The AEGIS family of authenticated encryption algorithms

The AEGIS family of authenticated encryption algorithms Fastly Inc.

fde@00f.net

Individual Contributor

fabio@esse.ch

Individual Contributor

samuel-lucas6@pm.me

Crypto Forum Internet-Draft This document describes AEGIS-128L and AEGIS-256, two AES-based authenticated encryption algorithms designed for high-performance applications. This document is a product of the Crypto Forum Research Group (CFRG) in the IRTF. Discussion Venues Source for this draft and an issue tracker can be found at .

Introduction This document describes the AEGIS-128L and AEGIS-256 authenticated encryption with associated data (AEAD) algorithms , which were chosen as additional finalists for high-performance applications in the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR). Whilst AEGIS-128 was selected as a winner for this use case, AEGIS-128L has a better security margin alongside improved performance and AEGIS-256 uses a 256-bit key . All variants of AEGIS are constructed from the AES encryption round function . This document specifies:

AEGIS-128L, which has a 128-bit key, a 128-bit nonce, a 1024-bit state, a 128-bit authentication tag, and processes 256-bit input blocks.
AEGIS-256, which has a 256-bit key, a 256-bit nonce, a 768-bit state, a 128-bit authentication tag, and processes 128-bit input blocks.

The AEGIS cipher family offers performance that significantly exceeds that of AES-GCM with hardware support for parallelizable AES block encryption . Similarly, software implementations can also be faster, although to a lesser extent. Unlike with AES-GCM, nonces can be safely chosen at random with no practical limit when using AEGIS-256. AEGIS-128L also allows for more messages to be safely encrypted when using random nonces. With some existing AEAD schemes, such as AES-GCM, an attacker can generate a ciphertext that successfully decrypts under multiple different keys (a partitioning oracle attack) . This ability to craft a (ciphertext, authentication tag) pair that verifies under multiple keys significantly reduces the number of required interactions with the oracle in order to perform an exhaustive search, making it practical if the key space is small. For example, with password-based encryption, an attacker can guess a large number of passwords at a time by recursively submitting such a ciphertext to an oracle, which speeds up a password search by reducing it to a binary search. A key-committing AEAD scheme is more resistant against partitioning oracle attacks than non-committing AEAD schemes, making it significantly harder to find multiple keys that are valid for a given authentication tag. As of the time of writing, no research has been published claiming that AEGIS is not a key-committing AEAD scheme. Finally, unlike most other AES-based AEAD constructions, such as Rocca and Tiaoxin, leaking the state does not leak the key. Note that an earlier version of Hongjun Wu and Bart Preneel's paper introducing AEGIS specified AEGIS-128L and AEGIS-256 sporting differences with regards to the computation of the authentication tag and the number of rounds in Finalize() respectively. We follow the specification of that is current at the time of writing, which can be found in the References section of this document.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. Primitives:

|x|: the length of x in bits.
a ^ b: the bitwise exclusive OR operation between a and b.
a & b: the bitwise AND operation between a and b.
a || b: the concatenation of a and b.
a mod b: the remainder of the Euclidean division between a as the dividend and b as the divisor.
LE64(x): the little-endian encoding of 64-bit integer x.
ZeroPad(x, n): padding operation. Trailing zeros are concatenated to x until the total length is a multiple of n bits.
Truncate(x, n): truncation operation. The first n bits of x are kept.
Split(x, n): splitting operation. x is split into n-bit blocks, ignoring partial blocks.
Tail(x, n): returns the last n bits of x.
AESRound(in, rk): a single round of the AES encryption round function, which is the composition of the SubBytes, ShiftRows, MixColums and AddRoundKey transformations, as defined in section 5 of . Here, in is the 128-bit AES input state, and rk is the 128-bit round key.
Repeat(n, F): n sequential evaluations of the function F.
CtEq(a, b): compares a and b in constant-time, returning True for an exact match, False otherwise.

AEGIS internal functions:

Update(M0, M1): the state update function.
Init(key, nonce): the initialization function.
Enc(xi): the input block encryption function.
Dec(ci): the input block decryption function.
DecPartial(cn): the input block decryption function for the last ciphertext bits when they do not fill an entire block.
Finalize(ad_len, msg_len): the authentication tag generation function.

