Friday, January 9, 2015

Real World Crypto 2015: CAESAR came, you see, but who will win?

Cryptographers are humans, and humans are competitive, which might explain the popularity of cryptographic competitions. The most visible competition running at this point in time is CAESAR, which hopes to recommend a (portfolio of) authenticated encryption schemes. Elena Andreeva gave a wonderful talk giving a very brief overview of modern thinking regarding what security and functionality to aim for, and how different schemes try to achieve it.

The traditional lesson that encryption should be probabilistic to be secure has been replaced by a nonce-based view, with further granularity depending on the security offered when nonces are somehow reused. Even prior to CAESAR there was an increasing number of dedicated, nonce-based schemes suggested, several of which were entered into the CAESAR competition. Taking nonces into account also changes how one would go about using a MAC to add authenticity to a mode of operation such as CBC. This problem, known as generic composition, has recently been revisited by Namprempre, Rogaway, and Shrimpton.

There has also been increased interest in the security ramifications of using online encryption and decryption. For efficiency purposes (e.g. to enable a single pass over the data), it can be beneficial to output plaintext as part of the decryption process before the ciphertext has been verified. At last year's Asiacrypt, Elena and her coauthors established a framework to capture the release of unverified plaintext (RUP). Only a handful of CAESAR candidates achieve this security notion.
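To make the notions from the previous two paragraphs concrete, here is a toy nonce-based authenticated encryption scheme in the encrypt-then-MAC style of generic composition (the MAC covers the nonce, the associated data and the ciphertext), with two decryption routines: one that verifies the tag before releasing anything, and one that models release of unverified plaintext. A final check shows the nonce-reuse failure mode of a plain counter-style mode, where a repeated nonce makes the keystream cancel. This is an added illustration written for this post, not a CAESAR candidate and not code from the talk; it uses HMAC-SHA256 from the Python standard library as a stand-in PRF, and the key, nonce and messages are constructed sample values.

```python
import hmac
import hashlib

# Toy nonce-based AE in the encrypt-then-MAC style. Keystream blocks are
# HMAC-SHA256(k_enc, nonce || counter); the tag is HMAC-SHA256 over the
# nonce, length-prefixed associated data and the ciphertext.
# Illustration only (assumed construction), not a real CAESAR scheme.

TAG_LEN = 32
NONCE_LEN = 12


def _derive_keys(key: bytes):
    """Split one master key into an encryption key and a MAC key."""
    k_enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return k_enc, k_mac


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(k_enc, nonce || counter), 32 bytes per block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(k_enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(k_mac: bytes, nonce: bytes, ad: bytes, ct: bytes) -> bytes:
    """MAC over nonce, length-prefixed associated data and ciphertext."""
    msg = nonce + len(ad).to_bytes(8, "big") + ad + ct
    return hmac.new(k_mac, msg, hashlib.sha256).digest()


def encrypt(key: bytes, nonce: bytes, ad: bytes, pt: bytes) -> bytes:
    """Return ciphertext || tag. The caller must never repeat a nonce under a key."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be 12 bytes")
    k_enc, k_mac = _derive_keys(key)
    ct = _xor(pt, _keystream(k_enc, nonce, len(pt)))
    return ct + _tag(k_mac, nonce, ad, ct)


def decrypt_verify_first(key: bytes, nonce: bytes, ad: bytes, data: bytes):
    """Conventional decryption: verify the tag, release plaintext only on success."""
    if len(data) < TAG_LEN:
        return None
    ct, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    k_enc, k_mac = _derive_keys(key)
    if not hmac.compare_digest(tag, _tag(k_mac, nonce, ad, ct)):
        return None
    return _xor(ct, _keystream(k_enc, nonce, len(ct)))


def decrypt_release_unverified(key: bytes, nonce: bytes, ad: bytes, data: bytes):
    """Online-style decryption that models RUP: the plaintext is returned even
    when the tag check fails, as (plaintext, verified). Only a scheme designed
    for RUP security can safely expose plaintext this way; for this toy mode
    the unverified plaintext must be treated as attacker-influenced."""
    ct, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    k_enc, k_mac = _derive_keys(key)
    pt = _xor(ct, _keystream(k_enc, nonce, len(ct)))
    ok = hmac.compare_digest(tag, _tag(k_mac, nonce, ad, ct))
    return pt, ok


def nonce_reuse_leaks_xor(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """Nonce-reuse failure mode: encrypting two messages under one nonce makes
    the keystream cancel, so c1 XOR c2 == p1 XOR p2. Returns True when that
    relation holds, i.e. the mode offers no nonce-misuse resistance."""
    n = min(len(p1), len(p2))
    c1 = encrypt(key, nonce, b"", p1)[:n]
    c2 = encrypt(key, nonce, b"", p2)[:n]
    return _xor(c1, c2) == _xor(p1[:n], p2[:n])


if __name__ == "__main__":
    key = b"\x01" * 32          # constructed sample key
    nonce = b"\x00" * NONCE_LEN  # constructed sample nonce
    data = encrypt(key, nonce, b"hdr", b"meeting at noon")
    print(decrypt_verify_first(key, nonce, b"hdr", data))
    tampered = bytes([data[0] ^ 1]) + data[1:]
    print(decrypt_verify_first(key, nonce, b"hdr", tampered))
    print(decrypt_release_unverified(key, nonce, b"hdr", tampered))
    print(nonce_reuse_leaks_xor(key, nonce, b"hello world", b"hidden text"))
```

The verify-first routine returns nothing useful on a tampered or wrongly-associated message, which is the behaviour a conventional AE interface promises; the RUP-style routine hands back a plaintext that differs from the original and carries `verified=False`, which is exactly the situation the RUP framework asks a scheme to make safe. The last check is the reason nonce-misuse resistance is one of the criteria by which CAESAR candidates are classified.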

Finally, Elena went into more detail of the current state of play of the CAESAR competition. Given the large number of candidates (57) and the large number of criteria based on which one can classify an authenticated encryption scheme, the information provided by the CAESAR zoo can be hard to interpret. Luckily for us, Elena has created a wonderful, interactive visualization tool to zoom in on whichever property takes our current fancy (for instance, geographical spread of submissions). The tool is available from her home page so have a go at it yourself!

The first round of CAESAR is drawing to a close and it is expected that next month DJB (J for Julius?) will announce which candidates the CAESAR committee has progressed to round 2. Eventually the winner or winners will be crowned in another two years' time. After her presentation, there was a question from the audience whether this winner will be fast-tracked into the TLS standard.

