Internet-Draft The AEGIS family of authenticated encryp December 2021
Denis & Scotoni Expires 7 June 2022 [Page]
Workgroup:
Network Working Group
Internet-Draft:
draft-denis-aegis-aead-latest
Published:
Intended Status:
Informational
Expires:
Authors:
F. Denis
Fastly Inc.
F.E.R. Scotoni
Individual Contributor

The AEGIS family of authenticated encryption algorithms

Abstract

This document describes AEGIS-128L and AEGIS-256, two AES-based authenticated encryption algorithms designed for high-performance applications.

Discussion Venues

This note is to be removed before publishing as an RFC.

Source for this draft and an issue tracker can be found at https://github.com/jedisct1/draft-aegis-aead.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 7 June 2022.

Table of Contents

1. Introduction

This document describes the AEGIS-128L and AEGIS-256 authenticated encryption with associated data (AEAD) algorithms [AEGIS], a variant of which has been chosen as a winner in the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR). All variants of AEGIS are constructed from the AES encryption round function [FIPS-AES]. This document specifies:

With some existing AEAD schemes, an attacker can generate a ciphertext that successfully decrypts under multiple different keys (a partitioning oracle attack)[LGR21]. This ability to craft a (ciphertext, authentication tag) pair that verifies under multiple keys significantly reduces the number of required interactions with the oracle in order to perform an exhaustive search, making it practical if the key space is small. One example for a small key space is password-based encryption: an attacker can guess a large number of passwords at a time by recursively submitting such a ciphertext to an oracle, which speeds up a password search by reducing it to a binary search.

While this may be mitigated by means of inserting a padding block in the aforementioned algorithms, this workaround comes with additional processing cost and must itself be carefully constructed to resist leaking information via timing. As a key-committing AEAD scheme, the AEGIS cipher family is naturally resistant against partitioning oracle attacks.

Oftentimes, nonce space is another issue; randomly chosen nonces may be safe for only a very limited number of messages. Nonces may be safely chosen at random with no practical limit when using AEGIS-256; this applies irrespective of the length of individual or total messages.

At the same time, the AEGIS cipher family offers optimal performance on CPUs with hardware support for parallelizable AES block encryption. Its performance exceeds that of AES-GCM[AEGIS] significantly while offering key-commitment and increased safety when using random nonces.

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

Primitives:

AEGIS internal functions:

Input blocks are 256 bits for AEGIS-128L and 128 bits for AEGIS-256.

AES blocks:

AES blocks are always 128 bits in length.

Input and output values:

3. The AEGIS-128L Algorithm

AEGIS-128L has a 1024-bit state, made of eight 128-bit blocks {S0, ...S7}.

The parameters for this algorithm, as defined in [RFC5116], Section 4 are:

Distinct associated data inputs, as described in [RFC5116], Section 3 shall be unambiguously encoded as a single input. It is up to the application to create a structure in the associated data input if needed.

3.1. Authenticated Encryption

The Encrypt function encrypts a message and returns the ciphertext along with an authentication tag that verifies the authenticity of the message and associated data, if provided.

Encrypt(msg, ad, key, nonce)

Inputs:

  • msg: the message to be encrypted.
  • ad: the associated data to authenticate.
  • key: the encryption key.
  • nonce: the public nonce.

Outputs:

  • ct: the ciphertext.
  • tag: the authentication tag.

Steps:

Init(key, nonce)

ct = {}

ad_blocks = Split(Pad(ad, 256), 256)
for xi in ad_blocks:
    Enc(xi)

msg_blocks = Split(Pad(msg, 256), 256)
for xi in msg_blocks:
    ct = ct || Enc(xi)

tag = Finalize(|ad|, |msg|)
msg = Truncate(msg, |ct|)

3.2. Authenticated Decryption

The Decrypt function decrypts a ciphertext, verifies that the authentication tag is correct, and returns the message on success or an error if tag verification failed.

Decrypt(ct, tag, ad, key, nonce)

Inputs:

  • ct: the ciphertext to be decrypted.
  • tag: the authentication tag.
  • ad: the associated data to authenticate.
  • key: the encryption key.
  • nonce: the public nonce.

Outputs:

  • msg: the message, or an error indicating that the authentication tag is invalid for the given inputs.

