Workgroup: Network Working Group Internet-Draft: draft-denis-aegis-aead-latest Published:

24 October 2021 Intended Status: Informational Expires: 27 April 2022 Author:

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶

This Internet-Draft will expire on 27 April 2022.¶

Copyright Notice

Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.¶

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶

1. Introduction

This document describes the AEGIS-128L and AEGIS-256 authenticated encryption algorithms [AEGIS].¶

Both are constructed from the AES encryption round function [FIPS-AES].¶

• AEGIS-128L has a 128-bit key, a 128-bit nonce, a 1024 bit state, a 128-bit authentication tag, and processes 256-bit input blocks.¶
• AEGIS-256 has a 256-bit key, a 256-bit nonce, a 768-bit state, a 128-bit authentication tag, and processes 128-bit input blocks.¶

The AEGIS cipher family offers optimal performance on CPUs with hardware support for parallelizable AES block encryption.¶

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶

3. Notation and Conventions

Primitives:¶

• |x|: the length of x in bits¶
• a ^ b: the bit-wise exclusive OR operation between a and b¶
• a & b: the bit-wise AND operation between a and b¶
• a || b: the concatenation of a and b¶
• LE64(x): the little-endian encoding of 64-bit integer x¶
• Pad(x, n): padding operation. Trailing zeros are concatenated to x until the total length is a multiple of n bits.¶
• Truncate(x, n): truncation operation. The first n bits of x are kept.¶
• Split(x, n): splitting operation. x is split into n-bit blocks.¶
• AESRound(a, b): the AES encryption round function. a is the 128-bit AES input block, b is the 128-bit round key¶
• Repeat(n, F): n sequential evaluations of the function F¶

AEGIS internal functions:¶

• Update(M0, M1): the state update function¶
• Init(k, iv): the initialization function¶
• Enc(xi): the 256-bit block encryption function¶
• Dec(ci): the 256-bit block decryption function¶
• Finalize(adlen, mlen): the authentication tag generation function¶

AES blocks:¶

• Si: the i-th 128-bit block of the current state¶
• S'i: the i-th 128-bit block of the next state¶
• C0: the 128-bit constant 0x000101020305080d1522375990e97962 as an AES block¶
• C1: the 128-bit constant 0xdb3d18556dc22ff12011314273b528dd as an AES block¶

Input and output values:¶

• k: the encryption key (128-bit for AEGIS-128L, 256-bit for AEGIS-256)¶
• iv: the public nonce (128-bit for AEGIS-128L, 256-bit for AEGIS-256)¶
• ad: the associated data¶
• m: the cleartext input¶
• c: the ciphertext¶
• tag: the 128-bit authentication tag¶

4. The AEGIS-128L Algorithm

AEGIS-128L has a 1024 bit state, made of eight 128-bit blocks.¶

Update(M0, M1)

S'0 = AESRound(S7, S0 ^ M0)
S'1 = AESRound(S0, S1);
S'2 = AESRound(S1, S2);
S'3 = AESRound(S2, S3);
S'4 = AESRound(S3, S4 ^ M1);
S'5 = AESRound(S4, S5);
S'6 = AESRound(S5, S6);
S'7 = AESRound(S6, S7);

S0  = S'0
S1  = S'1
S2  = S'2
S3  = S'3
S4  = S'4
S5  = S'5
S6  = S'6
S7  = S'7

Init(k, iv)

S0 = k ^ iv
S1 = C1
S2 = C0
S3 = C1
S4 = k ^ iv
S5 = k ^ C0
S6 = k ^ C1
S7 = k ^ C0

Repeat(10, Update(iv, k))

Enc(xi)

z0 = S6 ^ S1 ^ (S2 & S3)
z1 = S2 ^ S5 ^ (S6 & S7)

t0, t1 = Split(xi, 128)
out0 = t0 ^ z0
out1 = t1 ^ z1

Update(t0, t1)
ci = out0 || out1

Dec(ci)

z0 = S6 ^ S1 ^ (S2 & S3)
z1 = S2 ^ S5 ^ (S6 & S7)

t0, t1 = Split(ci, 128)
out0 = t0 ^ z0
out1 = t1 ^ z1

Update(out0, out1)
xi = out0 || out1

Finalize(adlen, mlen)

t = S2 ^ (LE64(adlen) || LE64(mlen))

Repeat(7, Update(t, t))

tag = S0 ^ S1 ^ S2 ^ S3 ^ S4 ^ S5 ^ S6

Encrypt(m, ad, k, iv)

Init(k, iv)

c = {}

ad_blocks = Split(Pad(ad, 256), 256)
for xi in ad_blocks:
    Enc(xi)

m_blocks = Split(Pad(m, 256), 256)
for xi in m_blocks:
    c = c || Enc(xi)

tag = Finalize(|ad|, |m|)

Decrypt(c, tag, ad, k, iv)

Init(k, iv)

m = {}

ad_blocks = Split(Pad(ad, 256), 256)
for xi in ad_blocks:
    Enc(xi)

c_blocks = Split(Pad(c, 256), 256)
for ci in c_blocks:
    m = m || Dec(ci)

m = Truncate(m, |c|)
expected_tag = Finalize(|ad|, |m|)

