JP: Fighting Snake-Oil and Analysing Security v Performance - Analysed, Attacked, Wounded and Broken


I try to always have a research paper which I read (which I define as my “45 bus into work paper”), and try to make sense of. I normally give it around a week’s reading time and make notes on my iPad. A major challenge is always to try to understand the method in a way that others could understand. And so my favourite research paper of the year has just been posted on IACR [here]:

The paper's sole author is Jean-Philippe (JP) Aumasson, who works at Teserakt AG, Switzerland. Overall it is a highly readable paper, and provides a great background on the tension between security and performance. In the NIST scoring systems for SHA-3 and AES, for example, the scorecard tried to balance security and performance. But in a world of IoT, would it be better to reduce the security levels in order to support less power drain, or faster computations on limited-capacity devices?

On the way through the NIST standardization process, researchers have the chance to compromise the ciphers, so the authors of the methods tended towards making them as secure as possible. Thus 256-bit AES…


Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
