June 20, 2024
Guy B. - NCSC
The National Cyber Security Centre (NCSC) is the UK National Technical Authority on cryptography. In this talk we will review some desirable security goals proposed by NIST, by us, and by the community. We observe that it seems challenging to satisfy all of these requirements with a single mode. For example, a mode designed to work with AES cannot demonstrate context commitment with a security proof in the standard model. And yet making an ideal cipher assumption on AES is problematic: AES admits related-key attacks, and proofs that rely on an ideal cipher assumption may not apply to quantum adversaries. As another trade-off, a mode of AES that has multi-user security and permissive per-user usage limits will likely require beyond-birthday security. The most obvious way to achieve this is with nonce-based key derivation, which results in poor performance on short messages. A permutation-based mode, or a mode designed for use with a 256-bit block cipher, would not encounter these issues, but would not meet the requirement to support AES.
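The cost behind the last trade-off, as an added example that is not part of the abstract or of NCSC's work: the block below implements the per-nonce key derivation of RFC 8452 (AES-GCM-SIV) as one concrete instance of nonce-based key derivation, then counts AES block-cipher calls under a simplified cost model (one call per 16-byte keystream block plus one for the tag, with the universal-hash work left out because it is the same with or without derivation). The key and nonce are constructed sample values, and the `callCounts` function and its cost model are this example's own simplification, not a specification.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
)

// Added example, not from the talk or from NCSC. The derivation follows
// RFC 8452 section 4; the call-count model below is a simplification
// made for illustration only.

const nonceSize = 12 // RFC 8452 nonces are 96 bits

// deriveKeys computes the per-nonce authentication and encryption keys of
// RFC 8452: AES(kgk, LE32(i) || nonce) for i = 0, 1, ..., keeping the first
// 8 bytes of each output. AES-128 needs 4 calls (16-byte auth key and
// 16-byte encryption key); AES-256 needs 6 (16-byte auth key, 32-byte
// encryption key). The number of block-cipher calls spent is returned too.
func deriveKeys(kgk, nonce []byte) (authKey, encKey []byte, calls int, err error) {
	if len(nonce) != nonceSize {
		return nil, nil, 0, errors.New("nonce must be 12 bytes")
	}
	switch len(kgk) {
	case 16:
		calls = 4
	case 32:
		calls = 6
	default:
		return nil, nil, 0, errors.New("key-generating key must be 16 or 32 bytes")
	}
	block, err := aes.NewCipher(kgk)
	if err != nil {
		return nil, nil, 0, err
	}
	in := make([]byte, aes.BlockSize)
	out := make([]byte, aes.BlockSize)
	copy(in[4:], nonce) // bytes 4..15 hold the nonce, bytes 0..3 the counter
	var derived []byte
	for i := 0; i < calls; i++ {
		binary.LittleEndian.PutUint32(in[:4], uint32(i))
		block.Encrypt(out, in)
		derived = append(derived, out[:8]...)
	}
	return derived[:16], derived[16:], calls, nil
}

// callCounts is a simplified cost model (this example's own, not a standard):
// direct  = one AES call per 16-byte CTR keystream block plus one for the tag,
//           using the long-term key directly (as AES-GCM does);
// derived = the same work preceded by derivCalls calls of per-nonce derivation.
func callCounts(msgLen, derivCalls int) (direct, derived int) {
	blocks := (msgLen + aes.BlockSize - 1) / aes.BlockSize
	direct = blocks + 1
	derived = direct + derivCalls
	return direct, derived
}

func main() {
	// Constructed sample key and nonce.
	kgk := make([]byte, 16)
	kgk[0] = 0x01
	nonce := make([]byte, nonceSize)
	nonce[0] = 0x03

	authKey, encKey, calls, err := deriveKeys(kgk, nonce)
	if err != nil {
		panic(err)
	}
	fmt.Printf("auth key %x\nenc key  %x\n(%d AES calls for derivation)\n", authKey, encKey, calls)

	// The fixed derivation cost is a large fraction of the work for short
	// messages and vanishes for long ones.
	for _, n := range []int{16, 64, 1024, 65536} {
		d, k := callCounts(n, calls)
		fmt.Printf("%6d-byte message: %5d calls direct, %5d with derivation (%.0f%% overhead)\n",
			n, d, k, 100*float64(k-d)/float64(d))
	}
}
```

For a single 16-byte message the derive-then-encrypt path costs three times as many AES calls as using the long-term key directly; at 1 KiB the overhead is about 6%, and at 64 KiB it is negligible. That is the shape of the short-message penalty the abstract refers to.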
Workshop on the Requirements for an Accordion Cipher Mode 2024