Input blocks are 256 bits for AEGIS-128L and 128 bits for AEGIS-256. AES blocks:

Si: the i-th AES block of the current state.
S'i: the i-th AES block of the next state.
{Si, ...Sj}: the vector of the i-th AES block of the current state to the j-th block of the current state.
C0: the constant 0x000101020305080d1522375990e97962 as an AES block.
C1: the constant 0xdb3d18556dc22ff12011314273b528dd as an AES block.

AES blocks are always 128 bits in length. Input and output values:

key: the encryption key (128 bits for AEGIS-128L, 256 bits for AEGIS-256).
nonce: the public nonce (128 bits for AEGIS-128L, 256 bits for AEGIS-256).
ad: the associated data.
msg: the plaintext.
ct: the ciphertext.
tag: the authentication tag (128 bits).

The AEGIS-128L Algorithm AEGIS-128L has a 1024-bit state, made of eight 128-bit blocks {S0, ...S7}. The parameters for this algorithm, whose meaning is defined in are:

K_LEN (key length) is 16 octets (128 bits).
P_MAX (maximum length of the plaintext) is 2⁶¹ octets (2⁶⁴ bits).
A_MAX (maximum length of the associated data) is 2⁶¹ octets (2⁶⁴ bits).
N_MIN (minimum nonce length) = N_MAX (maximum nonce length) = 16 octets (128 bits).
C_MAX (maximum ciphertext length) = P_MAX + tag length = 2⁶¹ + 16 octets (2⁶⁴ + 128 bits).

Distinct associated data inputs, as described in shall be unambiguously encoded as a single input. It is up to the application to create a structure in the associated data input if needed.

Authenticated Encryption The Encrypt function encrypts a message and returns the ciphertext along with an authentication tag that verifies the authenticity of the message and associated data, if provided. Security:

For a given key, the nonce MUST NOT be reused under any circumstances; doing so allows an attacker to recover the internal state.
The key MUST be randomly chosen from a uniform distribution.

Inputs:

msg: the message to be encrypted (length MUST be less than P_MAX).
ad: the associated data to authenticate (length MUST be less than A_MAX).
key: the encryption key.
nonce: the public nonce.

Outputs:

ct: the ciphertext.
tag: the authentication tag.

Steps:

Authenticated Decryption The Decrypt function decrypts a ciphertext, verifies that the authentication tag is correct, and returns the message on success or an error if tag verification failed. Security:

If tag verification fails, the decrypted message and wrong message authentication tag MUST NOT be given as output. The decrypted message MUST be overwritten with zeros.
The comparison of the input tag with the expected_tag MUST be done in constant time.

Inputs:

ct: the ciphertext to be decrypted (length MUST be less than C_MAX).
tag: the authentication tag.
ad: the associated data to authenticate (length MUST be less than A_MAX).
key: the encryption key.
nonce: the public nonce.

Outputs:

Either the decrypted message msg, or an error indicating that the authentication tag is invalid for the given inputs.

Steps:

The Init Function The Init function constructs the initial state {S0, ...S7} using the given key and nonce. Inputs:

key: the encryption key.
nonce: the nonce.

Defines:

{S0, ...S7}: the initial state.

Steps:

The Update Function The Update function is the core of the AEGIS-128L algorithm. It updates the state {S0, ...S7} using two 128-bit values. Inputs:

M0: the first 128-bit block to be absorbed.
M1: the second 128-bit block to be absorbed.

Modifies:

{S0, ...S7}: the state.

Steps:

The Enc Function The Enc function encrypts a 256-bit input block xi using the state {S0, ...S7}. Inputs:

xi: the 256-bit input block.

Outputs:

ci: the 256-bit encrypted block.

Steps:

The Dec Function The Dec function decrypts a 256-bit input block ci using the state {S0, ...S7}. Inputs:

ci: the 256-bit encrypted block.

Outputs:

xi: the 256-bit decrypted block.

Steps:

The DecPartial Function The DecPartial function decrypts the last ciphertext bits cn using the state {S0, ...S7} when they do not fill an entire block. Inputs:

cn: the encrypted input.

Outputs:

xn: the decryption of cn.

Steps:

The Finalize Function The Finalize function computes a 128-bit tag that authenticates the message and associated data. Inputs:

ad_len: the length of the associated data in bits.
msg_len: the length of the message in bits.

Outputs:

tag: the authentication tag.

