Comments on NIST accordion proposal


John Preuß Mattsson

Aug 6, 2025, 4:42:44 AM
to ciphermodes-forum
Hi,

Here are the comments Ericsson submitted on NIST's accordion proposal:

- We appreciate that NIST is proposing concrete solutions by suggesting HCTR2 as a foundation. We think Acc128, Acc256, and BBBAcc, based on HCTR2, provide a strong starting point if one limits oneself to block-cipher modes. However, it's difficult to assess whether all three are necessary, or whether they are sufficient, until their security, complexity, limits, and performance characteristics are better understood.

- Given an approved 256-bit block cipher, Acc256 is the easiest to analyze with its excellent security, low complexity, and good limits. If development of an accordion is higher priority than the standardization of a wide block cipher, we think an accordion based on Keccak, preferably with twelve rounds, is the most straightforward solution.

- While many current NIST specifications for encryption and PRFs should have stricter limits, we strongly question the stated limits of 2^41 blocks for Acc128 and 2^57 blocks for BBBAcc, which seem too strict. NIST has not given any motivation for the limits.

- We recommend that NIST provide updated guidance on the overall goals, provide updated guidance on the requirements, and clarify how it intends to modify HCTR2 in the design of BBBAcc.

- Academic research into the multi-key security of HCTR2 would be highly valuable.

Cheers,
John Preuß Mattsson,
Expert Cryptographic Algorithms and Security Protocols, Ericsson