In this paper, we describe and analyze the security of the AES-GCM-SIV mode of operation, as defined in the CFRG specification [10]. This mode differs from the original GCM-SIV mode that was designed in [11] in two main aspects. First, the CTR encryption uses a 127-bit pseudo-random counter instead of a 95-bit pseudo-random value concatenated with a 32-bit counter. This construction leads to improved security bounds when encrypting short messages. In addition, a new key derivation function is used for deriving a fresh set of keys for each nonce. This addition allows for encrypting up to 2^50 messages with the same key, compared to the significant limitation of only 2^32 messages that were allowed with GCM-SIV (which inherited this same limit from AES-GCM). As a result, the new construction is well suited for real-world applications that need a nonce-misuse-resistant authenticated encryption scheme. We explain the limitations of GCM-SIV, which motivate the new construction, prove the security properties of AES-GCM-SIV, and show how these properties support real usages. Implementations are publicly available in [8]. We remark that AES-GCM-SIV is already integrated into Google's BoringSSL library [1] and is deployed for ticket encryption in QUIC [17].

Preamble for the July 2017 edition

We would like to thank Tetsu Iwata and Yannick Seurin for alerting us to the fact that we had erroneously assumed that one of the terms in the security bounds of AES-GCM-SIV was dominated by another term (specifically, the advantage of the adversary A′; see the comments on pages 11 and 12 of the previous version of this paper). Thus, while the security proof was correct, the example concrete bounds were overly optimistic, most notably for very large messages. This July 2017 update fixes the concrete bounds that were given in the previous version, and some other small errors pointed out by Iwata and Seurin. Detailed proofs for the bounds appear in [12].
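The per-nonce key derivation the abstract refers to is fixed in RFC 8452, the published form of the CFRG specification: the key-generating key is never used for bulk encryption; instead, for each nonce, AES is applied to counter blocks `LE32(i) || nonce` and the first 64 bits of each output block are concatenated into a 128-bit record-authentication key and a 128- or 256-bit record-encryption key. The following Go program is an added example written for this page, not code from the paper, BoringSSL or any other project. It implements that derivation and the RFC 8452 counter-block handling (the initial counter is the tag with the top bit of its last byte set, advanced by a 32-bit little-endian increment of the first word; this is the published RFC's choice and differs from the 127-bit counter described in the abstract). The function names `DeriveKeys`, `InitialCounter`, `IncrementCounter` and `Keystream` and all sample inputs are my own; POLYVAL and the tag computation are deliberately omitted, so this is not a complete AEAD.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
)

// DeriveKeys performs the per-nonce key derivation of RFC 8452 (AES-GCM-SIV).
// keyGeneratingKey is 16 or 32 bytes, nonce is 12 bytes. It returns the
// 16-byte record-authentication key and the 16- or 32-byte record-encryption key.
func DeriveKeys(keyGeneratingKey, nonce []byte) (authKey, encKey []byte, err error) {
	if len(nonce) != 12 {
		return nil, nil, errors.New("nonce must be 96 bits")
	}
	if len(keyGeneratingKey) != 16 && len(keyGeneratingKey) != 32 {
		return nil, nil, errors.New("key-generating key must be 128 or 256 bits")
	}
	block, err := aes.NewCipher(keyGeneratingKey)
	if err != nil {
		return nil, nil, err
	}
	// Two 64-bit halves for the authentication key, plus two or four for the
	// encryption key, one AES block per half.
	nBlocks := 2 + len(keyGeneratingKey)/8
	var in, out [16]byte
	copy(in[4:], nonce) // block = LE32(i) || nonce
	derived := make([]byte, 0, 8*nBlocks)
	for i := 0; i < nBlocks; i++ {
		binary.LittleEndian.PutUint32(in[:4], uint32(i))
		block.Encrypt(out[:], in[:])
		derived = append(derived, out[:8]...) // keep only the first 64 bits
	}
	return derived[:16], derived[16:], nil
}

// InitialCounter builds the first CTR block from the tag as RFC 8452 does:
// the tag with the most significant bit of its last byte set to one.
func InitialCounter(tag [16]byte) [16]byte {
	ctr := tag
	ctr[15] |= 0x80
	return ctr
}

// IncrementCounter advances the counter by treating its first four bytes as a
// little-endian 32-bit integer that wraps; the remaining 96 bits are untouched.
func IncrementCounter(ctr [16]byte) [16]byte {
	c := binary.LittleEndian.Uint32(ctr[:4])
	binary.LittleEndian.PutUint32(ctr[:4], c+1)
	return ctr
}

// Keystream returns n bytes of AES-CTR keystream under encKey, starting at ctr.
func Keystream(encKey []byte, ctr [16]byte, n int) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, n)
	var ks [16]byte
	for len(out) < n {
		block.Encrypt(ks[:], ctr[:])
		take := n - len(out)
		if take > 16 {
			take = 16
		}
		out = append(out, ks[:take]...)
		ctr = IncrementCounter(ctr)
	}
	return out, nil
}

func main() {
	// Constructed demo inputs (assumptions for this example, not values from the paper).
	kgk := []byte("0123456789abcdef") // 128-bit key-generating key
	nonces := [][]byte{[]byte("nonce-000001"), []byte("nonce-000002")}
	for _, n := range nonces {
		ak, ek, err := DeriveKeys(kgk, n)
		if err != nil {
			panic(err)
		}
		// Distinct nonces yield independent-looking record keys under one long-term key.
		fmt.Printf("nonce %x\n  auth key %x\n  enc  key %x\n", n, ak, ek)
	}
	// A placeholder tag; in the real mode it is AES(encKey, POLYVAL(...) xor nonce, masked).
	var tag [16]byte
	copy(tag[:], "placeholder-tag!")
	ks, err := Keystream(kgk, InitialCounter(tag), 40)
	if err != nil {
		panic(err)
	}
	fmt.Printf("40 bytes of keystream from the counter block: %x\n", ks)
}
```

Running the program with the same nonce twice gives identical keys, which is exactly what nonce-misuse resistance needs: repeating a nonce only repeats the keys, and the tag derived from the plaintext then selects the counter, so a repeated (nonce, plaintext) pair leaks only equality of ciphertexts rather than the keystream.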
Supported by the BIU Center for Research in Applied Cryptography and Cyber Security in conjunction with the Israel National Cyber Bureau in the Prime Minister’s Office.
References (the numbering below is the index page's own and does not correspond to the citation numbers used in the abstract)

[1] Yehuda Lindell, et al. AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption. RFC 8452, 2019.
[2] Thomas Shrimpton, et al. Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Key-Wrap Problem. IACR Cryptology ePrint Archive, 2006.
[3] Mihir Bellare, et al. Increasing the Lifetime of a Key: A Comparative Analysis of the Security of Re-keying Techniques. ASIACRYPT, 2000.
[4] Yehuda Lindell, et al. Better Bounds for Block Cipher Modes of Operation via Nonce-Based Key Derivation. IACR Cryptology ePrint Archive, 2017.
[5] Mihir Bellare, et al. The Multi-user Security of Authenticated Encryption: AES-GCM in TLS 1.3. CRYPTO, 2016.
[6] Kazuhiro Suzuki, et al. Birthday Paradox for Multi-Collisions. 2007.
[7] Yehuda Lindell, et al. GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. CCS, 2015.
[8] A. J. Stam. Distance between sampling with and without replacement. 1978.
[9] Shay Gueron, et al. The Advantage of Truncated Permutations. CSCML, 2016.
[10] John Viega, et al. The Security and Performance of the Galois/Counter Mode (GCM) of Operation. INDOCRYPT, 2004.