5. The AEGIS-256 Algorithm

AEGIS-256 has a 768 bit state, made of six 128-bit blocks.¶

Update(M)

S'0 = AESRound(S5, S0 ^ M)
S'1 = AESRound(S0, S1);
S'2 = AESRound(S1, S2);
S'3 = AESRound(S2, S3);
S'4 = AESRound(S3, S4);
S'5 = AESRound(S4, S5);

S0  = S'0
S1  = S'1
S2  = S'2
S3  = S'3
S4  = S'4
S5  = S'5

Init(k, iv)

k0, k1 = Split(k, 128)
iv0, iv1 = Split(iv, 128)

S0 = k0 ^ iv0
S1 = k1 ^ iv1
S2 = C1
S3 = C0
S4 = k0 ^ C0
S5 = k1 ^ C1

Repeat(4,
  Update(k0)
  Update(k1)
  Update(k0 ^ iv0)
  Update(k1 ^ iv1)
)

Enc(xi)

z = S1 ^ S4 ^ S5 ^ (S2 & S3)

ci = xi ^ z

Update(xi)

Dec(ci)

z = S1 ^ S4 ^ S5 ^ (S2 & S3)

xi = ci ^ z

Update(xi)

Finalize(adlen, mlen)

t = S3 ^ (LE64(adlen) || LE64(mlen))

Repeat(7, Update(t))

tag = S0 ^ S1 ^ S2 ^ S3 ^ S4 ^ S5

Encrypt(m, ad, k, iv)

Init(k, iv)

c = {}

ad_blocks = Split(Pad(ad, 128), 128)
for xi in ad_blocks:
    Enc(xi)

m_blocks = Split(Pad(m, 128), 128)
for xi in m_blocks:
    c = c || Enc(xi)

tag = Finalize(|ad|, |m|)

Decrypt(c, tag, ad, k, iv)

Init(k, iv)

m = {}

ad_blocks = Split(Pad(ad, 128), 128)
for xi in ad_blocks:
    Enc(xi)

c_blocks = Split(Pad(c, 128), 128)
for ci in c_blocks:
    m = m || Dec(ci)

m = Truncate(m, |c|)
expected_tag = Finalize(|ad|, |m|)

6. Encoding (c, tag) Tuples

Applications may keep the ciphertext and the 128-bit authentication tag in distinct structures, or encore both as a single string.¶

In the later case, the tag is expected to immediately follow the ciphertext:¶

combined_ciphertext = c || tag

7. Security Considerations

Both algorithms must be used in a nonce-respecting setting: for a given key k, a nonce must only be used once. Failure to do so would immediately reveal the bitwise difference between two messages.¶

The nonce iv doesn't have to be secret nor unpredictable. It can be a counter, the output of a permutation or a generator with a long period.¶

With AEGIS-128L, random nonces can safely encrypt up to 2^32 messages using the same key with negligible collision probability.¶

With AEGIS-256, random nonces can be used with no practical limits.¶

Under the assumption that the secret key is unknown to the attacker and the tag is not truncated, both AEGIS-128L and AEGIS-256 target 128-bit security against forgery attacks.¶

AEGIS-256 offers 256-bit message security against plaintext and state recovery. AEGIS-128L offers 128-bit security. They are both key-committing.¶

8. IANA Considerations

This document has no IANA actions.¶

9. Test Vectors

key  : 00000000000000000000000000000000

nonce: 00000000000000000000000000000000

ad   :

m    : 00000000000000000000000000000000

c    : 41de9000a7b5e40e2d68bb64d99ebb19

tag  : f4d997cc9b94227ada4fe4165422b1c8

key  : 00000000000000000000000000000000

nonce: 00000000000000000000000000000000

ad   :

m    :

c    :

tag  : 83cc600dc4e3e7e62d4055826174f149

key  : 10010000000000000000000000000000

nonce: 10000200000000000000000000000000

ad   : 0001020304050607

m    : 000102030405060708090a0b0c0d0e0f
       101112131415161718191a1b1c1d1e1f

c    : 79d94593d8c2119d7e8fd9b8fc77845c
       5c077a05b2528b6ac54b563aed8efe84

tag  : cc6f3372f6aa1bb82388d695c3962d9a

key  : 00000000000000000000000000000000
       00000000000000000000000000000000

nonce: 00000000000000000000000000000000
       00000000000000000000000000000000

ad   :

m    : 00000000000000000000000000000000

c    : b98f03a947807713d75a4fff9fc277a6

tag  : 478f3b50dc478ef7d5cf2d0f7cc13180

key  : 00000000000000000000000000000000
       00000000000000000000000000000000

nonce: 00000000000000000000000000000000
       00000000000000000000000000000000

ad   :

m    :

c    :

tag  : f7a0878f68bd083e8065354071fc27c3

key  : 10010000000000000000000000000000
       00000000000000000000000000000000

nonce: 10000200000000000000000000000000
       00000000000000000000000000000000

ad   : 0001020304050607

m    : 000102030405060708090a0b0c0d0e0f
       101112131415161718191a1b1c1d1e1f

c    : f373079ed84b2709faee373584585d60
       accd191db310ef5d8b11833df9dec711

tag  : 8d86f91ee606e9ff26a01b64ccbdd91d

Author's Address