[Resource Topic] 2016/853: Stronger Security Variants of GCM-SIV

Welcome to the resource topic for 2016/853

Title: Stronger Security Variants of GCM-SIV

Authors: Tetsu Iwata, Kazuhiko Minematsu

Abstract:

At CCS 2015, Gueron and Lindell proposed GCM-SIV, a provably secure authenticated encryption scheme that remains secure even if the nonce is repeated. While this is an advantage over the original GCM, we first point out that GCM-SIV allows a trivial distinguishing attack with about 2^{48} queries, where each query has one plaintext block. This shows the tightness of the security claim and does not contradict the provable security result. However, the original GCM resists the attack, and this poses a question of designing a variant of GCM-SIV that is secure against the attack. We present a minor variant of GCM-SIV, which we call GCM-SIV1, and discuss that GCM-SIV1 resists the attack, and it offers a security trade-off compared to GCM-SIV. As the main contribution of the paper, we explore a scheme with a stronger security bound. We present GCM-SIV2, which is obtained by running two instances of GCM-SIV1 in parallel and mixing them in a simple way. We show that it is secure up to 2^{85.3} query complexity, where the query complexity is measured in terms of the total number of blocks of the queries. Finally, we generalize this to GCM-SIVr, obtained by running r instances of GCM-SIV1 in parallel, where r ≥ 3, and show that the scheme is secure up to 2^{128r/(r+1)} query complexity. The provable security results are obtained under the standard assumption that the blockcipher is a pseudorandom permutation.

ePrint: https://eprint.iacr.org/2016/853


Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics.