AEGIS A Fast Authenticated Encryption Algorithm
Transcript of AEGIS A Fast Authenticated Encryption Algorithm
Page 1
AEGIS: A Fast Authenticated Encryption Algorithm
Hongjun Wu, Bart Preneel
Nanyang Technological University; KU Leuven and iMinds
SAC 2013
Page 2
Outline
- Authenticated Encryption (AE)
- design rationale
- security
- performance
Page 3
Authenticated Encryption (AE)
- Unforgeable Encryption [Katz-Yung'00]
- Authenticated Encryption: generic composition for probabilistic encryption [Bellare-Namprempre'00]
  - Encrypt-then-MAC (IPsec)
  - MAC-then-Encrypt (TLS)
  - Encrypt-and-MAC
- Note: nonce-based Authenticated Encryption seems more relevant [Rogaway'13]
Page 4
AE: composition
- Encryption
  - block cipher in CBC, CFB modes: nonce reuse is suboptimal but mostly ok in practice
  - synchronous stream cipher, or block cipher in OFB/CTR: performance may be better, but highly insecure with nonce reuse
- Message Authentication Code
  - MAC without nonce: robust (HMAC, CMAC, EMAC, Pelican MAC, PMAC, ...)
  - MAC with nonce: highly insecure under nonce reuse (UMAC, GMAC, (VMAC, Poly1305-AES))
Page 5
AE: building blocks
- (Tweakable) block cipher
- Synchronous stream cipher with IV
- Pseudo-Random Function (PRF)
- Permutation
- AES round function
- reduction proof
Page 6
AE: properties
- Associated data
- Parallelizable
- Online for encryption
- Security reduction
- Resistance to nonce reuse
- Incremental tags
- Flexible implementation sizes
- Performance: speed/size
- Secure implementations: constant time/...
Page 7
AE: block cipher based

| Scheme | # passes |
|---|---|
| IAPM | 1 |
| XECB | 1 |
| OCB | 1 |
| CCM | 2 |
| GCM | 1* |
| EAX | 2 |
| CWC | 2 |
| SIV | 2 |
| BTM | 1 |
| McOE-G | 1* |

The slide also has columns for Online (encryption), Nonce misuse and Patented; their marks were not captured in this transcript.
Page 8
Authenticated Encryption: speed
- Fastest software designs exploit the new AES instruction set (AES-NI) on recent Intel CPUs
  - Westmere (2010): 6 cycles per AES round function, 3-stage pipeline; 2 cycles per AES round with a fully used pipeline
  - Sandy Bridge/Ivy Bridge (2011): 8 cycles per AES round function, 8-stage pipeline; 1 cycle per AES round with a fully used pipeline
  - Haswell (2013)
- Latest numbers [Gueron'13]: AES-GCM 1.03 cycles/byte, AES-OCB 0.69 cycles/byte
Page 9
Authenticated Encryption
- Better designs? hardware: high end and lightweight; software: high end and embedded
- CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness, 2014 – 2017, http://competitions.cr.yp.to/caesar.html
  - submission deadline: Jan 15 2014
Page 10
AEGIS Design Goal
- Ultra fast nonce-based AE for network communication
  - reducing packet delay due to authentication/encryption on a busy server
  - for high speed TLS, IPsec, VPN, SSH
- try to make optimal use of AES-NI
Page 11
AEGIS: properties
- Associated data
- Parallelizable: locally
- Online for encryption
- No security reduction, but easy to analyze
- Not resistant to nonce reuse
- No incremental tags
- Flexible implementation sizes: 128/256
- Performance: speed/size
- Secure implementations: constant time/...
Page 12
Design Rationale (1)
- Inspiration: Pelican MAC [Daemen-Rijmen'05]
  - 128-bit secret state
  - easy to analyze
  - secure up to birthday bound
  - 2.5 times faster than AES

Figure: Pelican MAC. The state starts as AES(10R) of 0 under key K; each message block x1, x2 is XORed into the state and followed by AES(4R); a final AES(10R) under K produces the tag.
Page 13
Design Rationale (2)
- larger state: 5 x 128 bits
- but simpler operation: 1 AES round
- still easy to analyze
- create stream cipher from MAC

Figure: AEGIS state update and MAC structure. Five 128-bit words S0, S1, S2, S3, S4 each pass through AES(1R) per step, with the message block xi absorbed into S0. The MAC runs AEGIS(10R) initialization from K and IV, AEGIS(1R) per message block x1, x2, ..., then AEGIS(7R) over the length to produce the tag.
Page 14
Security claims
- Requirements for implementation
  - each key and nonce pair can be used only once
  - if verification fails, the decrypted message and wrong message authentication tag should not be given as output
- Forgery attack: success probability 2^-t with t the tag size
- Key and state cannot be recovered faster than brute force if forgery attack is not successful
- 128-bit tags strongly recommended
Page 15
Security analysis of AE
- Authentication
- Encryption
- Does authentication affect encryption? A short tag allows easy forgery, and results in a chosen ciphertext attack against encryption
- Does encryption weaken authentication? Ciphertext leaks state information, which may benefit a forgery attack, such as partial state value, state collision
Page 16
Security
- Authentication
  - a difference in ciphertext passes through at least 5 AES rounds
  - stronger than Pelican MAC (4 AES rounds)
- Encryption
  - AEGIS encryption is a stream cipher with nonlinear state update function
  - differential and linear analysis is precluded
Page 17
Security: does authentication affect encryption?
- AEGIS without MAC is vulnerable to a chosen ciphertext attack
- To preclude chosen ciphertext attack:
  1) if tag verification fails, the decrypted plaintext should not be given as output
  2) the tag size should be sufficiently large to resist a chosen-ciphertext attack (128-bit tag recommended)
Page 18
Security: does encryption weaken authentication?
- At each step, AEGIS leaks 128-bit keystream, i.e., 128-bit state information
- The overall differential probability of the forgery attack against AEGIS increases
- But the differential probability that a difference propagates through 5 AES rounds is not affected
  - reason: at each step, the information leaked on S_{i,j} is of the form $S_{i,1} \oplus S_{i,4} \oplus (S_{i,2} \,\&\, S_{i,3})$
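The state update from the Design Rationale (2) slide and the leaked keystream form above, as an added example (not code from the paper or its authors). It assumes a pure-Python AES round in place of AES-NI and starts from a constructed placeholder state, since key/IV initialization and the AEGIS(7R) tag finalization are not covered here.

```python
# Added example, not the authors' code: AEGIS-128 state update and keystream on a
# pure-Python AES round, so it runs without AES-NI. The start state is a constructed
# placeholder; key/IV initialization and the AEGIS(7R) tag finalization are omitted.
def _gmul(a, b):  # multiply in GF(2^8) modulo the AES polynomial 0x11b
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (0x11b if a & 0x80 else 0), b >> 1
    return r

def _make_sbox():  # AES S-box: inverse in GF(2^8) (x^254), then the affine map
    sbox = []
    for x in range(256):
        inv = x
        for _ in range(253):
            inv = _gmul(inv, x)
        s = inv
        for k in range(1, 5):
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xff
        sbox.append(s ^ 0x63)
    return sbox

SBOX = _make_sbox()

def aes_round(a, b):  # SubBytes, ShiftRows, MixColumns of a, then XOR b (aesenc a, b)
    s = [SBOX[v] for v in a]
    s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]  # ShiftRows
    out = bytearray(16)
    for c in range(4):  # MixColumns, one column at a time
        col = s[4 * c:4 * c + 4]
        for r in range(4):
            out[4 * c + r] = (_gmul(2, col[r]) ^ _gmul(3, col[(r + 1) % 4])
                              ^ col[(r + 2) % 4] ^ col[(r + 3) % 4])
    return bytes(x ^ y for x, y in zip(out, b))

def _xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))
def state_update(S, m):  # StateUpdate128: every word passes through one AES round
    return [aes_round(S[4], _xor(S[0], m)), aes_round(S[0], S[1]),
            aes_round(S[1], S[2]), aes_round(S[2], S[3]), aes_round(S[3], S[4])]

def keystream(S):  # the 128 bits leaked per step: S1 xor S4 xor (S2 and S3)
    return _xor(_xor(S[1], S[4]), bytes(p & q for p, q in zip(S[2], S[3])))
def aegis_stream(S, blocks, decrypt=False):  # the state always absorbs plaintext
    out = []
    for blk in blocks:
        out.append(_xor(blk, keystream(S)))
        m = out[-1] if decrypt else blk  # decryption feeds recovered plaintext back
        S = state_update(S, m)
    return out, S
```

Because decryption drives the state with the recovered plaintext rather than the ciphertext, releasing unverified plaintext hands the attacker exactly the chosen-ciphertext lever the Page 17 requirements rule out.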
Page 19
Performance: 0.66 cycles/byte on Intel Sandy Bridge Core-i5

Figure: cycles/byte (vertical axis 0 to 9) versus message size (64B, 128B, 256B, ... up to 10K) for CTR, CCM, GCM, OCB3, ALE, ASC-1, AEGIS-128 and AEGIS-256.
Page 20
Performance (Intel Sandy Bridge Core-i5)
- Fastest AE
Page 21
Conclusion: AEGIS
- Simple design: AEGIS-128 (this talk) and AEGIS-256
- Ultra fast for protecting network packets, targeting platforms with AES-NI
  - on platforms without AES-NI, AEGIS is faster than AES (factor 1.25-2)
- Strong security