Schedule 31. Chaos Communication Congress

CAESAR is the Competition for Authenticated Encryption: Security, Applicapility, and
Robustness, and the latest crypto contest after AES, eSTREAM, SHA-3, and PHC. CAESAR aims to identify a portfolio of authenticated encryption (AE) schemes with support for associated data (AD). Compared to ciphers like AES-CBC or Salsa20, protects not only confidentiality, but also authenticity and integrity of the processed data. Before we give an introduction to CAESAR, we present the motivations behind the competition, like the importance to protect in-transit data, a lack of reliable AE(AD) standards or the repeated crypto failures in recent history that led, for example, to the cracking of WEP (aircrackng), and to attacks on (D)TLS, like BEAST and Lucky13.

In the second part, we talk about NORX, our CAESAR candidate: NORX is a user-oriented cipher, engineered to take advantage of modern CPUs and to scale to different levels of parallelism. NORX relies on trusted building blocks, adapted to meet our design goals:

• the sponge construction (as used in Keccak/SHA-3) is tuned to provide parallel processing


• the core of NORX is inspired by the ciphers Salsa20 and ChaCha (by DJB), and the hash function BLAKE(2) (by Aumasson et al.)

We explain how we selected NORX's operations and parameters to achieve maximized security and efficiency in both soft- and hardware. We also report on detailed benchmark results showing that NORX is among the fastest CAESAR candidates on various platforms, from ARM and x86 to ASICs. For example, on Intel's Haswell microarchitecture, NORX achieves 2.51 cycles per byte (more than 1 gigabyte per second), exploiting local parallelism provided by AVX2 instructions.