]>
The AEGIS family of authenticated encryption algorithms
Fastly Inc.
fde@00f.net
Individual Contributor
fabio@esse.ch
Individual Contributor
samuellucas6@pm.me
InternetDraft
This document describes AEGIS128L and AEGIS256, two AESbased authenticated encryption algorithms designed for highperformance applications.
Discussion Venues
Source for this draft and an issue tracker can be found at
.
Introduction
This document describes the AEGIS128L and AEGIS256 authenticated encryption with associated data (AEAD) algorithms , a variant of which has been chosen as a winner in the Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR). All variants of AEGIS are constructed from the AES encryption round function . This document specifies:
 AEGIS128L, which has a 128bit key, a 128bit nonce, a 1024bit state, a 128bit authentication tag, and processes 256bit input blocks.
 AEGIS256, which has a 256bit key, a 256bit nonce, a 768bit state, a 128bit authentication tag, and processes 128bit input blocks.
With some existing AEAD schemes, an attacker can generate a ciphertext that successfully decrypts under multiple different keys (a partitioning oracle attack). This ability to craft a (ciphertext, authentication tag) pair that verifies under multiple keys significantly reduces the number of required interactions with the oracle in order to perform an exhaustive search, making it practical if the key space is small. One example for a small key space is passwordbased encryption: an attacker can guess a large number of passwords at a time by recursively submitting such a ciphertext to an oracle, which speeds up a password search by reducing it to a binary search.
While this may be mitigated by means of inserting a padding block in the aforementioned algorithms, this workaround comes with additional processing cost and must itself be carefully constructed to resist leaking information via timing. As a keycommitting AEAD scheme, the AEGIS cipher family is naturally more resistant against partitioning oracle attacks than noncommitting AEAD schemes, making it significantly harder to find multiple different keys that decrypt successfully.
Moreover, AEGIS is context committing, meaning different associated data for a (key, nonce) pair results in a different keystream for encryption, not just a different authentication tag. This provides some resistance against key reuse when encrypting data in different contexts.
Oftentimes, nonce space is another issue; randomly chosen nonces may be safe for only a very limited number of messages. Nonces may be safely chosen at random with no practical limit when using AEGIS256; this applies irrespective of the length of individual or total messages.
At the same time, the AEGIS cipher family offers optimal performance on CPUs with hardware support for parallelizable AES block encryption. Its performance exceeds that of AESGCM significantly while offering key commitment, context commitment, and increased safety when using random nonces.
Note that an earlier version of Hongjun Wu and Bart Preneel's paper introducing AEGIS specified AEGIS128L and AEGIS256 sporting differences with regards to the computation of the authentication tag and the number of rounds in Finalize(), respectively. We follow the specification of that is current at the time of writing; it may be found in the References section of this document.
Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 when, and only when, they
appear in all capitals, as shown here.
Primitives:

x: the length of x in bits.

a ^ b: the bitwise exclusive OR operation between a and b.

a & b: the bitwise AND operation between a and b.

a  b: the concatenation of a and b.

a mod b: the remainder of the Euclidean division between a as the dividend and b as the divisor.

LE64(x): the littleendian encoding of 64bit integer x.

Pad(x, n): padding operation. Trailing zeros are concatenated to x until the total length is a multiple of n bits.

Truncate(x, n): truncation operation. The first n bits of x are kept.

Split(x, n): splitting operation. x is split nbit blocks, ignoring partial blocks.

Tail(x, n): returns the last n bits of x.

AESRound(in, rk): a single round of the AES encryption round function, which is the composition of the SubBytes, ShiftRows, MixColums and AddRoundKey transformations, as defined in section 5 of . in is the 128bit AES input state, and rk is the 128bit round key.

Repeat(n, F): n sequential evaluations of the function F.
AEGIS internal functions:

Update(M0, M1): the state update function.

Init(key, nonce): the initialization function.

Enc(xi): the input block encryption function.

Dec(ci): the input block decryption function.

DecPartial(cn): the input block decryption function for the last ciphertext bits when they do not fill an entire block.

Finalize(ad_len, msg_len): the authentication tag generation function.
Input blocks are 256 bits for AEGIS128L and 128 bits for AEGIS256.
AES blocks:

Si: the ith AES block of the current state.

S'i: the ith AES block of the next state.

{Si, ...Sj}: the vector of the ith AES block of the current state to the jth block of the current state.

C0: the constant 0x000101020305080d1522375990e97962 as an AES block.

