aegis
play

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu - PowerPoint PPT Presentation

May 19, 2023 •332 likes •524 views

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University KU Leuven and iMinds DIAC 2016 AEGIS 1 AEGIS: A shield carried by Athena and Zeus DIAC 2016 AEGIS 2 Different Design

  1. AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University KU Leuven and iMinds DIAC 2016 AEGIS 1

  2. AEGIS: A shield carried by Athena and Zeus DIAC 2016 AEGIS 2

  3. Different Design Approaches: AES-NI ( AEGIS ) Fast SIMD (MORUS) Mode (JAMBU) Lightweight Dedicated (ACORN) DIAC 2016 AEGIS 3

  4. No tweak for the second and third rounds DIAC 2016 AEGIS 4

  5. AEGIS: Main features • Simple • Fast – AEGIS-128L is 0.25 clock cycles/byte on Intel Skylake (long messages) • Fully use the pipeline of AES-NI • Nonce is used only once DIAC 2016 AEGIS 5

  6. AEGIS • AEGIS-128L – 128-bit key, 1024-bit state • AEGIS-128 – 128-bit key, 640-bit state • AEGIS-256 – 256-bit key, 768-bit state • Tag: 128-bit DIAC 2016 AEGIS 6

  7. AEGIS: Properties • Properties – Parallelizable: locally – No security reduction but easy to analyze – Not resistant to nonce reuse – Performance: size/speed tradeoff DIAC 2016 AEGIS 7

  8. 0 AEGIS K AES (10R) • Design Rationale – Inspiration: Pelican MAC x 1 • [Daemen- Rijmen’05] AES • 128-bit secret state (4R) • easy to analyze x 2 • secure up to birthday bound AES • 2.5 times faster than AES (4R) – Our design: Save the state after K each AES round , then construct AES (10R) stream cipher from MAC 8 DIAC 2016 AEGIS 8

  9. AEGIS • Design Rationale (2) – Parallel AES round functions in each step so as to fill the AES instruction pipeline – AEGIS-128L can make full use of the AES instruction pipeline of Intel Haswell and Skylake processors DIAC 2016 AEGIS 9

  10. AEGIS-128 K IV S 1 S 2 S 3 S 4 S 0 x i K IV AES (1R) AES (1R) AES (1R) AES (1R) AES (1R) AEGIS (10R) x 1 AEGIS (1R) x 2 AEGIS (1R)  larger state: 5 x 128 bits length  but simpler operation: 1 AES round AEGIS  still easy to analyze (7R) DIAC 2016 AEGIS 10 tag

  11. AEGIS: Security • Authentication – a difference in ciphertext passes through at least 4 AES rounds • stronger than Pelican MAC (4 AES rounds) since difference being distributed to at least 4 words • Encryption – AEGIS encryption is a stream cipher with nonlinear state update function • differential and linear analysis is precluded DIAC 2016 AEGIS 11

  12. AEGIS: Security Randomness of keystream • Recent results (Minaud, SAC 2014) – AEGIS-128 • 2 130+ keystream bits for distinguishing – AEGIS-256 • 2 180+ keystream bits for distinguishing DIAC 2016 AEGIS 12

  13. Performance • Speed on Intel Skylake processor Core i5-6600 (Supercop-2016-08-06) No associated data. DIAC 2016 AEGIS 13

  14. Performance • Compare to the performance of Tiaoxin – Tiaoxin extends AEGIS to larger state with more complicated state update function • state size of Tiaoxin: 1664 bits (60% more) • state size of AEGIS-128L: 1024 bits – Larger state size in stream cipher design normally leads to faster speed – Long message (on Skylake, Supercop-2016-08-06) • Tiaoxin: encryption 0.21 cpb; decryption 0.34 cpb • AEGIS-128L: encryption 0.25 cpb; decryption 0.25 cpb – 1536-byte message (on Skylake, Supercop-2016-08-06) • Tiaoxin: encryption 0.36 cpb; decryption 0.48 cpb • AEGIS-128L: encryption 0.34 cpb; decryption 0.37 cpb DIAC 2016 AEGIS 14

