2012
Date: 3 May 2012 01:00:52 -0000
From: "D. J. Bernstein" <djb[at]cr.yp.to>
To: cryptography[at]randombit.net
Subject: [cryptography] DIAC: Directions in Authenticated Ciphers
The DIAC submission page is now open, with a deadline at the end of Monday
7 May (American Samoa time):
http://hyperelliptic.org/conferences/diac/iChair/submit.php
DIAC is an ECRYPT-sponsored workshop that will take place 5 - 6 July in
Stockholm, in particular evaluating the idea of a new competition for
authenticated ciphers. The call for papers asks for submissions on new
components, combinations, attacks, and implementations, but also asks for
submissions discussing requirements -- what users actually want. Submissions
of panel proposals, white papers, lists of desiderata, etc. are encouraged,
and there are no particular length requirements.
I should emphasize that an authenticated-cipher competition would be much
more than an "AE mode" competition. There are certainly people working on
new ways to use AES, but there are many more people working on new
authenticators, new block ciphers, new stream ciphers, new ciphers with built-in
authentication mechanisms, etc.
Zooko Wilcox-O'Hearn writes:
> authenticated encryption can't satisfy any of my use cases!
Of course it can! Evidently you want to combine it with public-key signatures,
which will render the secret-key authenticator useless, so for efficiency
you'd like to suppress that authenticator. This doesn't work well with something
like AES-OCB3, but it does work well with something like AES-GCM,
giving you AES-CTR.
There are clear engineering advantages to having an AES-CTR module that's
reused by AES-GCM (for applications that want the authentication) and by
Tahoe-LAFS. On the other hand, AES-OCB3 encrypts faster. If you help people
see Tahoe-LAFS as part of this picture then you have a chance of influencing
future work in a way that you'd find useful.
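The decomposition described above, as an added example in Go that is not code from the message, from Tahoe-LAFS, or from any library named here: AES-GCM ciphertext with its tag removed is byte-for-byte AES-CTR run from GCM's initial counter, using only Go's standard library. The key, IV and plaintext are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// GCMEncryptSplit returns AES-GCM ciphertext and tag separately; dropping the
// tag is the "suppress the authenticator" step described in the message.
func GCMEncryptSplit(block cipher.Block, iv, plaintext []byte) (ct, tag []byte) {
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	sealed := aead.Seal(nil, iv, plaintext, nil)
	n := len(sealed) - aead.Overhead()
	return sealed[:n], sealed[n:]
}

// CTREncryptGCMCounter is plain AES-CTR started at GCM's first data counter:
// with a 96-bit IV, J0 = IV||0x00000001 and data uses inc32(J0) = IV||0x00000002.
// (Go's CTR increments all 128 bits, GCM only the low 32; same until wrap.)
func CTREncryptGCMCounter(block cipher.Block, iv, plaintext []byte) []byte {
	counter := make([]byte, block.BlockSize())
	copy(counter, iv)
	counter[len(counter)-1] = 2
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, counter).XORKeyStream(out, plaintext)
	return out
}

// SameCiphertext reports whether GCM minus its tag is byte-for-byte AES-CTR.
// Without the tag nothing detects bit flips; the message relies on a signature.
func SameCiphertext(key, iv, plaintext []byte) bool {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcmCT, _ := GCMEncryptSplit(block, iv, plaintext)
	return bytes.Equal(gcmCT, CTREncryptGCMCounter(block, iv, plaintext))
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit key, not from the message
	iv := []byte("unique-nonce")      // constructed 96-bit IV (GCM's standard size)
	pt := []byte("Tahoe-LAFS share data; integrity comes from a signature elsewhere")
	fmt.Println("GCM without tag == AES-CTR:", SameCiphertext(key, iv, pt))
}
```

The same reuse does not hold for OCB3, whose encryption of each block depends on tweaked inputs rather than a bare counter, which is the contrast the message draws.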
Let me again emphasize that these AES modes are only one corner of the
authenticated-ciphers topic. If we do in fact end up with hundreds of
cryptographers working on authenticated ciphers for years then I wouldn't
bet on AES (or GCM, or OCB3) being part of the final result.
ianG writes:
> the cryptographer's push for AE mode is simply the creation of a more perfect
> hammer, when our real worries are about the building, not the nail.
I agree that the building is in sorry shape, but you shouldn't paint an overly
positive view of the current hammer. Here are a few recent and ongoing examples
of failures of secret-key cryptography:
* OpenSSH leaking some plaintext (Albrecht, Paterson, Watson).
* OpenSSL DTLS leaking much more plaintext (AlFardan, Paterson).
* TLS leaking cookies et al. (Dai, Moeller, Bard, Duong, Rizzo).
* EAXprime (Smart Grid) allowing fast forgeries (Minematsu et al.).
* Many breaks in "encrypt only; authentication is too slow" IPsec.
* Keeloq door/car/garage RFID completely broken (Eisenbarth et al.).
* More broken "AES is too big" RFID proposals: HB, HB+, etc.
To summarize: Yes, non-cryptographic security is a disaster, but cryptography
is a disaster too. :-)
---D. J. Bernstein
Research Professor, Computer Science, University of Illinois at Chicago
_______________________________________________
cryptography mailing list
cryptography[at]randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography