Cryptographic competitions |
|
CAESAR call for submissions, draft 4 (2013.11.23)This document is draft 4 of a call for CAESAR public submissions. Please check http://competitions.cr.yp.to for newer drafts. CallCAESAR (Competition for Authenticated Encryption: Security, Applicability, and Robustness) will identify a portfolio of authenticated ciphers that (1) offer advantages over AES-GCM and (2) are suitable for widespread adoption. Cryptographic algorithm designers are invited to submit proposals of authenticated ciphers to CAESAR. All proposals will be made public for evaluation. DeadlinesFirst-round submission PDF files must be received by caesar-submissions at competitions.cr.yp.to between 2014.01.01 and 2014.01.15 23:59 GMT. This email must have subject line precisely round 1 submission: NAME where NAME is replaced by the cipher name. After 2014.01.15 the CAESAR secretary will publish all first-round submissions received, except that the CAESAR secretary may exclude submissions that do not meet requirements stated in this call. Reference software implementations must be received by caesar-submissions at competitions.cr.yp.to between 2014.01.01 and 2014.02.15 23:59 GMT. This email must have subject line precisely round 1 software: NAME where NAME is replaced by the cipher name. The CAESAR secretary may eliminate any submission that does not comply with the reference implementation requirements or other requirements stated in this call. Functional requirementsAn authenticated cipher is a function with five byte-string inputs and one byte-string output. The five inputs are a variable-length plaintext, variable-length associated data, a fixed-length secret message number, a fixed-length public message number, and a fixed-length key. The output is a variable-length ciphertext. The first four inputs have different security purposes, as indicated by the following table:
Bytes are integers between 0 and 255 inclusive. Authenticated ciphers defined in terms of objects other than bytes (e.g., 32-bit integers) must specify the relationship between those objects and byte strings (e.g., little-endian encoding of 32-bit integers). A cipher is permitted to specify a maximum plaintext length, but this limit must not be smaller than 65536 bytes. A cipher is permitted to specify a maximum length of associated data, but this limit must not be smaller than 65536 bytes. Ciphers must accept as keys, message numbers, plaintexts, and associated data all byte strings that meet the specified lengths of keys and message numbers and any specified maximum lengths of plaintexts and associated data. Cipher designers are advised that some applications do not break files into separately encrypted packets, and that there is occasional criticism of, e.g., existing ciphers with length limits of 68719476736 bytes; submissions are expected to include justification for any length limits. Ciphers are not required to support secret message numbers: i.e., ciphers may specify the length of the secret message number as 0 bits. Ciphers are not required to support public message numbers: i.e., ciphers may specify the length of the public message number as 0 bits. Ciphers are expected to maintain security no matter how users choose message numbers of the specified lengths: ciphers should not ask users to choose message numbers randomly, or to choose message numbers in sequence, or to follow any other message-number rules. Exception: ciphers are permitted to lose all security if a user reuses a single (secret message number,public message number) pair for two encryptions with the same secret key; but ciphers must document this loss (see "Security goals" below), and ciphers that do not lose security in this way may advertise this as an extra feature. Ciphers are permitted to leak the plaintext length via the ciphertext length, for example by having the ciphertext length be the plaintext length plus a specified constant. The ciphertext length must be determined by the plaintext length; i.e., it must not leak any information other than the plaintext length. Ciphers are permitted to have several plaintext lengths map to the same ciphertext length, but decryption must still recover the plaintext with the correct original length. Designers are advised that minimizing ciphertext length is generally considered more valuable than hiding plaintext length: an application can compensate for public lengths by padding and splitting plaintexts, whereas an application cannot compensate for ciphertext overhead. Designers are advised that many existing applications use 80-bit, 128-bit, or 256-bit keys; 96-bit or 104-bit public message numbers; 0-bit secret message numbers; and 32, 64, 96, 128, or 160 extra bits (used for authentication) in ciphertext compared to plaintext. However, submissions are not required to support these sizes, and are not limited to these sizes. Each submission specifies a family of authenticated ciphers. Family members may vary in external parameters such as key length, and may vary in submission-defined parameters such as the number of "rounds". However, a submission is also permitted to specify a family containing just 1 authenticated cipher. Each submission must include a prioritized list of recommended parameter sets: a primary recommendation, a secondary recommendation, etc. This