Cryptographic competitions

Secret-key cryptography
Focused competitions:
Broader evaluations:
CAESAR details:
Call for submissions
Call draft 5
Call draft 4
Call draft 3
Call draft 2
Call draft 1
Frequently asked questions


The trust that users place in secret-key cryptography has been repeatedly and flagrantly violated. Consider the following recent and ongoing examples:

  • 2009 Albrecht–Paterson–Watson introduced an attack that, with probability 2^(-18), verifiably recovers 32 bits of OpenSSH-encrypted plaintext at an attacker-selected position. The underlying problem is a flaw in the interaction between the secret-key encryption and secret-key authentication mechanisms used by OpenSSH.
  • 2011 Duong–Rizzo demonstrated two-minute recovery of TLS-encrypted cookies, specifically cookies enabling access to a PayPal user account. The core problem, another flaw in the interaction between encryption and authentication, had been pointed out years earlier by Dai, by 2004 Moeller, and by 2006 Bard, and was fixed in TLS 1.1; but almost all HTTPS sites continue to use TLS 1.0.
  • 2011 AlFardan–Paterson introduced an efficient attack that recovers full plaintext from the OpenSSL implementation of DTLS, and about 4% of the plaintext from the GnuTLS implementation of DTLS. This attack exploits not only details of the encryption and authentication but also timing information. An emergency OpenSSL upgrade on 4 January 2012 introduced a workaround for this attack; another emergency OpenSSL upgrade on 18 January 2012 fixed a denial-of-service problem that had been introduced by the workaround.
  • 2012 Minematsu–Morita–Iwata announced a fast forgery attack against EAXprime, an authenticated-encryption block-cipher mode standardized by ANSI C12.22-2008 for the "Smart Grid" and announced as the subject of a forthcoming NIST standard. "Block-cipher mode" means that EAXprime converts any block cipher, for example AES, into an authenticated cipher; the attack works independently of the choice of cipher.
  • 2008 Eisenbarth–Kasper–Moradi–Paar–Salmasizadeh–Shalmani extracted master keys from the popular Keeloq RFID devices, allowing them to surreptitiously observe keys from dozens of yards away and almost instantly build clones of those keys. Previous work had already shown that the Keeloq cipher provided less security than suggested by its 64-bit key size; the master-key computation by Eisenbarth et al. also exploited side-channel information leaked by the Keeloq devices.
  • A large fraction of existing 802.11 networks around the world continue to use WEP and are easily broken by the popular aircrack tool. This tool (2007 Tews–Weinmann–Pyshkin, building on previous work by Devine et al.) exploits various weaknesses in the underlying cipher, RC4, and after a few minutes prints out the "secret" WEP key.

Less obvious, but even more pervasive, is an even more extreme type of disaster, in which the attacker does not need to break an authenticated cipher because the application is failing to use an authenticated cipher. Consider the following examples:

  • IPsec continues to allow unauthenticated encryption as a standard option, even though this option has been thoroughly broken. See 1996 Bellovin, 2006 Paterson–Yau, and 2007 Degabriele–Paterson; for more context see 2010 Degabriele–Paterson. Users seem to understand that unauthenticated encryption allows the attacker to forge random messages, but seem surprised when it allows the attacker to forge selected messages or to decrypt ciphertext.
  • VMWare View is a remote desktop protocol supported by low-cost terminals from various manufacturers. Documentation from VMWare (2010), Dell (2009), etc. recommends switching from "AES-128" to "SALSA20-256" for the "best user experience"; apparently the AES-128 implementations cannot keep up with network graphics faster than about 5Mbps, while Salsa20 is considerably more efficient. Unfortunately, a closer look at the documentation indicates that "AES-128" is actually "AES-128-GCM" while "SALSA20-256" is actually "Salsa20-256-Round12". AES-128-GCM includes authentication, but 12-round Salsa20 does not. Salsa20 can be combined with authentication, of course, but there is no indication that VMWare's "Salsa20-256-Round12" includes any authentication.
  • There is an extensive, and apparently never-ending, literature on "lightweight identification protocols" such as HB, HB+, HB++, HB-MP, HB*, Trusted-HB, and HBsharp. Each of these protocols was broken within one year of being proposed. Note that any authenticated cipher can trivially be used for identification: the challenger sends a random message; the prover sends back the same message, authenticated.

It is easy to blame many of these security problems on a lack of user education, where in this case the users are the software and hardware engineers choosing cryptographic primitives to apply. The AES block cipher was standardized more than a decade ago and apparently has none of the weaknesses of RC4, Keeloq, etc.; there is an extensive literature explaining how to use AES to encrypt and authenticate messages of any length (for example, with AES-OCB3); many of these explanations are backed by proofs of security, assuming nothing more than the security of AES; and there is an extensive literature on defenses against timing attacks and other side-channel attacks.

However, in many cases there is a tension between security and the performance requirements of the applications. For example, RC4 became popular precisely because it offers high speed in software: AES needs more than 10 cycles per byte on most CPUs, while RC4 typically runs in fewer than 6. HB was introduced, and remains widely studied, precisely because it can fit into very small hardware, under 1000 gates. Software side-channel defenses impose a noticeable cost, and hardware side-channel defenses impose a much larger cost.

Version: This is version 2014.01.27 of the disasters.html web page.