C1: the constant 0xdb3d18556dc22ff12011314273b528dd as an AES block.
AES blocks are always 128 bits in length.
Input and output values:

key: the encryption key (128 bits for AEGIS128L, 256 bits for AEGIS256).

nonce: the public nonce (128 bits for AEGIS128L, 256 bits for AEGIS256).

ad: the associated data.

msg: the plaintext.

ct: the ciphertext.

tag: the authentication tag (128 bits).
The AEGIS128L Algorithm
AEGIS128L has a 1024bit state, made of eight 128bit blocks {S0, ...S7}.
The parameters for this algorithm, whose meaning is defined in are:

K_LEN (key length) is 16 octets.

P_MAX (maximum length of the plaintext) is 2^{61} octets.

A_MAX (maximum length of the associated data) is 2^{61} octets.

N_MIN (minimum nonce length) = N_MAX (maximum nonce length) = 16 octets.

C_MAX (maximum ciphertext length) = P_MAX + tag length = 2^{61} + 16 octets.
Distinct associated data inputs, as described in shall be unambiguously encoded as a single input.
It is up to the application to create a structure in the associated data input if needed.
Authenticated Encryption
The Encrypt function encrypts a message and returns the ciphertext along with an authentication tag that verifies the authenticity of the message and associated data, if provided.
Inputs:

msg: the message to be encrypted.

ad: the associated data to authenticate.

key: the encryption key.

nonce: the public nonce.
Outputs:

ct: the ciphertext.

tag: the authentication tag.
Steps:
Authenticated Decryption
The Decrypt function decrypts a ciphertext, verifies that the authentication tag is correct, and returns the message on success or an error if tag verification failed.
Inputs:

ct: the ciphertext to be decrypted.

tag: the authentication tag.

ad: the associated data to authenticate.

key: the encryption key.

nonce: the public nonce.
Outputs:

msg: the message, or an error indicating that the authentication tag is invalid for the given inputs.
Steps:
The comparison of the input tag with the expected_tag SHOULD be done in constant time. If verification fails, the decrypted message and wrong message authentication tag MUST NOT be given as output.
The Init Function
The Init function constructs the initial state {S0, ...S7} using the given key and nonce.
Inputs:

key: the encryption key.

nonce: the nonce.
Defines:

{S0, ...S7}: the initial state.
Steps:
The Update Function
The Update function is the core of the AEGIS128L algorithm.
It updates the state {S0, ...S7} using two 128bit values.
Inputs:

M0: the first 128bit block to be absorbed.

M1: the second 128bit block to be absorbed.
Modifies:
Steps:
The Enc Function
The Enc function encrypts a 256bit input block xi using the state {S0, ...S7}.
Inputs:

xi: the 256bit input block.
Outputs:

ci: the 256bit encrypted block.
Steps:
The Dec Function
The Dec function decrypts a 256bit input block ci using the state {S0, ...S7}.
Inputs:

ci: the 256bit encrypted block.
Outputs:

xi: the 256bit decrypted block.
Steps:
The DecPartial Function
The DecPartial function decrypts the last ciphertext bits cn using the state {S0, ...S7} when they do not fill an entire block.
Inputs:
Outputs:

xn: the decryption of cn.
Steps:
The Finalize Function
The Finalize function computes a 128bit tag that authenticates the message and associated data.
Inputs:

ad_len: the length of the associated data in bits.

msg_len: the length of the message in bits.
Outputs:

tag: the authentication tag.
Steps:
The AEGIS256 Algorithm
AEGIS256 has a 768bit state, made of six 128bit blocks {S0, ...S5}.
The parameters for this algorithm, whose meaning is defined in are:

K_LEN (key length) is 32 octets.

P_MAX (maximum length of the plaintext) is 2^{61} octets.

A_MAX (maximum length of the associated data) is 2^{61} octets.

N_MIN (minimum nonce length) = N_MAX (maximum nonce length) = 32 octets.

C_MAX (maximum ciphertext length) = P_MAX + tag length = 2^{61} + 16 octets.
Distinct associated data inputs, as described in shall be unambiguously encoded as a single input.
It is up to the application to create a structure in the associated data input if needed.
Authenticated Encryption
The Encrypt function encrypts a message and returns the ciphertext along with an authentication tag that verifies the authenticity of the message and associated data, if provided.
Inputs:

msg: the message to be encrypted.

ad: the associated data to authenticate.

key: the encryption key.

nonce: the public nonce.
Outputs:

ct: the ciphertext.

tag: the authentication tag.
Steps:
Authenticated Decryption
The Decrypt function decrypts a ciphertext, verifies that the authentication tag is correct, and returns the message on success or an error if tag verification failed.
Inputs:

ct: the ciphertext to be decrypted.

tag: the authentication tag.

ad: the associated data to authenticate.

key: the encryption key.

nonce: the public nonce.
Outputs:

msg: the message, or an error indicating that the authentication tag is invalid for the given inputs.
Steps:
The comparison of the input tag with the expected_tag SHOULD be done in constant time. If verification fails, the decrypted message and wrong message authentication tag MUST NOT be given as output.
The Init Function
The Init function constructs the initial state {S0, ...S5} using the given key and nonce.
Inputs:

key: the encryption key.

nonce: the nonce.
Defines:

{S0, ...S5}: the initial state.
Steps:
The Update Function
The Update function is the core of the AEGIS256 algorithm.
It updates the state {S0, ...S5} using a 128bit value.
Inputs:

msg: the block to be absorbed.
Modifies:
Steps:
The Enc Function
The Enc function encrypts a 128bit input block xi using the state {S0, ...S5}.
Inputs:
Outputs:

ci: the encrypted input block.
Steps:
The Dec Function
The Dec function decrypts a 128bit input block ci using the state {S0, ...S5}.
Inputs:

ci: the encrypted input block.
Outputs:
Steps:
It returns the 128bit block out.
The DecPartial Function
The DecPartial function decrypts the last ciphertext bits cn using the state {S0, ...S5} when they do not fill an entire block.
Inputs:
Outputs:

xn: the decryption of cn.
Steps:
The Finalize Function
The Finalize function computes a 128bit tag that authenticates the message and associated data.
Inputs:

ad_len: the length of the associated data in bits.

msg_len: the length of the message in bits.
Outputs:

tag: the authentication tag.
Steps:
Encoding (ct, tag) Tuples
Applications MAY keep the ciphertext and the 128bit authentication tag in distinct structures or encode both as a single string.
In the latter case, the tag MUST immediately follow the ciphertext:
Security Considerations
AEGIS256 offers 256bit message security against plaintext and state recovery. AEGIS128L offers 128bit security. They are both keycommitting and contextcommitting, the implications of which are outlined in the introduction. However, neither is compactlycommitting because a 128bit tag is too short to be collision resistant. This means it is still possible for a ciphertext to be successfully decrypted under multiple different keys, just significantly more difficult than for AEAD schemes lacking key commitment.
Under the assumption that the secret key is unknown to the attacker and the tag is not truncated, both AEGIS128L and AEGIS256 target 128bit security against forgery attacks.
Both algorithms MUST be used in a noncerespecting setting: for a given key, a nonce MUST only be used once. Failure to do so would immediately reveal the bitwise difference between two messages.
If verification fails, the decrypted message and wrong message authentication tag MUST NOT be given as output. As shown in the analysis of the (robustness of CAESAR candidates beyond their guarantees), even a partial leak of the plaintext without verification would facilitate chosen ciphertext attacks.
Every key MUST be randomly chosen from a uniform distribution.
The nonce MAY be public or predictable. It can be a counter, the output of a permutation, or a generator with a long period.
With AEGIS128L, random nonces can safely encrypt up to 2^{32} messages using the same key with negligible collision probability.
With AEGIS256, random nonces can be used with no practical limits.
The security of AEGIS against timing attacks is limited by the implementation of the underlying AESRound() function. Failure to implement AESRound() in a fashion safe against sidechannel attacks, such as differential power analysis or timing attacks, may lead to leakage of secret key material or state information. The exact mitigations required for sidechannel attacks also depend on the threat model in question.
A security analysis of AEGIS can be found in Chapter 4 of .
IANA Considerations
IANA is requested to assign entries for AEAD_AEGIS128L and AEAD_AEGIS256 in the AEAD Registry with this document as reference.
References
Normative References
Advanced Encryption Standard (AES)
National Institute of Standards and Technology
Key words for use in RFCs to Indicate Requirement Levels
In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.
Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words
RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.
An Interface and Algorithms for Authenticated Encryption
This document defines algorithms for Authenticated Encryption with Associated Data (AEAD), and defines a uniform interface and a registry for such algorithms. The interface and registry can be used as an applicationindependent set of cryptoalgorithm suites. This approach provides advantages in efficiency and security, and promotes the reuse of crypto implementations. [STANDARDSTRACK]
Informative References
AEGIS: A fast encryption algorithm (v1.1)
Nanyang Technological University
KU Leuven
Partitioning Oracle Attacks
Cornell Tech
Cornell Tech
Cornell Tech
30th USENIX Security Symposium (USENIX Security 21)
Under Pressure: Security of Caesar Candidates beyond their Guarantees
EPFL, Switzerland
EPFL, Switzerland
Acknowledgments
The AEGIS authenticated encryption algorithm was invented by Hongjun Wu and Bart Preneel.
The round function leverages the AES permutation invented by Joan Daemen and Vincent Rijmen. They also authored the Pelican MAC that partly motivated the design of the AEGIS MAC.
We would like to thank Eric Lagergren and Daniel Bleichenbacher for catching a broken test vector and Daniel Bleichenbacher for many helpful suggestions.