1 / 21

AEGIS A Fast Authenticated Encryption Algorithm

AEGIS A Fast Authenticated Encryption Algorithm. Hongjun Wu Bart Preneel Nanyang Technological University KU Leuven and iMinds. SAC 2013 . Outline. Authenticated Encryption (AE) design rationale security performance. 2. Authenticated Encryption (AE).

zaria
Download Presentation

AEGIS A Fast Authenticated Encryption Algorithm

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University KU Leuven and iMinds SAC 2013

  2. Outline Authenticated Encryption (AE) design rationale security performance 2

  3. Authenticated Encryption (AE) Unforgeable Encryption [Katz-Yung’00] Authenticated Encryption - Generic composition for probabilistic encryption [Bellare-Namprempre’00] Encrypt-then-MAC (IPsec) MAC-then-Encrypt (TLS) Encrypt-and-MAC Note: nonce-based Authenticated Encryption seems more relevant [Rogaway’13] 3

  4. AE: composition Encryption block cipher in CBC, CFB modes nonce reuse: suboptimal but mostly ok in practice synchronous stream cipher + block cipher in OFB/CTR performance may be better highly insecure with nonce reuse Message Authentication Code MAC without nonce: robust HMAC, CMAC, EMAC, Pelican MAC, PMAC … MAC with nonce: highly insecure if none reuse UMAC, GMAC, (VMAC, Poly1305-AES) 4

  5. AE: building blocks (Tweakable) block cipher Synchronous stream cipher with IV Pseudo-Random Function (PRF) Permutation AES round function reduction proof 5

  6. AE: properties Associated data Parallelizable Online for encryption Security reduction Resistance to nonce reuse Incremental tags Flexible implementation sizes Performance: speed/size Secure implementations: constant time/… 6

  7. AE: block cipher based

  8. Authenticated Encryption: speed • Fastest software designs exploit AES new instruction set (AES-NI) on recent Intel CPUs • Westmere (2010) • 6 cycles/AES round function, 3-stage pipeline • 2 cycles/AES round (fully used pipeline) • Sandy Bridge/Ivy Bridge (2011) • 8 cycles/AES round function, 8-stage pipeline • 1 cycle/AES round (fully used pipeline) • Haswell (2013) latest numbers [Gueron’13] AES-GCM 1.03 cycles/byte AES-OCB 0.69 cycles/byte

  9. Authenticated Encryption Better designs? hardware: high end and lightweight software: high end and embedded CAESAR http://competitions.cr.yp.to/caesar.html Competition for Authenticated Encryption: Security, Applicability, and Robustness 2014 – 2017 submission deadline: Jan 15 2014 9

  10. AEGIS Design Goal • Ultra fast nonce-based AE for network communication • reducing packet delay due to authentication/encryption on a busy server • for high speed TLS, IPsec, VPN, SSH • try to make optimal use of AES-NI

  11. AEGIS: properties Associated data Parallelizable: locally Online for encryption No security reductionbut easy to analyze Not resistant to nonce reuse No incremental tags Flexible implementation sizes: 128/256 Performance: speed/size Secure implementations: constant time/… 11

  12. Design Rationale (1) 0 K AES(10R) AES(4R) x2 AES(4R) x1 K AES(10R) 12 • Inspiration Pelican MAC • [Daemen-Rijmen’05] • 128-bit secret state • easy to analyze • secure up to birthday bound • 2.5 times faster than AES

  13. Design Rationale (2) K IV S0 S1 S2 S3 S4 xi K IV x1 AEGIS (10R) AEGIS (1R) AES(1R) AES(1R) AES(1R) AES(1R) AES(1R) x2 AEGIS (1R) length AEGIS (7R) tag • larger state: 5 x 128 bits • but simpler operation: 1 AES round • still easy to analyze • create stream cipher from MAC

  14. Security claims • Requirements for implementation • each key and nonce pair can be used only once • if verification fails, the decrypted message and wrong message authentication tag should not be given as output • Forgery attack: success prob. 2-t with t the tag size • Key and state cannot be recovered faster than brute force if forgery attack is not successful • 128-bit tags strongly recommended

  15. Security analysis of AE • Authentication • Encryption • Does authentication affect encryption? • short tag  easy forgery, and results in chosen ciphertext attack against encryption • Does encryption weaken authentication? • ciphertext leaks state information, which may benefit a forgery attack • such as partial state value, state collision

  16. Security • Authentication • a difference in ciphertext passes through at least 5 AES rounds • stronger than Pelican MAC (4 AES rounds) • Encryption • AEGIS encryption is a stream cipher with nonlinearstate update function • differential and linear analysis is precluded

  17. Security: does authentication affect encryption? • AEGIS without MAC is vulnerable to a chosen ciphertext attack • To preclude chosen ciphertext attack 1) if tag verification fails, the decrypted plaintext should not be given as output 2) the tag size should be sufficiently large to resist a chosen-ciphertext attack (128-bit tag recommended)

  18. Security: does encryption weaken authentication? • At each step, AEGIS leaks 128-bit keystream, i.e., 128-bit state information • The overall differential probability of the forgery attack against AEGIS increases • But the differential probability that a difference propagates through 5 AES rounds is not affected • reason: at each step, the information leaked on Si,j is of the form:

  19. Intel Sandy Bridge Core-i5 Performance: 0.66 cycles/byte

  20. Performance Intel Sandy Bridge Core-i5 Fastest AE

  21. Conclusion: AEGIS • Simple design • AEG-128 (this talk) and AEGIS-256 • Ultra fast for protecting network packets • targeting platform with AES-NI • on platforms without AES-NI, AEGIS is faster than AES (factor 1.25-2) • Strong security

More Related