list is permitted to be as short as 1 recommendation. This list must not be longer than 10 recommendations. Submitters are advised that 10 parameter sets are widely considered to be too many, and that the "Features" section of the submission (see below) is expected to justify each recommendation. Software requirementsEach first-round submission must be accompanied by a portable reference software implementation to support public understanding of the cipher, cryptanalysis, verification of subsequent implementations, etc. This implementation must cover all recommended parameter sets, and must compute exactly the function specified in the submission. This implementation is expected to be optimized for clarity, not for performance; the official CAESAR benchmarks will report the fastest implementation on each platform, and will thus disregard the reference implementation on any platform where it is superseded by faster implementations. A minimal reference implementation of (e.g.) AES-128-GCM consists of two files: crypto_aead/aes128gcm/ref/api.h and crypto_aead/aes128gcm/ref/encrypt.c. There are three levels of directory names:
The file api.h has four lines: #define CRYPTO_KEYBYTES 16 #define CRYPTO_NSECBYTES 0 #define CRYPTO_NPUBBYTES 12 #define CRYPTO_ABYTES 16 This indicates that the AES-128-GCM key has 16 bytes, that the secret message number has 0 bytes, that the public message number has 12 bytes, and that the ciphertext is at most 16 bytes longer than the plaintext. (A typical authenticated cipher has a constant gap between plaintext length and ciphertext length, but the requirement here is to have a constant limit on the gap.) The file encrypt.c has the following structure: #include "crypto_aead.h" int crypto_aead_encrypt( unsigned char *c,unsigned long long *clen, const unsigned char *m,unsigned long long mlen, const unsigned char *ad,unsigned long long adlen, const unsigned char *nsec, const unsigned char *npub, const unsigned char *k ) { ... ... the code for the cipher implementation goes here, ... generating a ciphertext c[0],c[1],...,c[*clen-1] ... from a plaintext m[0],m[1],...,m[mlen-1] ... and associated data ad[0],ad[1],...,ad[adlen-1] ... and secret message number nsec[0],nsec[1],... ... and public message number npub[0],npub[1],... ... and secret key k[0],k[1],... ... return 0; } int crypto_aead_decrypt( unsigned char *m,unsigned long long *mlen, unsigned char *nsec, const unsigned char *c,unsigned long long clen, const unsigned char *ad,unsigned long long adlen, const unsigned char *npub, const unsigned char *k ) { ... ... the code for the cipher implementation goes here, ... generating a plaintext m[0],m[1],...,m[*mlen-1] ... and secret message number nsec[0],nsec[1],... ... from a ciphertext c[0],c[1],...,c[clen-1] ... and associated data ad[0],ad[1],...,ad[adlen-1] ... and public message number npub[0],npub[1],... ... and secret key k[0],k[1],... ... return 0; } The outputs of crypto_aead_encrypt and crypto_aead_decrypt must be determined entirely by the inputs listed above and must not be affected by any randomness or other hidden inputs. The crypto_aead_decrypt function must return -1 if the ciphertext is not valid, i.e., if the ciphertext does not equal the encryption of any (plaintext,secret message number) pair with this associated data, public message number, and secret key. The crypto_aead_encrypt and crypto_aead_decrypt functions may return other negative numbers to indicate other failures (e.g., memory-allocation failures). The file crypto_aead.h is not included in the reference implementation; it is created automatically by the benchmarking framework. A reference implementation can use names other than encrypt.c. It can split its code across several files *.c defining various auxiliary functions; the files will be automatically compiled together. Instead of encrypt.c it can include encrypt.cc or encrypt.cpp in C++. A reference implementation may specify limits on plaintext length and associated-data length, but these limits must not be smaller than 65536 bytes. The reference implementation is packaged into a tarball, such as aes128gcm.tar.gz for AES-128-GCM. Hardware requirementsEach submission selected for the second round will also be required to include a reference hardware design (i.e., a reference implementation in the VHDL or Verilog languages) by 2015.03.15. Details of the hardware API have not yet been specified. Submission requirementsEach submission consists of a single PDF file with the following sections:
Changes from draft 3Narrower window of dates for submissions, with same deadline. Previous window was 2013.12.01 through 2014.01.15 23:59 GMT; new window is 2014.01.01 through 2014.01.15 23:59 GMT. Specify email address receiving submissions. Add paragraphs allowing limits on plaintext length and associated-data length in (1) cipher definitions and (2) reference implementations. However, do not allow limits below 65536 bytes. Change CRYPTO_NPRIVBYTES to CRYPTO_NSECBYTES. Change submission of "public proposals" to submission of "proposals", but emphasize that all proposals will be made public for evaluation. Clarify "requirements stated here" as "requirements stated in this call". Clarify little-endian example. Various minor wording tweaks. Version: This is version 2014.01.27 of the caesar-call-4.html web page. |