Steps:

The AEGIS-256 Algorithm AEGIS-256 has a 768-bit state, made of six 128-bit blocks {S0, ...S5}. The parameters for this algorithm, whose meaning is defined in are:

K_LEN (key length) is 32 octets (256 bits).
P_MAX (maximum length of the plaintext) is 2⁶¹ octets (2⁶⁴ bits).
A_MAX (maximum length of the associated data) is 2⁶¹ octets (2⁶⁴ bits).
N_MIN (minimum nonce length) = N_MAX (maximum nonce length) = 32 octets (256 bits).
C_MAX (maximum ciphertext length) = P_MAX + tag length = 2⁶¹ + 16 octets (2⁶⁴ + 128 bits).

Distinct associated data inputs, as described in shall be unambiguously encoded as a single input. It is up to the application to create a structure in the associated data input if needed.

For a given key, the nonce MUST NOT be reused under any circumstances; doing so allows an attacker to recover the internal state.
The key MUST be randomly chosen from a uniform distribution.

Inputs:

msg: the message to be encrypted (length MUST be less than P_MAX).
ad: the associated data to authenticate (length MUST be less than A_MAX).
key: the encryption key.
nonce: the public nonce.

Outputs:

ct: the ciphertext.
tag: the authentication tag.

Steps:

If tag verification fails, the decrypted message and wrong message authentication tag MUST NOT be given as output. The decrypted message MUST be overwritten with zeros.
The comparison of the input tag with the expected_tag MUST be done in constant time.

Inputs:

ct: the ciphertext to be decrypted (length MUST be less than C_MAX).
tag: the authentication tag.
ad: the associated data to authenticate (length MUST be less than A_MAX).
key: the encryption key.
nonce: the public nonce.

Outputs:

Either the decrypted message msg, or an error indicating that the authentication tag is invalid for the given inputs.

Steps:

The Init Function The Init function constructs the initial state {S0, ...S5} using the given key and nonce. Inputs:

key: the encryption key.
nonce: the nonce.

Defines:

{S0, ...S5}: the initial state.

Steps:

The Update Function The Update function is the core of the AEGIS-256 algorithm. It updates the state {S0, ...S5} using a 128-bit value. Inputs:

msg: the block to be absorbed.

Modifies:

{S0, ...S5}: the state.

Steps:

The Enc Function The Enc function encrypts a 128-bit input block xi using the state {S0, ...S5}. Inputs:

xi: the input block.

Outputs:

ci: the encrypted input block.

Steps:

The Dec Function The Dec function decrypts a 128-bit input block ci using the state {S0, ...S5}. Inputs:

ci: the encrypted input block.

Outputs:

xi: the decrypted block.

Steps: It returns the 128-bit block out.

The DecPartial Function The DecPartial function decrypts the last ciphertext bits cn using the state {S0, ...S5} when they do not fill an entire block. Inputs:

cn: the encrypted input.

Outputs:

xn: the decryption of cn.

Steps:

The Finalize Function The Finalize function computes a 128-bit tag that authenticates the message and associated data. Inputs:

ad_len: the length of the associated data in bits.
msg_len: the length of the message in bits.

Outputs:

tag: the authentication tag.

Steps:

Encoding (ct, tag) Tuples Applications MAY keep the ciphertext and the 128-bit authentication tag in distinct structures or encode both as a single string. In the latter case, the tag MUST immediately follow the ciphertext:

Security Considerations AEGIS-256 offers 256-bit message security against plaintext and state recovery, whereas AEGIS-128L offers 128-bit security. Both have a 128-bit authentication tag, which implies that a given tag may verify under multiple keys. However, assuming AEGIS is key-committing, finding equivalent keys is expected to be significantly more difficult than for authentication schemes based on polynomial evaluation, such as GCM and Poly1305. Under the assumption that the secret key is unknown to the attacker and the tag is not truncated, both AEGIS-128L and AEGIS-256 target 128-bit security against forgery attacks. Both algorithms MUST be used in a nonce-respecting setting: for a given key, a nonce MUST only be used once. Failure to do so would immediately reveal the bitwise difference between two messages. If tag verification fails, the decrypted message and wrong message authentication tag MUST NOT be given as output. As shown in the analysis of the (robustness of CAESAR candidates beyond their guarantees), even a partial leak of the plaintext without verification would facilitate chosen ciphertext attacks. Every key MUST be randomly chosen from a uniform distribution. The nonce MAY be public or predictable. It can be a counter, the output of a permutation, or a generator with a long period. With AEGIS-128L, random nonces can safely encrypt up to 2⁴⁸ messages using the same key with negligible collision probability. With AEGIS-256, random nonces can be used with no practical limits. The security of AEGIS against timing and physical attacks is limited by the implementation of the underlying AESRound() function. Failure to implement AESRound() in a fashion safe against timing and physical attacks, such as differential power analysis, timing analysis or fault injection attacks, may lead to leakage of secret key material or state information. The exact mitigations required for timing and physical attacks also depend on the threat model in question. Security analyses of AEGIS can be found in Chapter 4 of , in , in , in , and in .