  15. Performance • Hardware – FPGA implementation of AEGIS-128L (Tao Huang) • For throughput optimized: 78.3 Gbps, 2424 slices – 65 nm ASIC implementation of AEGIS-128 (Debjyoti Bhattacharjee, Anupam Chattopadhyay, DIAC 2015) • For throughput optimized: 121 Gbps, 173 KGE • For Low area optimized: 1.32 Gbps, 18.72 KGE • We expect that AEGIS-128L is about twice as fast as AEGIS-128 on ASIC, with larger area (60% more) DIAC 2016 AEGIS 15

  16. Discussions • We restrict the disclosure of plaintext when authentication failed. What would happen if the attacker knows the decrypted plaintext when authentication fails ? – For AEGIS, the secret key remains strong, so there is little compromise of encryption security (since the attacker can access the decrypted plaintext, the encryption security of a single message is not a concern here) DIAC 2016 AEGIS 16

  17. Discussions • We restrict the disclosure of plaintext when authentication failed. What would happen if the attacker knows the decrypted plaintext when authentication fails ? – If the communication protocol terminates/restarts when authentication fails, then there is no compromise of authentication security DIAC 2016 AEGIS 17

  18. Conclusions • Simple design • Fast – Software: targeting platforms with AES-NI – Also fast in hardware • Strong in security DIAC 2016 AEGIS 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Science Achievements of the DEEP2 & AEGIS surveys by Koo, Faber, and the DEEP & AEGIS

Science Achievements of the DEEP2 & AEGIS surveys by Koo, Faber, and the DEEP & AEGIS

Science Achievements of the DEEP2 & AEGIS surveys by Koo, Faber, and the DEEP & AEGIS Teams Supported by CARA, UCO/Lick Observatory, the National Science Foundation, and NASA DEEP2 basics Officially finished: 53,000 spectra

505 views • 31 slides
AEGIS Academic and Educational Grid Initiative of Serbia http://www.aegis.rs/ Antun Balaz

AEGIS Academic and Educational Grid Initiative of Serbia http://www.aegis.rs/ Antun Balaz

AEGIS Academic and Educational Grid Initiative of Serbia http://www.aegis.rs/ Antun Balaz (NGI_AEGIS Technical Manager) Dusan Vudragovic (NGI_AEGIS Deputy Manager) SCL, Institute of Physics Belgrade EGI-InSPIRE SA1 Kickoff Meeting 1

506 views • 15 slides
AEgIS experiment: a summary of the run and a first glimpse of the data DAMARA SAC Meeting

AEgIS experiment: a summary of the run and a first glimpse of the data DAMARA SAC Meeting

AEgIS experiment: a summary of the run and a first glimpse of the data DAMARA SAC Meeting Angela Gligorova, Nicola Pacifico 23.08.2012, IFT, University of Bergen Outline Overview of the Aegis apparatus for the May-June 2012 run

738 views • 24 slides
The AEgIS Experiment Measuring the Gravitational Interaction of Antimatter Andreas Knecht / CERN

The AEgIS Experiment Measuring the Gravitational Interaction of Antimatter Andreas Knecht / CERN

The AEgIS Experiment Measuring the Gravitational Interaction of Antimatter Andreas Knecht / CERN on behalf of the AEgIS collaboration LEAP 2013, 10/6/2013 AEgIS Collaboration University of Oslo and University CERN, Switzerland of Bergen,

1.35k views • 35 slides
GRAVITY AND ANTIMATTER: THE AEGIS EXPERIMENT AT CERN DAVIDE PAGANO UNIVERSIT DEGLI STUDI DI

GRAVITY AND ANTIMATTER: THE AEGIS EXPERIMENT AT CERN DAVIDE PAGANO UNIVERSIT DEGLI STUDI DI

GRAVITY AND ANTIMATTER: THE AEGIS EXPERIMENT AT CERN DAVIDE PAGANO UNIVERSIT DEGLI STUDI DI BRESCIA & INFN PAVIA on behalf of the AEgIS collaboration TAUP 2017 - XV International Conference on Topics in Astroparticle and Underground

338 views • 15 slides
Linear Biases in AEGIS Keystream Brice Minaud ANSSI, France SAC August 15, 2014 Plan 1

Linear Biases in AEGIS Keystream Brice Minaud ANSSI, France SAC August 15, 2014 Plan 1

Linear Biases in AEGIS Keystream Brice Minaud ANSSI, France SAC August 15, 2014 Plan 1 Blockwise Stream Ciphers 2 Presentation of AEGIS 3 Linear Biases in AEGIS 1/22 Blockwise Stream Ciphers 2/22 Authenticated Encryption Schemes C

