AEGIS
A Fast Authenticated
Encryption Algorithm
Hongjun Wu
Bart Preneel
Nanyang Technological University
KU Leuven and iMinds
SAC 2013
1``
````
````
````
````
````
````
````
````
````
``
Outline
Authenticated Encryption (AE)
 design rationale
 security
 performance

2
Authenticated Encryption (AE)


Unforgeable Encryption [Katz-Yung’00]
Authenticated Encryption - Generic composition
for probabilistic encryption [Bellare-Namprempre’00]
 Encrypt-then-MAC
(IPsec)
 MAC-then-Encrypt (TLS)
 Encrypt-and-MAC

Note: nonce-based Authenticated Encryption
seems more relevant [Rogaway’13]
3
AE: composition

Encryption
 block cipher in CBC, CFB modes
 nonce reuse: suboptimal but mostly ok in practice
 synchronous stream cipher + block
 performance may be better
 highly insecure with nonce reuse

cipher in OFB/CTR
Message Authentication Code
 MAC without nonce: robust
 HMAC, CMAC, EMAC, Pelican MAC, PMAC …
 MAC with nonce: highly insecure if none
 UMAC, GMAC, (VMAC, Poly1305-AES)
reuse
4
AE: building blocks
 (Tweakable) block cipher

Synchronous stream cipher with IV
Pseudo-Random Function (PRF)
Permutation

AES round function


reduction
proof
5
AE: properties









Associated data
Parallelizable
Online for encryption
Security reduction
Resistance to nonce reuse
Incremental tags
Flexible implementation sizes
Performance: speed/size
Secure implementations: constant time/…
6
AE: block cipher based
# passes
//
Online
(encr)
Nonce
Misue
IAPM
1



XECB
1



OCB
1



CCM
2
GCM
1*


EAX
2
CWC
2
SIV
2
BTM
1
McOE-G
1*








Patented
Authenticated Encryption: speed

Fastest software designs exploit AES new
instruction set (AES-NI) on recent Intel CPUs

Westmere (2010)


Sandy Bridge/Ivy Bridge (2011)


6 cycles/AES round function, 3-stage pipeline
 2 cycles/AES round (fully used pipeline)
8 cycles/AES round function, 8-stage pipeline
 1 cycle/AES round (fully used pipeline)
Haswell (2013)
latest numbers [Gueron’13]
AES-GCM 1.03 cycles/byte
AES-OCB 0.69 cycles/byte
8
Authenticated Encryption

Better designs?
 hardware:
high end and lightweight
 software: high end and embedded

CAESAR http://competitions.cr.yp.to/caesar.html
 Competition
for Authenticated Encryption:
Security, Applicability, and Robustness
 2014 – 2017
 submission deadline: Jan 15 2014
9
AEGIS Design Goal

Ultra fast nonce-based AE for network
communication
 reducing
packet delay due to
authentication/encryption on a busy server
 for high speed TLS, IPsec, VPN, SSH
 try to make optimal use of AES-NI
10
AEGIS: properties









Associated data
Parallelizable: locally
Online for encryption
No security reduction but easy to analyze
Not resistant to nonce reuse
No incremental tags
Flexible implementation sizes: 128/256
Performance: speed/size
Secure implementations: constant time/…
11
0
Design Rationale (1)
K

(10R)
Inspiration Pelican MAC
 [Daemen-Rijmen’05]
x1
 128-bit
secret state
 easy to analyze
 secure up to birthday bound
 2.5 times faster than AES
AES
AES
(4R)
x2
AES
(4R)
K
AES
(10R)
12
Design Rationale (2)
S1
S0
xi
AES(1R)
S2
AES(1R)
S3
AES(1R)
K IV
S4
AES(1R)
AES(1R)
K IV
AEGIS
(10R)
x1
AEGIS
(1R)
x2
AEGIS
(1R)




larger state: 5 x 128 bits
but simpler operation: 1 AES round
still easy to analyze
create stream cipher from MAC
length
AEGIS
(7R)
tag
Security claims

Requirements for implementation
 each key and nonce pair can be used only once



if verification fails, the decrypted message and wrong
message authentication tag should not be given as output
Forgery attack: success prob. 2-t with t the tag size
Key and state cannot be recovered faster than brute
force if forgery attack is not successful
 128-bit
tags strongly recommended
14
Security analysis of AE
Authentication
 Encryption
 Does authentication affect encryption?

tag  easy forgery, and results in chosen
ciphertext attack against encryption
 short

Does encryption weaken authentication?
 ciphertext
leaks state information, which may
benefit a forgery attack

such as partial state value, state collision
15
Security

Authentication
a
difference in ciphertext passes through at
least 5 AES rounds


stronger than Pelican MAC (4 AES rounds)
Encryption

AEGIS encryption is a stream cipher with
nonlinear state update function

differential and linear analysis is precluded
16
Security: does authentication affect
encryption?


AEGIS without MAC is vulnerable to a chosen
ciphertext attack
To preclude chosen ciphertext attack
1) if tag verification fails, the decrypted plaintext should
not be given as output
2) the tag size should be sufficiently large to resist a
chosen-ciphertext attack
(128-bit tag recommended)
17
Security: does encryption weaken
authentication?



At each step, AEGIS leaks 128-bit keystream, i.e.,
128-bit state information
The overall differential probability of the forgery
attack against AEGIS increases
But the differential probability that a difference
propagates through 5 AES rounds is not affected
 reason:
at each step, the information leaked on Si,j is of
the form:
Si ,1  (Si , 2 & Si ,3 )  Si , 4
18
Performance: 0.66 cycles/byte
10
K
40
96
10
24
51
2
25
6B
CTR
CCM
GCM
OCB3
ALE
ASC-1
AEGIS-128
AEGIS-256
12
8B
64
B
9
8
7
6
5
4
3
2
1
0
Intel Sandy
Bridge Core-i5
Performance
Intel Sandy Bridge Core-i5
Fastest AE
20
Conclusion: AEGIS

Simple design
 AEG-128

(this talk) and AEGIS-256
Ultra fast for protecting network packets

targeting platform with AES-NI
 on platforms without AES-NI, AEGIS is faster
than AES (factor 1.25-2)

Strong security
21