Input: key K, nonce N, message M

Output: ciphertext C, authentication tag T

Confidentiality, integrity, authenticity of M

IPsec, SSH, TLS, etc.

Input: key K, nonce N, message M, additional data H

Ouput: ciphertext C, authentication tag T

Integrity & authenticity covers H

E.g. for datagrams parts that need remain in clear

• Encrypt-and-MAC (as in SSH)
• MAC-then-encrypt (as in TLS)
• Encrypt-then-MAC (as in IPsec, best in theory)

Examples:

• AEAD_AES_128_CBC_HMAC_SHA_256
AEAD_CHACHA20_POLY1305

Block cipher modes

• CCM, GCM (NIST-standardized, minor issues)
• OCB (patented but mostly free to use)
• EAX

Authenticated ciphers:

• Grain-128a
• Helix / Phelix (kinda broken)

Sponge functions...

• Security: reduced attack surface
• Speed: one pass, easier to optimize
• Cost: less code/logic, lower power, etc.
• Usability: fewer parameters to choose

Identify a portfolio of authenticated ciphers that offer advantages over AES-GCM (the current de-facto standard) and are suitable for widespread adoption.

March 15 2014 – End of 2017

Led by DJB, with a committee of 22 cryptographers

Sponsored by but not organized/controlled by NIST

http://competitions.cr.yp.to/caesar.html

The AEAD standard:

• NSA Suite B
• NIST SP 800-38D
• IETF: IPsec, SSH, TLS 1.2
• IEEE P1619.1 tape storage
• IEEE 802.1AE (MACsec), 802.11ad (WiGig)
• etc. etc.

Unnecessarily complex

Fast only if AES/Galois field arithmetic HW support is available, like AES-NI

Without HW support: constant-time implementations even more complicated

Authentication key recovery if nonce is reused

ACORN	++AE	AEGIS	AES-CMCC	AES-COBRA
AES-COPA	AES-CPFB	AES-JAMBU	AES-OTR	AEZ
Artemia	Ascon	AVALANCHE	Calico	CBA
CBEAM	CLOC	Deoxys	ELmD	Enchilada
FASER	HKC	HS1-SIV	ICEPOLE	iFeed[AES]
Joltik	Julius	Ketje	Keyak	KIASU
LAC	Marble	McMambo	Minalpher	MORUS
NORX	OCB	OMD	PAEQ	PAES
PANDA	Π-Cipher	POET	POLAWIS	PRIMATEs
Prøst	Raviyoyla	Sablier	SCREAM	SHELL
SILC	Silver	STRIBOB	Tiaoxin	TriviA-ck
Wheesht	YAES

ACORN	++AE	AEGIS	AES-CMCC	AES-COBRA
AES-COPA	AES-CPFB	AES-JAMBU	AES-OTR	AEZ
Artemia	Ascon	AVALANCHE	Calico	CBA
CBEAM	CLOC	Deoxys	ELmD	Enchilada
FASER	HKC	HS1-SIV	ICEPOLE	iFeed[AES]
Joltik	Julius	Ketje	Keyak	KIASU
LAC	Marble	McMambo	Minalpher	MORUS
NORX	OCB	OMD	PAEQ	PAES
PANDA	Π-Cipher	POET		PRIMATEs
Prøst	Raviyoyla	Sablier	SCREAM	SHELL
SILC	Silver	STRIBOB	Tiaoxin	TriviA-ck
Wheesht	YAES

High security

High speed (in SW and HW)

Simplicity (of specs and code)

Online / one-pass

Scalability (parallelism, unrolling)

Key agility (no "key schedule")

Side-channel leaks robustness (esp. timings)

Word size	Rounds
W ∈ {32, 64}	1 ≤ R ≤ 63
Parallelism	Tag size
0 ≤ D ≤ 255	|A| ≤ 10W