1.07k views • 39 slides
AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu, Bart Preneel Nanyang Technological University, Katholieke Universiteit Leuven Presented at DIAC 1 Classification of Authenticated Encryption AEGIS Design rationale

635 views • 19 slides
RC South, Task Force Aegis I n t e g r i t y - S e r v i c e - E x c e l l e n c e Qalat

RC South, Task Force Aegis I n t e g r i t y - S e r v i c e - E x c e l l e n c e Qalat

RC South, Task Force Aegis I n t e g r i t y - S e r v i c e - E x c e l l e n c e Qalat Provincial Reconstruction Team Capt Rockie Wilson Civil Affairs CAT-E (Engineer) Team Leader, Qalat PRT Training - Mission 5-week Combat Skills

961 views • 29 slides
Philip Harrison, Khangelani Moyo & Yan Yang Introduction Within the broad aegis of de

Philip Harrison, Khangelani Moyo & Yan Yang Introduction Within the broad aegis of de

Strategy and Tactics: Chinese Immigrants and Diasporic Spaces in Johannesburg, South Africa Philip Harrison, Khangelani Moyo & Yan Yang Introduction Within the broad aegis of de Certeaus work, we engage the historical and

935 views • 56 slides
Design and Implementation of the AEGIS Single-Chip Secure Processor Using Physical Random

Design and Implementation of the AEGIS Single-Chip Secure Processor Using Physical Random

Design and Implementation of the AEGIS Single-Chip Secure Processor Using Physical Random Functions G. Edward Suh, Charles W. ODonnell, Ishan Sachdev, and Srinivas Devadas Massachusetts Institute of Technology 1 New Security Challenges

356 views • 31 slides
AEGIS: Architecture for Tamper-Evident and Tamper-Resistant Processing G. Edward Suh, Dwaine

AEGIS: Architecture for Tamper-Evident and Tamper-Resistant Processing G. Edward Suh, Dwaine

AEGIS: Architecture for Tamper-Evident and Tamper-Resistant Processing G. Edward Suh, Dwaine Clarke, Blaise Gassend, Marten van Dijk, Srinivas Devadas Massachusetts Institute of Technology L C S Cases for Physical Security Applications

519 views • 23 slides
AEGIS : An Automated Permission Generation and Verification System for SDNs ACM SIGCOMM 2018

AEGIS : An Automated Permission Generation and Verification System for SDNs ACM SIGCOMM 2018

AEGIS : An Automated Permission Generation and Verification System for SDNs ACM SIGCOMM 2018 Workshop on SecSoN Heedo Kang, Seungwon Shin, Vinod Yegneswaran*, Shalini Ghosh*, Phillip Porras* KAIST, SRI International* Contents 1. B Background

585 views • 29 slides
AEGI S AEGI S A European framework for task-sharing in PGR conservation Jan Engels AEGIS

AEGI S AEGI S A European framework for task-sharing in PGR conservation Jan Engels AEGIS

AEGI S AEGI S A European framework for task-sharing in PGR conservation Jan Engels AEGIS Coordinator SEEDNet workshop on PGR international policy and legislation 24-25 October, 2007 Banjaluka, Republika Srpska Content of presentation

246 views • 21 slides
MAURITIUS Your Strategic Partner The Economic Development Board , operates under the aegis of the

MAURITIUS Your Strategic Partner The Economic Development Board , operates under the aegis of the

MAURITIUS Your Strategic Partner The Economic Development Board , operates under the aegis of the Prime Ministers Office Strategic Economic Planning Trade & Business Mandate Investment Facilitation Promotion Country Branding

224 views • 19 slides
Recent Highlights from the DEEP & AEGIS Surveys David C. Koo & DEEP Team UCO/Lick

Recent Highlights from the DEEP & AEGIS Surveys David C. Koo & DEEP Team UCO/Lick

Recent Highlights from the DEEP & AEGIS Surveys David C. Koo & DEEP Team UCO/Lick Observatory University of California, Santa Cruz 28 Aug 2007 A Century of Cosmology, Venice, Italy DEIMOS KECK Outline 1) Whats DEEP? Why useful

464 views • 25 slides
The Navy Modernization Program: Estimating the Cost of Upgrading AEGIS Guided Missile Cruisers