Steps:

Init(key, nonce)

msg = {}

ad_blocks = Split(Pad(ad, 256), 256)
for xi in ad_blocks:
    Enc(xi)

ct_blocks = Split(ct, 256)
cn = Tail(ct, |ct| mod 256)

for ci in ct_blocks:
    msg = msg || Dec(ci)

if cn is not empty:
    msg = msg || DecPartial(cn)

expected_tag = Finalize(|ad|, |msg|)

The comparison of the input tag with the expected_tag SHOULD be done in constant time. If verification fails, the decrypted message and wrong message authentication tag SHOULD NOT be given as output.

3.3. The Init Function

Init(key, nonce)

The Init function constructs the initial state {S0, ...S7} using the given key and nonce.

Inputs:

  • key: the encryption key.
  • nonce: the nonce.

Defines:

  • {S0, ...S7}: the initial state.

Steps:

S0 = key ^ nonce
S1 = C1
S2 = C0
S3 = C1
S4 = key ^ nonce
S5 = key ^ C0
S6 = key ^ C1
S7 = key ^ C0

Repeat(10, Update(nonce, key))

3.4. The Update Function

Update(M0, M1)

The Update function is the core of the AEGIS-128L algorithm. It updates the state {S0, ...S7} using two 128-bit values.

Inputs:

  • M0: the first 128-bit block to be absorbed.
  • M1: the second 128-bit block to be absorbed.

Modifies:

  • {S0, ...S7}: the state.

Steps:

S'0 = AESRound(S7, S0 ^ M0)
S'1 = AESRound(S0, S1)
S'2 = AESRound(S1, S2)
S'3 = AESRound(S2, S3)
S'4 = AESRound(S3, S4 ^ M1)
S'5 = AESRound(S4, S5)
S'6 = AESRound(S5, S6)
S'7 = AESRound(S6, S7)

S0  = S'0
S1  = S'1
S2  = S'2
S3  = S'3
S4  = S'4
S5  = S'5
S6  = S'6
S7  = S'7

3.5. The Enc Function

Enc(xi)

The Enc function encrypts a 256-bit input block xi using the state {S0, ...S7}.

Inputs:

  • xi: the 256-bit encrypted input block.

Outputs:

  • ci: the 256-bit decrypted block.

Steps:

z0 = S6 ^ S1 ^ (S2 & S3)
z1 = S2 ^ S5 ^ (S6 & S7)

t0, t1 = Split(xi, 128)
out0 = t0 ^ z0
out1 = t1 ^ z1

Update(t0, t1)
ci = out0 || out1

3.6. The Dec Function

Dec(ci)

The Dec function decrypts a 256-bit input block ci using the state {S0, ...S7}.

Inputs:

  • ci: the 256-bit encrypted input block.

Outputs:

  • xi: the 256-bit decrypted block.

Steps:

z0 = S6 ^ S1 ^ (S2 & S3)
z1 = S2 ^ S5 ^ (S6 & S7)

t0, t1 = Split(ci, 128)
out0 = t0 ^ z0
out1 = t1 ^ z1

Update(out0, out1)
xi = out0 || out1

3.7. The DecPartial Function

DecPartial(cn)

The DecPartial function decrypts the last ciphertext bits cn using the state {S0, ...S7} when they do not fill an entire block.

Inputs:

  • cn: the encrypted input.

Outputs:

  • xn: the decryption of cn.

Steps:

z0 = S6 ^ S1 ^ (S2 & S3)
z1 = S2 ^ S5 ^ (S6 & S7)

t0, t1 = Split(Pad(cn, 256), 128)
out0 = t0 ^ z0
out1 = t1 ^ z1

xn = Truncate(out0 || out1, |cn|)

v0, v1 = Split(Pad(xn, 256), 128)
Update(v0, v1)

3.8. The Finalize Function

Finalize(ad_len, msg_len)

The Finalize function computes a 128-bit tag that authenticates the message and associated data.

Inputs:

  • ad_len: the length of the associated data in bits.
  • msg_len: the length of the message in bits.

Outputs:

  • tag: the authentication tag.

Steps:

t = S2 ^ (LE64(ad_len) || LE64(msg_len))

Repeat(7, Update(t, t))

tag = S0 ^ S1 ^ S2 ^ S3 ^ S4 ^ S5 ^ S6

4. The AEGIS-256 Algorithm

AEGIS-256 has a 768-bit state, made of six 128-bit blocks {S0, ...S5}.

The parameters for this algorithm, as defined in [RFC5116], Section 4 are:

Distinct associated data inputs, as described in [RFC5116], Section 3 shall be unambiguously encoded as a single input. It is up to the application to create a structure in the associated data input if needed.