NORX[W-R-D]	Nonce (2W)	Key (4W)	Tag (4W)
NORX32-4-1	64	128	128
NORX32-6-1	64	128	128
NORX64-4-1	128	256	256
NORX64-6-1	128	256	256
NORX64-4-4	128	256	256

R=6: higher security margin
D=4: high throughput on parallel architectures

"Monkey duplex" construction, from Keccak/SHA3

Process header, payload, and trailer data in one pass

Data expansion via multirate padding: 10*1

16 W-bit words S = (s0,...,s15)

Rate (data) words and capacity (security) words:



State properties, in bits:

W	Size	Rate	Capacity
32	512	320	192
64	1024	640	384

Load nonce, key and constants into S:

Parameter integration (v2):

Apply R-round permutation: S = FR(S)

Integrate domain separation constant:

Apply round permutation: S = FR(S)

Absorb data:

Integrate domain separation constant:

Apply round permutation: S = FR(S)

Absorb data:

Set new ciphertext block: c = (z0,...,z9)

Integrate domain separation constant:

Apply round permutation twice:

Set tag: t = (s0,s1,s2,s3)

F^R = R iterations of the permutation F

F runs G on state's columns, then diagonals

1.	a = H(a,b)	5.	a = H(a,b)
2.	d = ROTR(a^d,R0)	6.	d = ROTR(a^d,R2)
3.	c = H(c,d)	7.	c = H(c,d)
4.	b = ROTR(b^c,R1)	8.	b = ROTR(b^c,R3)

• H(x,y) = (x^y)^((x&y)<<1)
• ROTR(x,r) = (x>>>r)
• (R0,R1,R2,R3) =
  • (8,11,16,31) for W=32-bit words
  • (8,19,40,63) for W=64-bit words

Inspired from BLAKE(2)/ChaCha

H is almost integer addition: + is replaced by ^ in

Only bit-wise ops, no carries; no S-boxes

Only constant-time operations

Hardware friendly: horizontal and vertical folding

Software friendly: direct use of SIMD instructions

Differential characteristics bounds:

• 1 round: 2^-64 (32-bit), 2^-53 (64-bit)
• 4-rounds: 2^-584 (32-bit), 2^-836 (64-bit)

Initialisation has ≥ 8 rounds

Framework using constraint-solving tools: NODE

Improvement of the SpongeWrap bound:
from min{2^c/2, 2^k} to min{2^b/2, 2^c, 2^k}
with a proof focused on NORX' mode
Application to NORX instances:

• 32-bit: min{2^512/2, 2¹⁹², 2¹²⁸} = 2¹²⁸
• 64-bit: min{2^1024/2, 2³⁸⁴, 2²⁵⁶} = 2²⁵⁶

NORX among the fastest CAESAR candidates

Fastest sponge-based scheme

Reference code has competitive speed, too

At least developer-friendly (from norx.io)

Designed by students from ETH Zürich
(supervised by F. Gürkaynak)

180nm UMC @125MHz, area ≈ 59kGE

NORX64-4-1 throughput: ≈ 10Gbps

TRUDEVICE 2015

Similar to original versions, adapted rotate counts

80- & 96-bit security, respectively, due to

• State of 128=40+88 and 256=128+128
• "Usage exponent" of 24 and 32

ASIC area lower bounds: 1400 and 2800 GE

Crypto competition 2014–2017

About authenticated encryption

57 submissions received

2nd-round candidates announced tomorrow
(may be postponed)

http://competitions.cr.yp.to/
https://aezoo.compute.dtu.dk
http://www1.spms.ntu.edu.sg/~syllab/speed

PS: Another competition https://password-hashing.net

CAESAR candidate (one of the unbroken ones)

Innovative not-ARX core and parallelisable mode

Minimizes side-channel leaks (timing, padding)

No dependency on AES instructions/accelerators

Straightforward to implement, very fast in SW / HW

https://norx.io/

Code available in C, C++, Go, Python, Rust

No patents, free for everyone, ref code under CC0