
At the beginning of this year, the CAESAR competition published the final portfolio for authenticated encryption algorithms.

I'm not a cryptographer and when I look at other applications, almost always AES-GCM or ChaCha20-Poly1305 is used for authenticated encryption.

So, I wonder why that is. Are the new CAESAR algorithms too new, or are there not enough implementations in the different programming languages? Other reasons?

As a programmer: When I design a new system today, should I consider the new CAESAR algorithms? Are there technical advantages/disadvantages?

Also, I heard of the Lightweight Cryptography project organized by NIST. Isn't this competition redundant, given category 1 (lightweight applications, resource-constrained environments) in the CAESAR competition?

Aliquis

1 Answer


The CAESAR competition took way too long, didn't go as well as expected, and other interesting constructions that would have been worth considering were designed after it started.

Some of these (AES-GCM-SIV) got standardized before the competition was over, and may get more adoption than CAESAR candidates.

The goal of CAESAR wasn't clearly defined. We didn't end up with AES alternatives, if only because AES is well supported in hardware and shows no sign of being broken anytime soon.

I'm not convinced of the practical outcome of the NIST LWCC competition either. AES is here to stay.

To get back to CAESAR, some finalists are interesting.

In particular, AEGIS doesn't change the AES core function, but builds a very fast (faster than AES-GCM) and simple construction taking advantage of the parallelism of some CPUs.

AEGIS-256 has been implemented in libsodium. So, it may get some adoption for applications where speed is the primary concern.

Frank Denis
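The answer contrasts AES-GCM with AES-GCM-SIV and AEGIS without showing what a programmer actually deals with when using an AEAD. The following is an added example, not code from the answer, from libsodium or from any CAESAR submission. It uses only Go's standard library (which ships AES-GCM but neither AES-GCM-SIV nor AEGIS) to show the two things that matter in practice: the tag check rejects any modification of ciphertext or associated data, and reusing a nonce with AES-GCM leaks the XOR of the two plaintexts, which is exactly the failure mode AES-GCM-SIV was standardized to survive. The function names `Seal`, `Open` and `XorLeakUnderNonceReuse` are mine, and the keys and messages are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD (Go standard library) from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a fresh random 96-bit nonce and returns
// nonce || ciphertext || tag. The nonce is public; it only has to be unique.
func Seal(key, ad, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Passing nonce as dst prepends it to the output so the receiver can find it.
	return aead.Seal(nonce, nonce, plaintext, ad), nil
}

// Open splits nonce || ciphertext || tag, verifies the tag over both the
// ciphertext and ad, and only then returns the plaintext.
func Open(key, ad, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, fmt.Errorf("sealed message too short (%d bytes)", len(sealed))
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], ad)
}

// XorLeakUnderNonceReuse encrypts pt1 and pt2 under the SAME nonce and returns
// ct1 XOR ct2 over their common length. Because GCM is CTR mode plus a tag,
// the keystream cancels and the result equals pt1 XOR pt2: a passive observer
// learns the relationship between the plaintexts. Nonce-misuse-resistant modes
// such as AES-GCM-SIV degrade far more gracefully in this situation.
func XorLeakUnderNonceReuse(key, nonce, pt1, pt2 []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ct1 := aead.Seal(nil, nonce, pt1, nil)
	ct2 := aead.Seal(nil, nonce, pt2, nil)
	n := len(pt1)
	if len(pt2) < n {
		n = len(pt2)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = ct1[i] ^ ct2[i] // ciphertext bytes come first; the 16-byte tag follows
	}
	return out, nil
}

func main() {
	key := make([]byte, 32) // demo key, generated on the spot
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	ad := []byte("msg-v1") // associated data: authenticated but not encrypted
	sealed, err := Seal(key, ad, []byte("attack at dawn"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, ad, sealed)
	fmt.Printf("round trip: %q (err=%v)\n", pt, err)

	sealed[len(sealed)-1] ^= 0x80 // flip one bit of the tag
	_, err = Open(key, ad, sealed)
	fmt.Println("tampered message rejected:", err != nil)

	pt1 := []byte("attack at dawn!!")
	pt2 := []byte("hold position!!!")
	leak, _ := XorLeakUnderNonceReuse(key, make([]byte, 12), pt1, pt2)
	fmt.Printf("ct1 XOR ct2 = %x\n", leak)
	fmt.Println("equals pt1 XOR pt2:", bytes.Equal(leak, xorBytes(pt1, pt2)))
}

// xorBytes returns a XOR b for equal-length slices (used only for the demo check).
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}
```

The practical lesson matches the answer: with AES-GCM, nonce uniqueness is the caller's problem, and a counter or random nonce that ever repeats under one key is a real break, not a theoretical one. That is the gap AES-GCM-SIV closes, and it is a more concrete reason to reach for it than the CAESAR portfolio gives for most of its finalists.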