8

At the beginning of this year, the CAESAR competition published the final portfolio for authenticated encryption algorithms.

I'm not a cryptographer and when I look at other applications, almost always AES-GCM or ChaCha20-Poly1305 is used for authenticated encryption.

So, I wonder why that is. Are the new CAESAR algorithms too new, or are there not enough implementations in the different programming languages? Other reasons?

As a programmer: When I design a new system today, should I consider the new CAESAR algorithms? Are there technical advantages/disadvantages?

Also, I heard of the Lightweight Cryptography project organized by NIST. Is not this competition redundant given the category 1: Lightweight applications (resource constrained environments) in the CAESAR competition?

Aliquis
  • 573
  • 1
  • 4
  • 7
  • 2
    NIST LWCC ist not redundant because the result will be an "approved" cipher that can be used in certified HW and SW. – SEJPM Oct 25 '19 at 09:20
  • Deoxsys-II has significant advantages if you have AES-NI instructions available, most notably nonce misuse resistance and better authentication security – Richie Frame Oct 25 '19 at 23:43

1 Answers1

8

The CAESAR competition took way too long, didn't go as well as expected, and other interesting constructions that would have been worth considering were designed after it started.

Some of these (AES-GCM-SIV) got standardized before the competition was over, and may get more adoption than CAESAR candidates.

The goal of CAESAR wasn't clearly defined. We didn't end up with AES alternatives. If only because AES is well-supported in hardware and has no sign of being broken anytime soon.

I'm not convinced of the practical outcome of the NIST LWCC competition either. AES is here to stay.

To get back to CAESAR, some finalists are interesting.

In particular, AEGIS doesn't change the AES core function, but builds a very fast (faster than AES-GCM) and simple construction taking advantage of the parallelism of some CPUs.

AEGIS-256 has been implemented in libsodium. So, it may get some adoption for applications where speed is the primary concern.

Frank Denis
  • 2,964
  • 15
  • 17
  • OCB may also be worth a look for these applications (I think it also won + the patents expired?) – SEJPM Oct 25 '19 at 10:59
  • 2
    OCB is covered by at least 4 patents, and I think only 2 of them expired. – Frank Denis Oct 25 '19 at 17:46
  • 2
    As a 2021 update: OCB is now patents-free. Rogaway didn’t renew them and announced that OCB was now public-domain. That being said, it may be a little bit too late, as GCM is the industry standard, and as a fast alternative, AEGIS is significantly faster. – Frank Denis Mar 15 '21 at 13:55
  • Only AEGIS-128 is in the Linux kernel, AEGIS-256 was removed. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=520c1993bbe620e39fd93de1a01b9e0dc0b97aa6 – user643011 Nov 29 '21 at 03:55