|
||
|
2 May 2012 DIAC: Directions in Authenticated Ciphers Previous in this thread: 0294.htm Cryptographers vs. Software Engineers April 28, 2012
Date: 3 May 2012 01:00:52 -0000 The DIAC submission page is now open, with a deadline at the end of Monday 7 May (American Samoa time): http://hyperelliptic.org/conferences/diac/iChair/submit.php DIAC is an ECRYPT-sponsored workshop that will take place 5 - 6 July in Stockholm, in particular evaluating the idea of a new competition for authenticated ciphers. The call for papers asks for submissions on new components, combinations, attacks, and implementations, but also asks for submissions discussing requirements -- what users actually want. Submissions of panel proposals, white papers, lists of desiderata, etc. are encouraged, and there are no particular length requirements. I should emphasize that an authenticated-cipher competition would be much more than an "AE mode" competition. There are certainly people working on new ways to use AES, but there are many more people working on new authenticators, new block ciphers, new stream ciphers, new ciphers with built-in authentication mechanisms, etc. Zooko Wilcox-O'Hearn writes: authenticated encryption can't satisfy any of my use cases! Of course it can! Evidently you to want to combine it with public-key signatures, which will render the secret-key authenticator useless, so for efficiency you'd like to suppress that authenticator. This doesn't work well with something like AES-OCB3, but it does work well with something like AES-GCM, giving you AES-CTR. There are clear engineering advantages to having an AES-CTR module that's reused by AES-GCM (for applications that want the authentication) and by Tahoe-LAFS. On the other hand, AES-OCB3 encrypts faster. If you help people see Tahoe-LAFS as part of this picture then you have a chance of influencing future work in a way that you'd find useful. Let me again emphasize that these AES modes are only one corner of the authenticated-ciphers topic. If we do in fact end up with hundreds of cryptographers working on authenticated ciphers for years then I wouldn't bet on AES (or GCM, or OCB3) being part of the final result. ianG writes: the cryptographer's push for AE mode is simply the creation of a more perfect hammer, when our real worries are about the building, not the nail. I agree that the building is in sorry shape, but you shouldn't paint an overly positive view of the current hammer. Here are a few recent and ongoing examples of failures of secret-key cryptography: * OpenSSH leaking some plaintext (Albrecht, Paterson, Watson). To summarize: Yes, non-cryptographic security is a disaster, but cryptography is a disaster too. :-) ---D. J. Bernstein Research Professor, Computer Science, University of Illinois at Chicago _______________________________________________
cryptography mailing
list
|