The Navy Modernization Program: Estimating the Cost of Upgrading AEGIS Guided Missile Cruisers

The Navy Modernization Program: Estimating the Cost of Upgrading AEGIS Guided Missile Cruisers Jeremy Goucher, Herren Associates Krystian Jenkins, Naval Surface Warfare Center 11 June 2015 1 Agenda Background Induction Phase

352 views • 18 slides
Q1 2020 results May 6, 2020 Q1 2020 webcast 2 Q1 2020 Results May 6th, 2020 Forenote This

Q1 2020 results May 6, 2020 Q1 2020 webcast 2 Q1 2020 Results May 6th, 2020 Forenote This

Q1 2020 results May 6, 2020 Q1 2020 webcast 2 Q1 2020 Results May 6th, 2020 Forenote This presentation may contain forward-looking information. Forward-looking statements describe expectations, plans, strategies, goals, future events or

602 views • 16 slides
Advances in Internet data flow transport ISAE-SUPAERO Macquarie University, the 22nd November

Advances in Internet data flow transport ISAE-SUPAERO Macquarie University, the 22nd November

Advances in Internet data flow transport ISAE-SUPAERO Macquarie University, the 22nd November 2018 ISAE-SUPAERO 2018 1 / 1 Toulouse complex for space and aeronautic Toulouse, south west of France 1 000 000 inhabitants and we love rugby

2.02k views • 170 slides
Data-driven time parallelism and model reduction Kevin Carlberg 1 , Lukas Brencher 2 , Bernard

Data-driven time parallelism and model reduction Kevin Carlberg 1 , Lukas Brencher 2 , Bernard

Data-driven time parallelism and model reduction Kevin Carlberg 1 , Lukas Brencher 2 , Bernard Haasdonk 2 , Andrea Barth 2 Sandia National Laboratories 1 University of Stuttgart 2 SIAM Conference on UQ April 7, 2016 Data-driven time parallelism

735 views • 35 slides
Ashik Ahmed We make work life easier Today More than 95,000 workplaces in over 85 countries use

Ashik Ahmed We make work life easier Today More than 95,000 workplaces in over 85 countries use

Ashik Ahmed We make work life easier Today More than 95,000 workplaces in over 85 countries use Deputy to make work life easier for business owners and their teams. Aero-care: 200 Staff Series A 1992 2015 2018 2003 2008 Scaled 2016

366 views • 13 slides
Reconsidering the Security Bound of AES-GCM-SIV Tetsu Iwata 1 and Yannick Seurin 2 1 Nagoya

Reconsidering the Security Bound of AES-GCM-SIV Tetsu Iwata 1 and Yannick Seurin 2 1 Nagoya

Background on AES-GCM-SIV Fixing the Security Bound Improving Key Derivation Final Remarks Reconsidering the Security Bound of AES-GCM-SIV Tetsu Iwata 1 and Yannick Seurin 2 1 Nagoya University, Japan 2 ANSSI, France March 7, 2018 FSE 2018

1.11k views • 70 slides
In-depth Percona Server/MySQL encryption Robert Golebiowski Percona Keyrings Keyrings

In-depth Percona Server/MySQL encryption Robert Golebiowski Percona Keyrings Keyrings

In-depth Percona Server/MySQL encryption Robert Golebiowski Percona Keyrings Keyrings General Concept Plugin installation - always successful - keyrings variables may need correction - keyring_vault_config - keyring_file_data 3

780 views • 47 slides
Better proofs for rekeying Rekeying seems less dangerous. D. J. Bernstein Expand k into F (

Better proofs for rekeying Rekeying seems less dangerous. D. J. Bernstein Expand k into F (

1 2 Better proofs for rekeying Rekeying seems less dangerous. D. J. Bernstein Expand k into F ( k ) = (AES k (0) ; : : : ; AES k (999999)). Security of AES-256 key k is Split F ( k ) into 500000 subkeys. far below 2 256 in most

881 views • 58 slides
Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers

Side-Channel Cryptanalysis Joseph Bonneau Security Group jcb82@cl.cam.ac.uk Rule 0: Attackers will always cheat xkcd #538 What is side channel cryptanalysis? Side Channels: whatever the designers ignored Key Plaintext Encryption Cipher

1.14k views • 112 slides

More recommend