End of Phase 1
At the end of Phase 1, we announced an initial classification of algorithms. This allocation, including the list of "Focus Ciphers", will be updated periodically. We anticipate making a second classification towards the end of 2006.
For Profile 1 (SW), this selection is as follows:
For Profile 2 (HW), this selection is as follows:
What do the categories stand for?
- Focus Phase 2: These are designs that eSTREAM finds of particular interest. We particularly encourage more cryptanalysis and performance evaluation on these primitives.
- Phase 2: These are other designs that eSTREAM wishes to move to the second phase of the eSTREAM project.
- Archived: These are designs which eSTREAM will no longer actively consider for the final portfolio. Perhaps the design strategy or available documentation is flawed, or the proposal might not offer any particular advantages when compared to AES.
How was the selection made?eSTREAM assembled a panel of experts to consider the information to hand. The panel consisted of Steve Babbage (Vodafone, UK), Anne Canteaut (INRIA, France ), Carlos Cid (Royal Holloway, University of London, UK), Nicolas Courtois (Axalto Smart Cards Crypto Research, France), Henri Gilbert (France Telecom R&D, France), Thomas Johansson (Lund University, Sweden), Joseph Lano (Katholieke Universiteit Leuven, Belgium), Christof Paar (Ruhr-University of Bochum, Germany), Matthew Parker (University of Bergen, Norway), Bart Preneel (Katholieke Universiteit Leuven, Belgium), Vincent Rijmen (Graz University of Technology, Austria) and Matt Robshaw (France Telecom R&D, France).
The panel studied all information available on these primitives -
including the original description, cryptanalysis, performance,
responses by authors to analysis, tweaks, forum discussions - and
decided upon the division of the primitives within the three
Panel members who were the designers of a specific proposal were not involved in the classification of that proposal.
The selection has been made on the basis of the properties required in the original Call for Primitives. The following may also help to better understand the selection of the algorithms:
- Within eSTREAM we have not ruled out submissions covered by IP. However, given the very limited cryptanalytic time, it was felt that community at large might be better served if some attention were focused on ciphers that, at least as the designers are concerned, appear to be unencumbered. For now, we decided not to put submissions covered by IP as Focus Ciphers.
- We have received some very late tweaks to ciphers that would otherwise have been archived. To give the community the opportunity to consider this new information the ciphers have been retained at this classification.
- We believe that the number of ciphers in Phase 2 from Profile II (HW) results from the partial information we currently have to hand for hardware performance. We anticipate that this will change in the coming months. For Profile I (SW) the performance issue was much clearer thanks to the eSTREAM testing framework . Software stream ciphers offering no significant performance advantages over the AES have been archived.
- Only one more round of major algorithm tweaking was accepted. The deadline for any final tweaks was June 30, 2006. From then on, and for the remainder of the project, cryptanalysis requires algorithm stability. Authors sent the documentation, source code and test vectors of their tweaked algorithm to eSTREAM at firstname.lastname@example.org. eSTREAM now provides Phase 2 homepages for these ciphers, and has archived the old Phase 1 description. All candidates selected as "focus phase 2" ciphers entered a (possibly tweaked) design into phase 2. The same holds for the "phase 2" ciphers, with the exception of Sfinks and Yamb.
- While there have been comments that 80-bit security is not sufficient for the future security of Profile II, eSTREAM still sees value in this key length. Furthermore, since this was the initial target key-length we will continue to use it as a benchmark for comparison. However, if they wish, designers might like to demonstrate flexibility of their cipher design by proposing variants that take 128-bit keys as well.