AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2016 AEGIS 1

Similar documents
AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2015 AEGIS 1

AEGIS. A Fast Authenticated Encryption Algorithm. Nanyang Technological University KU Leuven and iminds DIAC 2014 AEGIS 1

Blockcipher-based Authentcated Encryption: How Small Can We Go? CHES 2017, Taipei, Taiwan

Updates on CLOC and SILC Version 3

The JAMBU Lightweight Authentication Encryption Mode (v2)

Software Benchmarking of the 2 nd round CAESAR Candidates

ALE: AES-Based Lightweight Authenticated Encryption

CLOC: Authenticated Encryption

Updates on CLOC and SILC

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Symmetric Cryptography

Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

ASCON: A Submission to CAESAR Ch. Dobraunig, M. Eichlseder, F. Mendel, M. Schläffer Graz University of Technology CECC 2015

A Chosen-key Distinguishing Attack on Phelix

On authenticated encryption and the CAESAR competition

05 - WLAN Encryption and Data Integrity Protocols

Comp527 status items. Crypto Protocols, part 2 Crypto primitives. Bart Preneel July Install the smart card software. Today

ECE 646 Lecture 8. Modes of operation of block ciphers

The OCB Authenticated-Encryption Algorithm

Implementation and Analysis of the PRIMATEs Family of Authenticated Ciphers

Cryptography and Network Security. Sixth Edition by William Stallings

EEC-484/584 Computer Networks

Symmetric Key Algorithms. Definition. A symmetric key algorithm is an encryption algorithm where the same key is used for encrypting and decrypting.

APE: Authenticated Permutation-Based Encryption for Lightweight Cryptography

Chosen Ciphertext Attack on SSS

McOE: A Family of Almost Foolproof On-Line Authenticated Encryption Schemes

Some Thoughts on Time-Memory-Data Tradeoffs

POMELO A Password Hashing Algorithm (Version 2)

Advanced Encryption Standard and Modes of Operation. Foundations of Cryptography - AES pp. 1 / 50

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

Hardware Accelerator for Stream Cipher Spritz

New mobile phone algorithms a real world story

Lecture 2B. RTL Design Methodology. Transition from Pseudocode & Interface to a Corresponding Block Diagram

Introduction to cryptology (GBIN8U16)

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

DIAC 2015, Sept, Singapore

Block Ciphers Tutorial. c Eli Biham - May 3, Block Ciphers Tutorial (5)

Some Aspects of Block Ciphers

AN INTEGRATED BLOCK AND STREAM CIPHER APPROACH FOR KEY ENHANCEMENT

Secret Key Algorithms (DES)

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Cryptography Functions

Vortex: A New Family of One-way Hash Functions Based on AES Rounds and Carry-less Multiplication

Implementing AES : performance and security challenges

Scanned by CamScanner

Block ciphers, stream ciphers

POMELO A Password Hashing Algorithm (Version 2)

Symmetric-Key Cryptography

Feedback Week 4 - Problem Set

Lecture 2: Secret Key Cryptography

EEC-682/782 Computer Networks I

ENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel

Attacks on Advanced Encryption Standard: Results and Perspectives

Stream Ciphers An Overview

Network Security Essentials Chapter 2

CS155. Cryptography Overview

AES Core Specification. Author: Homer Hsing

Computer Security CS 526

The Salsa20 Family of Stream Ciphers

Correlated Keystreams in Moustique

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Information Security CS526

Implementation of Full -Parallelism AES Encryption and Decryption

The Rectangle Attack

Integral Cryptanalysis of the BSPN Block Cipher

Benchmarking of Round 3 CAESAR Candidates in Hardware: Methodology, Designs & Results

Encryption Details COMP620

The Calico Family of Authenticated Ciphers

Content of this part

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Cryptography: Symmetric Encryption [continued]

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

Cryptography (cont.)

Overview of Security

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Secret Key Algorithms (DES) Foundations of Cryptography - Secret Key pp. 1 / 34

Trivium. 2 Specifications

Computer and Data Security. Lecture 3 Block cipher and DES

Pipelineable On-Line Encryption (POE)

Submission to ECRYPT call for stream ciphers: the self-synchronizing stream cipher Mosquito

An Introduction to new Stream Cipher Designs

Deoxys v1.41. Designers/Submitters: School of Physical and Mathematical Science, Nanyang Technological University, Singapore

Optimization of Hardware Implementations with High-Level Synthesis of Authenticated Encryption

Cryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

Solutions to exam in Cryptography December 17, 2013

Lightweight Cryptography: Designing Crypto for Low Energy and Low Power

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

CSCE 715: Network Systems Security

Area Optimization in Masked Advanced Encryption Standard

CAESAR Hardware API. Ekawat Homsirikamol, William Diehl, Ahmed Ferozpuri, Farnoud Farahmand, Panasayya Yalla, Jens-Peter Kaps, and Kris Gaj

Ming Ming Wong Jawad Haj-Yahya Anupam Chattopadhyay

RC4. Invented by Ron Rivest. A stream cipher Generate keystream byte at a step

Encryption / decryption system. Fig.1. Block diagram of Hummingbird

Encrypted Data Deduplication in Cloud Storage

H must be collision (2n/2 function calls), 2nd-preimage (2n function calls) and preimage resistant (2n function calls)