IANA Considerations IANA has assigned the following identifiers in the AEAD Algorithms Registry: AEGIS entries in the AEAD Algorithms Registry

Algorithm Name	ID
`AEAD_AEGIS128L`	`32`
`AEAD_AEGIS256`	`33`

IANA has also assigned the following TLS cipher suites in the TLS Cipher Suite Registry: AEGIS entries in the TLS Cipher Suite Registry

Cipher Suite Name	Value
`TLS_AEGIS_256_SHA384`	`{0x13,0x06}`
`TLS_AEGIS_128L_SHA256`	`{0x13,0x07}`

IANA is requested to update the references of these entries to refer to the final version of this document.

References Normative References Advanced encryption standard (AES) National Institute of Standards and Technology

US Gaithersburg

Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. An Interface and Algorithms for Authenticated Encryption This document defines algorithms for Authenticated Encryption with Associated Data (AEAD), and defines a uniform interface and a registry for such algorithms. The interface and registry can be used as an application-independent set of cryptoalgorithm suites. This approach provides advantages in efficiency and security, and promotes the reuse of crypto implementations. [STANDARDS-TRACK] Informative References AEGIS: A fast encryption algorithm (v1.1) Nanyang Technological University KU Leuven Guess-and-Determine Attacks on AEGIS State Key Laboratory of Cryptology, Beijing State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences State Key Laboratory of Cryptology, Beijing The Computer Journal Weak Keys in Reduced AEGIS and Tiaoxin East China Normal University; University of Hyogo University of Hyogo; National Institute of Information and Communications Technology; PRESTO, Japan Science and Technology Agency University of Applied Sciences and Arts Northwestern Switzerland University of Hyogo IACR Transactions on Symmetric Cryptology, 2021(2), pp. 104–139 Partitioning Oracle Attacks Cornell Tech Cornell Tech Cornell Tech 30th USENIX Security Symposium (USENIX Security 21), pp. 195–212 Analyzing the Linear Keystream Biases in AEGIS Graz University of Technology Graz University of Technology Graz University of Technology IACR Transactions on Symmetric Cryptology, 2019(4), pp. 348–368 Can Caesar Beat Galois? Robustness of CAESAR Candidates against Nonce Reusing and High Data Complexity Attacks École Polytechnique Fédérale de Lausanne EPFL École Polytechnique Fédérale de Lausanne EPFL Applied Cryptography and Network Security. ACNS 2018. Lecture Notes in Computer Science, vol 10892, pp. 476–494 Linear Biases in AEGIS Keystream Agence nationale de la sécurité des systèmes d'information ANSSI Selected Areas in Cryptography. SAC 2014. Lecture Notes in Computer Science, vol 8781, pp. 290–305

Test Vectors

AESRound Test Vector

AEGIS-128L Test Vectors

Update Test Vector

Test Vector 1

Test Vector 2

Test Vector 3

Test Vector 4

Test Vector 5

Test Vector 6 This test MUST return a "verification failed" error.

Test Vector 7 This test MUST return a "verification failed" error.

Test Vector 8 This test MUST return a "verification failed" error.

Test Vector 9 This test MUST return a "verification failed" error.

AEGIS-256 Test Vectors

Update Test Vector

Test Vector 1

Test Vector 2

Test Vector 3

Test Vector 4

Test Vector 5

Test Vector 6 This test MUST return a "verification failed" error.

Test Vector 7 This test MUST return a "verification failed" error.

Test Vector 8 This test MUST return a "verification failed" error.

Test Vector 9 This test MUST return a "verification failed" error.

Acknowledgments The AEGIS authenticated encryption algorithm was invented by Hongjun Wu and Bart Preneel. The round function leverages the AES permutation invented by Joan Daemen and Vincent Rijmen. They also authored the Pelican MAC that partly motivated the design of the AEGIS MAC. We would like to thank Eric Lagergren and Daniel Bleichenbacher for catching a broken test vector and Daniel Bleichenbacher for many helpful suggestions.