Stronger Security Variants of GCM-SIV

At CCS 2015, Gueron and Lindell proposed GCM-SIV, a provably secure authenticated encryption scheme that remains secure even if the nonce is repeated. While this is an advantage over the original GCM, we first point out that GCM-SIV allows a trivial distinguishing attack with about 2^48 queries, where each query has one plaintext block. This shows the tightness of the security claim and does not contradict the provable security result. However, the original GCM resists the attack, and this raises the question of designing a variant of GCM-SIV that is secure against it. We present a minor variant of GCM-SIV, which we call GCM-SIV1, discuss that GCM-SIV1 resists the attack, and describe the security trade-off it offers compared to GCM-SIV. As the main contribution of the paper, we explore a scheme with a stronger security bound. We present GCM-SIV2, which is obtained by running two instances of GCM-SIV1 in parallel and mixing them in a simple way. We show that it is secure up to 2^85.3 query complexity, where the query complexity is measured in terms of the total number of blocks of the queries. Finally, we generalize this to GCM-SIVr, obtained by running r instances of GCM-SIV1 in parallel, where r ≥ 3, and show that the scheme is secure up to 2^(128r/(r+1)) query complexity (for r = 2 this expression gives the 2^85.3 bound above). The provable security results are obtained under the standard assumption that the blockcipher is a pseudorandom permutation.
