1`` ```` ```` ```` ```` ```` ```` ```` ```` ```` `` AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University.

Slides:



Advertisements
Similar presentations
Block Cipher Modes of Operation and Stream Ciphers
Advertisements

ECE454/CS594 Computer and Network Security
MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.
“Advanced Encryption Standard” & “Modes of Operation”
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CMSC 414 Computer (and Network) Security Lecture 4 Jonathan Katz.
Authenticated Encryption with Replay prOtection (AERO)
Submission doc.: IEEE 11-12/1253r1 November 2012 Dan Harkins, Aruba NetworksSlide 1 Why Use SIV for 11ai? Date: Authors:
CMSC 414 Computer (and Network) Security Lecture 5 Jonathan Katz.
1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
Wired Equivalent Privacy (WEP)
#1 EAX A two-pass authenticated encryption mode Mihir BellarePhillip RogawayDavid Wagner U.C. San Diego U.C. Davis and U.C. Berkeley Chiang Mai University.
Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
1 Cryptography and Network Security (Various Hash Algorithms) Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Changed by Somesh Jha)
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Cryptography and Network Security
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 21 “Public-Key Cryptography.
Modes of Operation. Topics  Overview of Modes of Operation  EBC, CBC, CFB, OFB, CTR  Notes and Remarks on each modes.
Message Authentication Requirements Disclosure Release of message contents to any person or process not possessing the appropriate cryptographic key Traffic.
COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.
Resynchronization Attacks on WG and LEX Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven ESAT/COSIC.
The Misuse of RC4 in Microsoft Office A paper by: Hongjun Wu Institute for Infocomm Research, Singapore ECE 578 Matthew Fleming.
Lecture 4.1: Hash Functions, and Message Authentication Codes CS 436/636/736 Spring 2015 Nitesh Saxena.
Cryptography Wei Wu. Internet Threat Model Client Network Not trusted!!
Stream Cipher July 2011.
Cryptanalysis of the Stream Cipher DECIM Hongjun Wu and Bart Preneel Katholieke Universiteit Leuven ESAT/COSIC.
CS555Spring 2012/Topic 111 Cryptography CS 555 Topic 11: Encryption Modes and CCA Security.
WEP Protocol Weaknesses and Vulnerabilities
Applied Cryptography Spring 2015 Chaining Modes. What happens when the clear text is longer than the block length k? Most simple solution — encrypt each.
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
3DES and Block Cipher Modes of Operation CSE 651: Introduction to Network Security.
Chapter 9: Algorithms Types and Modes Dulal C. Kar Based on Schneier.
Dr. Reuven Aviv, Nov 2008 Conventional Encryption 1 Conventional Encryption & Message Confidentiality Acknowledgements for slides Henric Johnson Blekinge.
TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof :: Naveen Sastry :: David Wagner Presented by Roh, Yohan October.
1 Message authentication codes, modes of operation, and indifferentiability Kan Yasuda (NTT, Japan) ASK 2011 Aug. 31, Singapore.
Class 3 Cryptography Refresher II CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman
Lecture 23 Symmetric Encryption
Symmetric Encryption Lesson Introduction ●Block cipher primitives ●DES ●AES ●Encrypting large message ●Message integrity.
Class 3 Cryptography Refresher II CIS 755: Advanced Computer Security Spring 2015 Eugene Vasserman
1 Symmetric-Key Encryption CSE 5351: Introduction to Cryptography Reading assignment: Chapter 2 Chapter 3 (sections ) You may skip proofs, but are.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Cipher Transmission and Storage Modes Part 2: Stream Cipher Modes CSCI 5857: Encoding and Encryption.
Wired Equivalent Privacy (WEP) Chris Overcash. Contents What is WEP? What is WEP? How is it implemented? How is it implemented? Why is it insecure? Why.
WLAN Security1 Security of WLAN Máté Szalay
COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.
Should NIST Develop an Additional Version of GCM? July 26, 2007 Morris Dworkin, Mathematician Security Technology Group
1 A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC.
Dan Boneh Authenticated Encryption CBC paddings attacks Online Cryptography Course Dan Boneh.
2010 CCSDS Spring Meeting, 5 May 2010 Portsmouth, VA, USA Encrypted Authentication ISO/IEC I. Aguilar – ESA/ESTEC.
Dan Boneh Authenticated Encryption Constructions from ciphers and MACs Online Cryptography Course Dan Boneh.
Wireless LAN Security Daniel Reichle Seminar Security Protocols and Applications SS2003.
CS555Spring 2012/Topic 141 Cryptography CS 555 Topic 14: CBC-MAC & Hash Functions.
@Yuan Xue 285: Network Security CS 285 Network Security Message Authentication Code Data integrity + Source authentication.
Presented by Meghana Ananth Gad and Archita Pathak
November 14, 2016 Secure MAC algorithms for use with NTP draft-aanchal4-ntp-mac-03 CFRG: IETF97 Aanchal Malhotra Sharon Goldberg.
Cryptography and Network Security Sixth Edition by William Stallings.
Block Cipher Modes CS 465 Make a chart for the mode comparisons
Cryptography Lecture 12.
December 4--8, Nonlinear Invariant Attack Practical Attack on Full SCREAM, iSCREAM, and Midori64 Name: Position: My research topics.
Block Ciphers (Crypto 2)
Cryptography Lecture 13.
Cryptography Lecture 11.
Hash Function Requirements
Counter With Cipher Block Chaining-MAC
Counter Mode, Output Feedback Mode
Stream Cipher Structure
Secret-Key Encryption
Presentation transcript:

1`` ```` ```` ```` ```` ```` ```` ```` ```` ```` `` AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University KU Leuven and iMinds SAC 2013

2 Outline Authenticated Encryption (AE) design rationale security performance

3 Authenticated Encryption (AE) Unforgeable Encryption [Katz-Yung’00] Authenticated Encryption - Generic composition for probabilistic encryption [Bellare-Namprempre’00]  Encrypt-then-MAC (IPsec)  MAC-then-Encrypt (TLS)  Encrypt-and-MAC Note: nonce-based Authenticated Encryption seems more relevant [Rogaway’13]

4 AE: composition Encryption  block cipher in CBC, CFB modes nonce reuse: suboptimal but mostly ok in practice  synchronous stream cipher + block cipher in OFB/CTR performance may be better highly insecure with nonce reuse Message Authentication Code  MAC without nonce: robust HMAC, CMAC, EMAC, Pelican MAC, PMAC …  MAC with nonce: highly insecure if none reuse UMAC, GMAC, (VMAC, Poly1305-AES)

5 AE: building blocks ( Tweakable) block cipher Synchronous stream cipher with IV Pseudo-Random Function (PRF) Permutation AES round function reduction proof

6 AE: properties Associated data Parallelizable Online for encryption Security reduction Resistance to nonce reuse Incremental tags Flexible implementation sizes Performance: speed/size Secure implementations: constant time/…

AE: block cipher based # passes//Online (encr) Nonce Misue Patented IAPM1  XECB1  OCB1  CCM2 GCM1*  EAX2  CWC2  SIV2  BTM1  McOE-G1* 

8 Authenticated Encryption: speed Fastest software designs exploit AES new instruction set (AES-NI) on recent Intel CPUs  Westmere (2010) 6 cycles/AES round function, 3-stage pipeline  2 cycles/AES round (fully used pipeline)  Sandy Bridge/Ivy Bridge (2011) 8 cycles/AES round function, 8-stage pipeline  1 cycle/AES round (fully used pipeline)  Haswell (2013) latest numbers [Gueron’13] AES-GCM 1.03 cycles/byte AES-OCB 0.69 cycles/byte

9 Authenticated Encryption Better designs?  hardware: high end and lightweight  software: high end and embedded CAESAR  Competition for Authenticated Encryption: Security, Applicability, and Robustness  2014 – 2017  submission deadline: Jan

10 AEGIS Design Goal Ultra fast nonce-based AE for network communication  reducing packet delay due to authentication/encryption on a busy server  for high speed TLS, IPsec, VPN, SSH  try to make optimal use of AES-NI

11 AEGIS: properties Associated data Parallelizable: locally Online for encryption No security reduction but easy to analyze Not resistant to nonce reuse No incremental tags Flexible implementation sizes: 128/256 Performance: speed/size Secure implementations: constant time/…

12 Design Rationale (1) Inspiration Pelican MAC  [Daemen-Rijmen’05]  128-bit secret state  easy to analyze  secure up to birthday bound  2.5 times faster than AES AES (10R) 0 K AES (4R) x2x2 AES (10R) K x1x1

Design Rationale (2) larger state: 5 x 128 bits but simpler operation: 1 AES round still easy to analyze AES (1R) S3S3 xixi S0S0 S1S1 S2S2 S4S4 length AEGIS (10R) K IV AEGIS (1R) x1x1 x2x2 AEGIS (7R) tag create stream cipher from MAC

14 Security claims Requirements for implementation  each key and nonce pair can be used only once  if verification fails, the decrypted message and wrong message authentication tag should not be given as output Forgery attack: success prob. 2 -t with t the tag size Key and state cannot be recovered faster than brute force if forgery attack is not successful  128-bit tags strongly recommended

15 Security analysis of AE Authentication Encryption Does authentication affect encryption?  short tag  easy forgery, and results in chosen ciphertext attack against encryption Does encryption weaken authentication?  ciphertext leaks state information, which may benefit a forgery attack such as partial state value, state collision

16 Security Authentication  a difference in ciphertext passes through at least 5 AES rounds stronger than Pelican MAC (4 AES rounds) Encryption  AEGIS encryption is a stream cipher with nonlinear state update function differential and linear analysis is precluded

17 Security: does authentication affect encryption? AEGIS without MAC is vulnerable to a chosen ciphertext attack To preclude chosen ciphertext attack 1) if tag verification fails, the decrypted plaintext should not be given as output 2) the tag size should be sufficiently large to resist a chosen-ciphertext attack (128-bit tag recommended)

18 Security: does encryption weaken authentication? At each step, AEGIS leaks 128-bit keystream, i.e., 128-bit state information The overall differential probability of the forgery attack against AEGIS increases But the differential probability that a difference propagates through 5 AES rounds is not affected  reason: at each step, the information leaked on S i,j is of the form:

Performance: 0.66 cycles/byte Intel Sandy Bridge Core-i5

20 Performance Intel Sandy Bridge Core-i5 Fastest AE

21 Conclusion: AEGIS Simple design  AEG-128 (this talk) and AEGIS-256 Ultra fast for protecting network packets  targeting platform with AES-NI  on platforms without AES-NI, AEGIS is faster than AES (factor ) Strong security

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.