4.1. Authenticated Encryption

Encrypt(msg, ad, key, nonce)

The Encrypt function encrypts a message and returns the ciphertext along with an authentication tag that verifies the authenticity of the message and associated data, if provided.

Inputs:

  • msg: the message to be encrypted.
  • ad: the associated data to authenticate.
  • key: the encryption key.
  • nonce: the public nonce.

Outputs:

  • ct: the ciphertext.
  • tag: the authentication tag.

Steps:

Init(key, nonce)

ct = {}

ad_blocks = Split(Pad(ad, 128), 128)
for xi in ad_blocks:
    Enc(xi)

msg_blocks = Split(Pad(msg, 128), 128)
for xi in msg_blocks:
    ct = ct || Enc(xi)

tag = Finalize(|ad|, |msg|)

4.2. Authenticated Decryption

The Decrypt function decrypts a ciphertext, verifies that the authentication tag is correct, and returns the message on success or an error if tag verification failed.

Decrypt(ct, tag, ad, key, nonce)

Inputs:

  • ct: the ciphertext to be decrypted.
  • tag: the authentication tag.
  • ad: the associated data to authenticate.
  • key: the encryption key.
  • nonce: the public nonce.

Outputs:

  • msg: the message, or an error indicating that the authentication tag is invalid for the given inputs.

Steps:

Init(key, nonce)

msg = {}

ad_blocks = Split(Pad(ad, 128), 128)
for xi in ad_blocks:
    Enc(xi)

ct_blocks = Split(Pad(ct, 128), 128)
cn = Tail(ct, |ct| mod 128)

for ci in ct_blocks:
    msg = msg || Dec(ci)

if cn is not empty:
    msg = msg || DecPartial(cn)

expected_tag = Finalize(|ad|, |msg|)

The comparison of the input tag with the expected_tag SHOULD be done in constant time. If verification fails, the decrypted message and wrong message authentication tag SHOULD NOT be given as output.

4.3. The Init Function

Init(key, nonce)

The Init function constructs the initial state {S0, ...S5} using the given key and nonce.

Inputs:

  • key: the encryption key.
  • nonce: the nonce.

Defines:

  • {S0, ...S5}: the initial state.

Steps:

k0, k1 = Split(key, 128)
n0, n1 = Split(nonce, 128)

S0 = k0 ^ n0
S1 = k1 ^ n1
S2 = C1
S3 = C0
S4 = k0 ^ C0
S5 = k1 ^ C1

Repeat(4,
  Update(k0)
  Update(k1)
  Update(k0 ^ n0)
  Update(k1 ^ n1)
)

4.4. The Update Function

Update(M)

The Update function is the core of the AEGIS-256 algorithm. It updates the state {S0, ...S5} using a 128-bit value.

Inputs:

  • msg: the block to be absorbed.

Modifies:

  • {S0, ...S5}: the state.

Steps:

S'0 = AESRound(S5, S0 ^ M)
S'1 = AESRound(S0, S1)
S'2 = AESRound(S1, S2)
S'3 = AESRound(S2, S3)
S'4 = AESRound(S3, S4)
S'5 = AESRound(S4, S5)

S0  = S'0
S1  = S'1
S2  = S'2
S3  = S'3
S4  = S'4
S5  = S'5

4.5. The Enc Function

Enc(xi)

The Enc function encrypts a 128-bit input block xi using the state {S0, ...S5}.

Inputs:

  • xi: the encrypted input block.

Outputs:

  • ci: the decrypted block.

Steps:

z = S1 ^ S4 ^ S5 ^ (S2 & S3)

Update(xi)

ci = xi ^ z

4.6. The Dec Function

Dec(ci)

The Dec function decrypts a 128-bit input block ci using the state {S0, ...S5}.

Inputs:

  • ci: the encrypted input block.

Outputs:

  • xi: the decrypted block.

Steps:

z = S1 ^ S4 ^ S5 ^ (S2 & S3)

xi = ci ^ z

Update(xi)

It returns the 128-bit block out.

4.7. The DecPartial Function

DecPartial(cn)

The DecPartial function decrypts the last ciphertext bits cn using the state {S0, ...S5} when they do not fill an entire block.

Inputs:

  • cn: the encrypted input.

Outputs:

  • xn: the decryption of cn.