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Compact Dual Block AES core on FPGA for CCM Protocol

Transcription:

AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University KU Leuven and iminds DIAC 2016 AEGIS 1

AEGIS: A shield carried by Athena and Zeus DIAC 2016 AEGIS 2

Different Design Approaches: Fast AES-NI SIMD (AEGIS) (MORUS) Lightweight Mode (JAMBU) Dedicated (ACORN) DIAC 2016 AEGIS 3

No tweak for the second and third rounds DIAC 2016 AEGIS 4

AEGIS: Main features Simple Fast AEGIS-128L is 0.25 clock cycles/byte on Intel Skylake (long messages) Fully use the pipeline of AES-NI Nonce is used only once DIAC 2016 AEGIS 5

AEGIS AEGIS-128L 128-bit key, 1024-bit state AEGIS-128 128-bit key, 640-bit state AEGIS-256 256-bit key, 768-bit state Tag: 128-bit DIAC 2016 AEGIS 6

AEGIS: Properties Properties Parallelizable: locally No security reduction but easy to analyze Not resistant to nonce reuse Performance: size/speed tradeoff DIAC 2016 AEGIS 7

AEGIS Design Rationale Inspiration: Pelican MAC [Daemen-Rijmen 05] 128-bit secret state easy to analyze secure up to birthday bound 2.5 times faster than AES Our design: Save the state after each AES round, then construct stream cipher from MAC K x 1 x 2 K 0 AES (10R) AES (4R) AES (4R) AES (10R) 8 DIAC 2016 AEGIS 8

AEGIS Design Rationale (2) Parallel AES round functions in each step so as to fill the AES instruction pipeline AEGIS-128L can make full use of the AES instruction pipeline of Intel Haswell and Skylake processors DIAC 2016 AEGIS 9

AEGIS-128 S 0 S 1 S 2 S 3 S 4 K IV x i AES(1R) AES(1R) AES(1R) AES(1R) AES(1R) K IV AEGIS (10R) x 1 AEGIS (1R) larger state: 5 x 128 bits but simpler operation: 1 AES round length x 2 AEGIS (1R) still easy to analyze AEGIS (7R) DIAC 2016 AEGIS tag 10

AEGIS: Security Authentication a difference in ciphertext passes through at least 4 AES rounds stronger than Pelican MAC (4 AES rounds) since difference being distributed to at least 4 words Encryption AEGIS encryption is a stream cipher with nonlinear state update function differential and linear analysis is precluded DIAC 2016 AEGIS 11

AEGIS: Security Randomness of keystream Recent results (Minaud, SAC 2014) AEGIS-128 2 130+ keystream bits for distinguishing AEGIS-256 2 180+ keystream bits for distinguishing DIAC 2016 AEGIS 12

Performance Speed on Intel Skylake processor Core i5-6600 (Supercop-2016-08-06) No associated data. DIAC 2016 AEGIS 13

Performance Compare to the performance of Tiaoxin Tiaoxin extends AEGIS to larger state with more complicated state update function state size of Tiaoxin: 1664 bits (60% more) state size of AEGIS-128L: 1024 bits Larger state size in stream cipher design normally leads to faster speed Long message (on Skylake, Supercop-2016-08-06) Tiaoxin: encryption 0.21 cpb; decryption 0.34 cpb AEGIS-128L: encryption 0.25 cpb; decryption 0.25 cpb 1536-byte message (on Skylake, Supercop-2016-08-06) Tiaoxin: encryption 0.36 cpb; decryption 0.48 cpb AEGIS-128L: encryption 0.34 cpb; decryption 0.37 cpb DIAC 2016 AEGIS 14

Performance Hardware FPGA implementation of AEGIS-128L (Tao Huang) For throughput optimized: 78.3 Gbps, 2424 slices 65 nm ASIC implementation of AEGIS-128 (Debjyoti Bhattacharjee, Anupam Chattopadhyay, DIAC 2015) For throughput optimized: 121 Gbps, 173 KGE For Low area optimized: 1.32 Gbps, 18.72 KGE We expect that AEGIS-128L is about twice as fast as AEGIS-128 on ASIC, with larger area (60% more) DIAC 2016 AEGIS 15

Discussions We restrict the disclosure of plaintext when authentication failed. What would happen if the attacker knows the decrypted plaintext when authentication fails? For AEGIS, the secret key remains strong, so there is little compromise of encryption security (since the attacker can access the decrypted plaintext, the encryption security of a single message is not a concern here) DIAC 2016 AEGIS 16

Discussions We restrict the disclosure of plaintext when authentication failed. What would happen if the attacker knows the decrypted plaintext when authentication fails? If the communication protocol terminates/restarts when authentication fails, then there is no compromise of authentication security DIAC 2016 AEGIS 17

Conclusions Simple design Fast Software: targeting platforms with AES-NI Also fast in hardware Strong in security DIAC 2016 AEGIS 18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback