AEGIS: A Fast Authenticated Encryption Algorithm (Hongjun Wu, PowerPoint presentation)



SLIDE 1

AEGIS

A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel

Nanyang Technological University KU Leuven and iMinds

DIAC 2016 AEGIS 1

SLIDE 2


AEGIS: A shield carried by Athena and Zeus

SLIDE 3

Different Design Approaches (fast vs. lightweight):

– AES-NI (AEGIS)
– SIMD (MORUS)
– Mode (JAMBU)
– Dedicated (ACORN)

SLIDE 4

No tweak for the second and third rounds


SLIDE 5

AEGIS: Main features

  • Simple
  • Fast

– AEGIS-128L is 0.25 clock cycles/byte on Intel Skylake (long messages)

  • Fully use the pipeline of AES-NI
  • Nonce is used only once


SLIDE 6

AEGIS

  • AEGIS-128L

– 128-bit key, 1024-bit state

  • AEGIS-128

– 128-bit key, 640-bit state

  • AEGIS-256

– 256-bit key, 768-bit state

  • Tag: 128-bit


SLIDE 7

AEGIS: Properties

  • Properties

– Parallelizable: locally
– No security reduction, but easy to analyze
– Not resistant to nonce reuse
– Performance: size/speed tradeoff


SLIDE 8


AEGIS

  • Design Rationale

– Inspiration: Pelican MAC

  • [Daemen-Rijmen’05]
  • 128-bit secret state
  • easy to analyze
  • secure up to birthday bound
  • 2.5 times faster than AES

– Our design: Save the state after each AES round, then construct stream cipher from MAC

[Figure: Pelican MAC structure. Labels: AES (10R) with key K, message blocks x1 and x2 each followed by AES (4R), and AES (10R) with key K at the end.]

SLIDE 9

AEGIS

  • Design Rationale (2)

– Parallel AES round functions in each step so as to fill the AES instruction pipeline
– AEGIS-128L can make full use of the AES instruction pipeline of Intel Haswell and Skylake processors


SLIDE 10

AEGIS-128

  • Larger state: 5 x 128 bits
  • But simpler operation: 1 AES round
  • Still easy to analyze

[Figure: AEGIS-128 state update. Labels: five words S0, S1, S2, S3, S4, each updated by AES(1R); message block xi enters at S0; "length" next to S4. Overall structure: AEGIS (10R) with K and IV, AEGIS (1R) for x1, AEGIS (1R) for x2, AEGIS (7R) producing the tag.]

SLIDE 11

AEGIS: Security

  • Authentication

– A difference in ciphertext passes through at least 4 AES rounds

  • Stronger than Pelican MAC (4 AES rounds), since the difference is distributed to at least 4 words

  • Encryption

– AEGIS encryption is a stream cipher with a nonlinear state update function

  • Differential and linear analysis is precluded
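As an added example (not the authors' code), a pure-Python model of the AEGIS-128 step from the slide-10 figure and of the properties on slide 11: five AES rounds run side by side, the message block enters at S0, the keystream is the nonlinear S1 ^ S4 ^ (S2 & S3), and decryption must recover the plaintext before it can step the state. The AES round, word ordering and keystream formula follow the AEGIS specification; initialization and finalization are omitted and the starting state is a constructed placeholder.

```python
def gf_mul(a, b):                       # multiply in GF(2^8) with the AES polynomial
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox(x):                           # GF(2^8) inverse followed by the AES affine map
    inv = x
    for _ in range(253):                # x^254 = x^-1 in GF(2^8), and 0 stays 0
        inv = gf_mul(inv, x)
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63
SBOX = [_sbox(x) for x in range(256)]

xor = lambda a, b: bytes(p ^ q for p, q in zip(a, b))

def aes_round(x, y):
    # AESENC semantics: MixColumns(ShiftRows(SubBytes(x))) ^ y on 16-byte column-major blocks
    s = [SBOX[b] for b in x]
    s = [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]   # ShiftRows
    out = bytearray(16)
    for c in range(4):                                                     # MixColumns
        a = s[4 * c:4 * c + 4]
        for r in range(4):
            out[4 * c + r] = (gf_mul(a[r], 2) ^ gf_mul(a[(r + 1) % 4], 3)
                              ^ a[(r + 2) % 4] ^ a[(r + 3) % 4])
    return xor(out, y)

def aegis128_update(state, m):
    # One step: five parallel AES rounds; each word absorbs its predecessor, m enters only at S0
    s0, s1, s2, s3, s4 = state
    return (aes_round(s4, xor(s0, m)), aes_round(s0, s1), aes_round(s1, s2),
            aes_round(s2, s3), aes_round(s3, s4))

def aegis128_keystream(state):          # nonlinear output: S1 ^ S4 ^ (S2 & S3)
    return bytes(b1 ^ b4 ^ (b2 & b3)
                 for b1, b2, b3, b4 in zip(state[1], state[2], state[3], state[4]))

def aegis128_process(state, data, decrypt=False):
    # Whole blocks only; the plaintext drives the update, so decryption recovers it first
    out = bytearray()
    for i in range(0, len(data), 16):
        blk = xor(data[i:i + 16], aegis128_keystream(state))
        out += blk
        state = aegis128_update(state, blk if decrypt else data[i:i + 16])
    return bytes(out), state            # (output, final state)

# Constructed placeholder start state; real AEGIS-128 derives it from K and IV.
DEMO_STATE = tuple(bytes(i * 16 + j for j in range(16)) for i in range(5))
```

Because the message block is XORed into S0 before the round, a single-block plaintext difference appears unchanged in the new S0 and in no other word after one step; it is the following steps that spread it across the state.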

SLIDE 12

AEGIS: Security (randomness of keystream)

  • Recent results (Minaud, SAC 2014)

– AEGIS-128

  • 2^130+ keystream bits for distinguishing

– AEGIS-256

  • 2^180+ keystream bits for distinguishing

SLIDE 13

Performance

  • Speed on Intel Skylake processor Core i5-6600 (Supercop-2016-08-06), no associated data.

SLIDE 14

Performance

  • Compare to the performance of Tiaoxin

– Tiaoxin extends AEGIS to larger state with more complicated state update function

  • state size of Tiaoxin: 1664 bits (60% more)
  • state size of AEGIS-128L: 1024 bits

– Larger state size in stream cipher design normally leads to faster speed
– Long message (on Skylake, Supercop-2016-08-06)

  • Tiaoxin: encryption 0.21 cpb; decryption 0.34 cpb
  • AEGIS-128L: encryption 0.25 cpb; decryption 0.25 cpb

– 1536-byte message (on Skylake, Supercop-2016-08-06)

  • Tiaoxin: encryption 0.36 cpb; decryption 0.48 cpb
  • AEGIS-128L: encryption 0.34 cpb; decryption 0.37 cpb


SLIDE 15

Performance

  • Hardware

– FPGA implementation of AEGIS-128L (Tao Huang)

  • For throughput optimized: 78.3 Gbps, 2424 slices

– 65 nm ASIC implementation of AEGIS-128 (Debjyoti Bhattacharjee, Anupam Chattopadhyay, DIAC 2015)

  • For throughput optimized: 121 Gbps, 173 KGE
  • For low-area optimized: 1.32 Gbps, 18.72 KGE

– We expect that AEGIS-128L is about twice as fast as AEGIS-128 on ASIC, with larger area (60% more)

SLIDE 16
Discussions

  • We restrict the disclosure of plaintext when authentication fails. What would happen if the attacker knows the decrypted plaintext when authentication fails?

– For AEGIS, the secret key remains strong, so there is little compromise of encryption security (since the attacker can access the decrypted plaintext, the encryption security of a single message is not a concern here)

SLIDE 17
Discussions

  • We restrict the disclosure of plaintext when authentication fails. What would happen if the attacker knows the decrypted plaintext when authentication fails?

– If the communication protocol terminates/restarts when authentication fails, then there is no compromise of authentication security

SLIDE 18
Conclusions

  • Simple design
  • Fast

– Software: targeting platforms with AES-NI
– Also fast in hardware

  • Strong in security