Steps:

z = S1 ^ S4 ^ S5 ^ (S2 & S3)

t = Pad(ci, 128)
out = t ^ z

xn = Truncate(out, |cn|)

v = Pad(xn, 128)
Update(v)

4.8. The Finalize Function

Finalize(ad_len, msg_len)

The Finalize function computes a 128-bit tag that authenticates the message and associated data.

Inputs:

  • ad_len: the length of the associated data in bits.
  • msg_len: the length of the message in bits.

Outputs:

  • tag: the authentication tag.

Steps:

t = S3 ^ (LE64(ad_len) || LE64(msg_len))

Repeat(7, Update(t))

tag = S0 ^ S1 ^ S2 ^ S3 ^ S4 ^ S5

5. Encoding (ct, tag) Tuples

Applications MAY keep the ciphertext and the 128-bit authentication tag in distinct structures or encode both as a single string.

In the latter case, the tag MUST immediately follow the ciphertext:

combined_ct = ct || tag

6. Security Considerations

Both algorithms MUST be used in a nonce-respecting setting: for a given key, a nonce MUST only be used once. Failure to do so would immediately reveal the bitwise difference between two messages.

If verification fails, the decrypted message and wrong message authentication tag SHOULD NOT be given as output.

Every key must be randomly chosen from a uniform distribution.

The nonce does not have to be secret nor unpredictable. It can be a counter, the output of a permutation, or a generator with a long period.

With AEGIS-128L, random nonces can safely encrypt up to 232 messages using the same key with negligible collision probability.

With AEGIS-256, random nonces can be used with no practical limits.

Under the assumption that the secret key is unknown to the attacker and the tag is not truncated, both AEGIS-128L and AEGIS-256 target 128-bit security against forgery attacks.

AEGIS-256 offers 256-bit message security against plaintext and state recovery. AEGIS-128L offers 128-bit security. They are both key-committing.

The security of AEGIS against timing attacks is limited by the implementation of the underlying AESRound() function. Failure to implement AESRound() in a fashion safe against side-channel attacks, such as differential power analysis or timing attacks, may lead to leakage of secret key material or state information. The exact mitigations required for side-channel attacks also depend on the threat model in question.

A security analysis of AEGIS can be found in Chapter 4 of [AEGIS].

7. IANA Considerations

IANA is requested to assign entries for AEAD_AEGIS128L and AEAD_AEGIS256 in the AEAD Registry with this document as reference.

8. References

8.1. Normative References

[FIPS-AES]
National Institute of Standards and Technology, "Advanced Encryption Standard (AES)", FIPS PUB 197, , <http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/rfc/rfc2119>.
[RFC5116]
McGrew, D., "An Interface and Algorithms for Authenticated Encryption", RFC 5116, DOI 10.17487/RFC5116, , <https://www.rfc-editor.org/rfc/rfc5116>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/rfc/rfc8174>.

8.2. Informative References

[AEGIS]
Wu, H. and B. Preneel, "AEGIS: A fast encryption algorithm (v1.1)", , <https://competitions.cr.yp.to/round3/aegisv11.pdf>.
[LGR21]
Len, J., Grubbs, P., and T. Ristenpart, "Partitioning Oracle Attacks", 30th USENIX Security Symposium (USENIX Security 21), , <https://www.usenix.org/conference/usenixsecurity21/presentation/len>.

Appendix A. Test Vectors

A.1. AESRound Test Vector

in   : 000102030405060708090a0b0c0d0e0f

rk   : 101112131415161718191a1b1c1d1e1f

out  : 7a7b4e5638782546a8c0477a3b813f43

A.2. AEGIS-128L Test Vectors

A.2.1. Update Test Vector

S0   : 9b7e60b24cc873ea894ecc07911049a3
S1   : 330be08f35300faa2ebf9a7b0d274658
S2   : 7bbd5bd2b049f7b9b515cf26fbe7756c
S3   : c35a00f55ea86c3886ec5e928f87db18
S4   : 9ebccafce87cab446396c4334592c91f
S5   : 58d83e31f256371e60fc6bb257114601
S6   : 1639b56ea322c88568a176585bc915de
S7   : 640818ffb57dc0fbc2e72ae93457e39a

M0   : 033e6975b94816879e42917650955aa0
M1   : 033e6975b94816879e42917650955aa0

After Update:
S0   : 596ab773e4433ca0127c73f60536769d
S1   : 790394041a3d26ab697bde865014652d
S2   : 38cf49e4b65248acd533041b64dd0611
S3   : 16d8e58748f437bfff1797f780337cee
S4   : 69761320f7dd738b281cc9f335ac2f5a
S5   : a21746bb193a569e331e1aa985d0d729
S6   : 09d714e6fcf9177a8ed1cde7e3d259a6
S7   : 61279ba73167f0ab76f0a11bf203bdff

A.2.2. Test Vector 1

key  : 00000000000000000000000000000000

nonce: 00000000000000000000000000000000

ad   :

msg  : 00000000000000000000000000000000

ct   : 41de9000a7b5e40e2d68bb64d99ebb19

tag  : f4d997cc9b94227ada4fe4165422b1c8

A.2.3. Test Vector 2

key  : 00000000000000000000000000000000

nonce: 00000000000000000000000000000000

ad   :

msg  :

ct   :

tag  : 83cc600dc4e3e7e62d4055826174f149

A.2.4. Test Vector 3

key  : 10010000000000000000000000000000

nonce: 10000200000000000000000000000000

ad   : 0001020304050607

msg  : 000102030405060708090a0b0c0d0e0f
       101112131415161718191a1b1c1d1e1f

ct   : 79d94593d8c2119d7e8fd9b8fc77845c
       5c077a05b2528b6ac54b563aed8efe84

tag  : cc6f3372f6aa1bb82388d695c3962d9a

A.2.5. Test Vector 4

key  : 10010000000000000000000000000000

nonce: 10000200000000000000000000000000

ad   : 0001020304050607

msg  : 000102030405060708090a0b0c0d

ct   : 79d94593d8c2119d7e8fd9b8fc77

tag  : 5c04b3dba849b2701effbe32c7f0fab7

A.3. AEGIS-256 Test Vectors

A.3.1. Update Test Vector

S0   : 1fa1207ed76c86f2c4bb40e8b395b43e
S1   : b44c375e6c1e1978db64bcd12e9e332f
S2   : 0dab84bfa9f0226432ff630f233d4e5b
S3   : d7ef65c9b93e8ee60c75161407b066e7
S4   : a760bb3da073fbd92bdc24734b1f56fb
S5   : a828a18d6a964497ac6e7e53c5f55c73

M    : b165617ed04ab738afb2612c6d18a1ec

After Update:
S0   : e6bc643bae82dfa3d991b1b323839dcd
S1   : 648578232ba0f2f0a3677f617dc052c3
S2   : ea788e0e572044a46059212dd007a789
S3   : 2f1498ae19b80da13fba698f088a8590
S4   : a54c2ee95e8c2a2c3dae2ec743ae6b86
S5   : a3240fceb68e32d5d114df1b5363ab67

A.3.2. Test Vector 1

key  : 00000000000000000000000000000000
       00000000000000000000000000000000

nonce: 00000000000000000000000000000000
       00000000000000000000000000000000

ad   :

msg  : 00000000000000000000000000000000

ct   : b98f03a947807713d75a4fff9fc277a6

tag  : 478f3b50dc478ef7d5cf2d0f7cc13180

A.3.3. Test Vector 2

key  : 00000000000000000000000000000000
       00000000000000000000000000000000

nonce: 00000000000000000000000000000000
       00000000000000000000000000000000

ad   :

msg  :

ct   :

tag  : f7a0878f68bd083e8065354071fc27c3

A.3.4. Test Vector 3

key  : 10010000000000000000000000000000
       00000000000000000000000000000000

nonce: 10000200000000000000000000000000
       00000000000000000000000000000000

ad   : 0001020304050607

msg  : 000102030405060708090a0b0c0d0e0f
       101112131415161718191a1b1c1d1e1f

ct   : f373079ed84b2709faee373584585d60
       accd191db310ef5d8b11833df9dec711

tag  : 8d86f91ee606e9ff26a01b64ccbdd91d

A.3.5. Test Vector 4

key  : 10010000000000000000000000000000
       00000000000000000000000000000000

nonce: 10000200000000000000000000000000
       00000000000000000000000000000000

ad   : 0001020304050607

msg  : 000102030405060708090a0b0c0d

ct   : d511a8bc62d306027fe2a3d86557

tag  : fac608ca370638a3cad5194544ec2d7f

Acknowledgments

TODO acknowledge

Authors' Addresses

Frank Denis
Fastly Inc.
Fabio Enrico Renzo Scotoni
Individual Contributor