GCM Variants with Robust Initialization Vectors
Abstract
1. Introduction
2. Preliminaries
3. Extended Mirror Theory
- must be acyclic, i.e., has no graph cycles.
- for all paths in the graph , where .
- for all cycles with exactly one non-equation edge (the remaining edges are the equation edges) in the graph G, where .
- must be acyclic, i.e., has no graph cycles.
- for all paths with an even length in the graph , where .
- for all cycles with an even length containing exactly one non-equation edge (the remaining edges are the equation edges) in the graph G, where .
4. GCM-RIV1
4.1. Specific Description of GCM-RIV1
Algorithm 1 The key generation algorithm:
Input: a key parameter k. Output: two keys. return
Algorithm 2 The encryption algorithm:
Input: two keys, a nonce N, an associated datum A, and a plaintext M. Output: a ciphertext C and a tag T. return
Algorithm 3 The decryption algorithm:
Input: two keys, a nonce N, an associated datum A, a ciphertext C, and a tag T. Output: a plaintext M or ⊥. if , return M else return ⊥ (INVALID) endif
Algorithm 4 The leakage algorithm:
Input: two keys, a nonce N, an associated datum A, a ciphertext C, and a tag T. Output: a leaking invalid plaintext M or ⊤. if , return ⊤ else return M endif
Algorithm 5 GHASH algorithm:
Input: a key L, an associated datum A, and a plaintext M. Output: a hash value h. , , for to x do endfor return h
Algorithm 6 CTR algorithm:
Input: a key K, an initial vector V, and a plaintext M. Output: a ciphertext C. Partition M into , for to do endfor return
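The following Python is an added worked example and is not code from the original paper. It implements GHASH (Algorithm 5) as the polynomial hash over GF(2^128) in GCM's bit ordering and CTR (Algorithm 6), then composes them into textbook GCM encryption, a verify-then-release decryption (the shape of Algorithm 3) and a leakage oracle (the shape of Algorithm 4, which returns ⊤ on a valid tag and the unverified plaintext otherwise). The block cipher is a constructed Feistel stand-in, not AES; the 96-bit nonce layout and the 32-bit counter increment are assumptions about how the page's V + i is meant. GHASH itself is checked against the McGrew-Viega test vector with H = 66e94bd4ef8a2c3b884cfa59ca342b2e, which does not depend on the stand-in cipher.

```python
import hashlib
import hmac

BLOCK = 16
R = 0xE1 << 120  # reduction constant of x^128 + x^7 + x^2 + x + 1 in GCM's reflected bit order


def gf128_mul(x: int, y: int) -> int:
    """Multiply in GF(2^128) using GCM's convention (bit 0 is the most significant bit)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _blocks(data: bytes):
    """Yield 16-byte blocks, zero-padding the final partial block as GHASH requires."""
    for i in range(0, len(data), BLOCK):
        yield data[i:i + BLOCK].ljust(BLOCK, b"\x00")


def ghash(h: bytes, a: bytes, c: bytes) -> bytes:
    """GHASH_H(A, C): absorb A, then C, then the 64-bit||64-bit bit-length block."""
    hk = int.from_bytes(h, "big")
    length_block = (len(a) * 8).to_bytes(8, "big") + (len(c) * 8).to_bytes(8, "big")
    x = 0
    for blk in list(_blocks(a)) + list(_blocks(c)) + [length_block]:
        x = gf128_mul(x ^ int.from_bytes(blk, "big"), hk)
    return x.to_bytes(BLOCK, "big")


def toy_prp(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit keyed permutation: a 4-round Feistel network over SHA-256.
    Constructed for this example only; it is not AES and not a secure cipher."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def ctr(key: bytes, v: bytes, m: bytes) -> bytes:
    """Counter mode as in Algorithm 6: C_i = M_i xor E_K(V + i).
    Assumption: the addition acts on the low 32 bits of V, as GCM's inc32 does.
    Only the forward direction of the cipher is used, so CTR is inverse-free."""
    prefix, counter = v[:12], int.from_bytes(v[12:], "big")
    out = bytearray()
    for i in range(0, len(m), BLOCK):
        counter = (counter + 1) & 0xFFFFFFFF
        keystream = toy_prp(key, prefix + counter.to_bytes(4, "big"))
        out += bytes(p ^ k for p, k in zip(m[i:i + BLOCK], keystream))
    return bytes(out)


def _tag(key: bytes, j0: bytes, a: bytes, c: bytes) -> bytes:
    h = toy_prp(key, bytes(BLOCK))  # hash key H = E_K(0^128)
    return bytes(x ^ y for x, y in zip(ghash(h, a, c), toy_prp(key, j0)))


def gcm_encrypt(key: bytes, nonce12: bytes, a: bytes, m: bytes):
    """Textbook GCM with a 96-bit nonce: J0 = N || 0^31 1, T = GHASH xor E_K(J0)."""
    j0 = nonce12 + b"\x00\x00\x00\x01"
    c = ctr(key, j0, m)
    return c, _tag(key, j0, a, c)


def gcm_decrypt(key: bytes, nonce12: bytes, a: bytes, c: bytes, t: bytes):
    """Verify first; release the plaintext only when the tag matches (else ⊥ as None)."""
    j0 = nonce12 + b"\x00\x00\x00\x01"
    if not hmac.compare_digest(_tag(key, j0, a, c), t):
        return None
    return ctr(key, j0, c)


def gcm_leak(key: bytes, nonce12: bytes, a: bytes, c: bytes, t: bytes):
    """Leakage oracle in the shape of Algorithm 4: ⊤ (True) on a valid tag, otherwise the
    unverified plaintext. For plain GCM that plaintext is CTR applied to an adversary-chosen
    ciphertext, i.e. it hands over keystream."""
    if gcm_decrypt(key, nonce12, a, c, t) is not None:
        return True
    return ctr(key, nonce12 + b"\x00\x00\x00\x01", c)


def nonce_reuse_leak(key: bytes, nonce12: bytes, m1: bytes, m2: bytes) -> bytes:
    """Two encryptions under one nonce: the ciphertext XOR equals M1 xor M2."""
    c1, _ = gcm_encrypt(key, nonce12, b"", m1)
    c2, _ = gcm_encrypt(key, nonce12, b"", m2)
    return bytes(x ^ y for x, y in zip(c1, c2))
```

Two properties of the composition stand out. First, GHASH is a polynomial evaluated at the secret H, so everything in Section 4.2 about collisions between hash outputs is about the ϵ-AXU property of this function, not about the cipher. Second, because the keystream in CTR depends only on K and V, both repeating V and releasing unverified plaintext expose keystream; these are the misuse and RUP settings that the robust variants in Sections 4 and 5 are built to survive.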
4.2. Security of GCM-RIV1
- 1.
- Collisions occur between the outputs of the ϵ-AXU hash function .
- Bad1: () for any .
- Bad2: () for any .
- Bad3: () for any .
- 2.
- Collisions occur between the inputs or outputs of π.
- Bad4: for any , , and .
- Bad5: for any , .
- Bad6: for any , .
- 3.
- Collisions occur between the authentication tags.
- Bad7: for any .
5. GCM-RIV2
5.1. Specific Description of GCM-RIV2
Algorithm 7 The key generation algorithm:
Input: a key parameter k. Output: four keys. return
Algorithm 8 The encryption algorithm:
Input: four keys, a nonce N, an associated datum A, and a plaintext M. Output: a ciphertext C and a tag T. return
Algorithm 9 The decryption algorithm:
Input: four keys, a nonce N, an associated datum A, a ciphertext C, and a tag T. Output: a plaintext M or ⊥. if , return M else return ⊥ (INVALID) endif
Algorithm 10 The leakage algorithm:
Input: four keys, a nonce N, an associated datum A, a ciphertext C, and a tag T. Output: a leaking invalid plaintext M or ⊤. if , return ⊤ else return M endif
Algorithm 11 SoP-based CTR algorithm:
Input: two keys, an initial vector V, a nonce N, and a plaintext M. Output: a ciphertext C. Partition M into , for to do endfor return
5.2. Security of GCM-RIV2
- 1.
- The number of collisions from the outputs of the hash function is larger than .
- Bad1: or .
- Bad2: or .
- Bad3: or .
- 2.
- The number of collisions from the inputs of is larger than .
- Bad4: .
- 3.
- The number of collisions from the inputs of is larger than .
- Bad5: .
- 4.
- The number of collisions from the authentication tag is larger than .
- Bad6: .
- 5.
- The constraints of the extended mirror theory include the constraints of the SCTR mirror system (Bad7–Bad9) and the constraints of the T mirror system (Bad10–Bad15).
- Bad7: There exist distinct such that and , where and , i.e., and (it implies ).
- Bad8: There exist distinct such that and , where and , i.e., and .
- Bad9: There exist distinct such that and , where and , i.e., (it implies ) and .
- Bad10: There exist distinct such that and , i.e., and .
- Bad11: There exist distinct such that and , i.e., and .
- Bad12: There exist distinct such that and , i.e., and .
- Bad13: There exist distinct such that and , i.e., and .
- Bad14: There exist distinct such that and , i.e., and .
- Bad15: There exist distinct such that and , i.e., and .
- 1.
- Bad1–Bad15 are the same as in Definition 9.
- 2.
- Bad16: , , and .
- 3.
- Bad17: , , and .
- 4.
- Bad18: , , and .
6. Discussion and Conclusions
Funding
Data Availability Statement
Acknowledgments
Conflicts of Interest
References
- McGrew, D.A.; Viega, J. The Security and Performance of the Galois/Counter Mode (GCM) of Operation. In Progress in Cryptology—INDOCRYPT 2004, Proceedings of the 5th International Conference on Cryptology in India, Chennai, India, 20–22 December 2004; Canteaut, A., Viswanathan, K., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2004; Volume 3348, pp. 343–355. [Google Scholar] [CrossRef]
- Viega, J.; McGrew, D.A. The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP). RFC 2005, 4106, 1–11. [Google Scholar] [CrossRef]
- Salowey, J.; Choudhury, A.; McGrew, D.A. AES Galois Counter Mode (GCM) Cipher Suites for TLS. RFC 2008, 5288, 1–8. [Google Scholar] [CrossRef]
- Rogaway, P.; Shrimpton, T. A Provable-Security Treatment of the Key-Wrap Problem. In Advances in Cryptology—EUROCRYPT 2006, Proceedings of the 25th Annual International Conference on the Theory and Applications of Cryptographic Techniques, St. Petersburg, Russia, 28 May–1 June 2006; Vaudenay, S., Ed.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2006; Volume 4004, pp. 373–390. [Google Scholar] [CrossRef]
- Iwata, T.; Yasuda, K. HBS: A Single-Key Mode of Operation for Deterministic Authenticated Encryption. In Fast Software Encryption, Proceedings of the 16th International Workshop, FSE 2009, Leuven, Belgium, 22–25 February 2009; Dunkelman, O., Ed.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2009; Volume 5665, pp. 394–415. [Google Scholar] [CrossRef]
- Iwata, T.; Yasuda, K. BTM: A Single-Key, Inverse-Cipher-Free Mode for Deterministic Authenticated Encryption. In Selected Areas in Cryptography, Proceedings of the 16th Annual International Workshop, SAC 2009, Calgary, AL, Canada, 13–14 August 2009; Jacobson, M.J., Rijmen, V., Safavi-Naini, R., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2009; Volume 5867, pp. 313–330. [Google Scholar] [CrossRef]
- Reyhanitabar, R.; Vaudenay, S.; Vizár, D. Misuse-Resistant Variants of the OMD Authenticated Encryption Mode. In Provable Security, Proceedings of the 8th International Conference, ProvSec 2014, Hong Kong, China, 9–10 October 2014; Chow, S.S.M., Liu, J.K., Hui, L.C.K., Yiu, S., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2014; Volume 8782, pp. 55–70. [Google Scholar] [CrossRef]
- Gueron, S.; Lindell, Y. GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, 12–16 October 2015; Ray, I., Li, N., Kruegel, C., Eds.; ACM, Association for Computing Machinery: New York, NY, USA, 2015; pp. 109–119. [Google Scholar] [CrossRef]
- Gueron, S.; Langley, A.; Lindell, Y. AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption. RFC 2019, 8452, 1–42. [Google Scholar] [CrossRef]
- Iwata, T.; Minematsu, K. Stronger Security Variants of GCM-SIV. IACR Trans. Symmetric Cryptol. 2016, 2016, 134–157. [Google Scholar] [CrossRef]
- Kresmer, P.; Zeh, A. CCM-SIV: Single-PRF Nonce-Misuse-Resistant Authenticated Encryption. IACR Cryptol. ePrint Arch. 2019, 892, 1–29. [Google Scholar]
- Andreeva, E.; Bhati, A.S.; Vizár, D. Nonce-Misuse Security of the SAEF Authenticated Encryption Mode. In Selected Areas in Cryptography, Proceedings of the SAC 2020—27th International Conference, Halifax, NS, Canada (Virtual Event), 21–23 October 2020; Dunkelman, O., Jacobson, M.J., O’Flynn, C., Eds.; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2020; Volume 12804, pp. 512–534. [Google Scholar] [CrossRef]
- Inoue, A.; Guo, C.; Minematsu, K. Nonce-misuse resilience of Romulus-N and GIFT-COFB. IET Inf. Secur. 2023, 17, 468–484. [Google Scholar] [CrossRef]
- Dutta, A.; Nandi, M.; Talnikar, S. Beyond Birthday Bound Secure MAC in Faulty Nonce Model. In Advances in Cryptology, Proceedings of the EUROCRYPT 2019—38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Part I, Darmstadt, Germany, 19–23 May 2019; Ishai, Y., Rijmen, V., Eds.; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2019; Volume 11476, pp. 437–466. [Google Scholar] [CrossRef]
- Choi, W.; Lee, B.; Lee, J.; Lee, Y. Toward a Fully Secure Authenticated Encryption Scheme from a Pseudorandom Permutation. In Advances in Cryptology, Proceedings of the ASIACRYPT 2021—27th International Conference on the Theory and Application of Cryptology and Information Security, Part III, Singapore, 6–10 December 2021; Tibouchi, M., Wang, H., Eds.; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2021; Volume 13092, pp. 407–434. [Google Scholar] [CrossRef]
- Andreeva, E.; Bogdanov, A.; Luykx, A.; Mennink, B.; Mouha, N.; Yasuda, K. How to Securely Release Unverified Plaintext in Authenticated Encryption. In Advances in Cryptology, Proceedings of the ASIACRYPT 2014—20th International Conference on the Theory and Application of Cryptology and Information Security, Part I, Kaoshiung, Taiwan, 7–11 December 2014; Sarkar, P., Iwata, T., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2014; Volume 8873, pp. 105–125. [Google Scholar] [CrossRef]
- Datta, N.; Luykx, A.; Mennink, B.; Nandi, M. Understanding RUP Integrity of COLM. IACR Trans. Symmetric Cryptol. 2017, 2017, 143–161. [Google Scholar] [CrossRef]
- Zhang, P.; Wang, P.; Hu, H.; Cheng, C.; Kuai, W. INT-RUP Security of Checksum-Based Authenticated Encryption. In Provable Security, Proceedings of the 11th International Conference, ProvSec 2017, Xi’an, China, 23–25 October 2017; Okamoto, T., Yu, Y., Au, M.H., Li, Y., Eds.; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2017; Volume 10592, pp. 147–166. [Google Scholar] [CrossRef]
- Imamura, K.; Minematsu, K.; Iwata, T. Integrity analysis of authenticated encryption based on stream ciphers. Int. J. Inf. Sec. 2018, 17, 493–511. [Google Scholar] [CrossRef]
- Chakraborti, A.; Datta, N.; Jha, A.; Mancillas-López, C.; Nandi, M.; Sasaki, Y. INT-RUP Secure Lightweight Parallel AE Modes. IACR Trans. Symmetric Cryptol. 2019, 2019, 81–118. [Google Scholar] [CrossRef]
- Ashur, T.; Dunkelman, O.; Luykx, A. Boosting Authenticated Encryption Robustness with Minimal Modifications. In Advances in Cryptology, Proceedings of the CRYPTO 2017—37th Annual International Cryptology Conference, Part III, Santa Barbara, CA, USA, 20–24 August 2017; Katz, J., Shacham, H., Eds.; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2017; Volume 10403, pp. 3–33. [Google Scholar] [CrossRef]
- Datta, N.; Dutta, A.; Ghosh, S. INT-RUP Security of SAEB and TinyJAMBU. In Progress in Cryptology, Proceedings of the INDOCRYPT 2022—23rd International Conference on Cryptology in India, Kolkata, India, 11–14 December 2022; Isobe, T., Sarkar, S., Eds.; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2022; Volume 13774, pp. 146–170. [Google Scholar] [CrossRef]
- Hoang, V.T.; Krovetz, T.; Rogaway, P. Robust Authenticated-Encryption AEZ and the Problem That It Solves. In Advances in Cryptology, Proceedings of the EUROCRYPT 2015—34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Part I, Sofia, Bulgaria, 26–30 April 2015; Oswald, E., Fischlin, M., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2015; Volume 9056, pp. 15–44. [Google Scholar] [CrossRef]
- Badertscher, C.; Matt, C.; Maurer, U.; Rogaway, P.; Tackmann, B. Robust Authenticated Encryption and the Limits of Symmetric Cryptography. In Cryptography and Coding, Proceedings of the 15th IMA International Conference, IMACC 2015, Oxford, UK, 15–17 December 2015; Groth, J., Ed.; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2015; Volume 9496, pp. 112–129. [Google Scholar] [CrossRef]
- Shrimpton, T.; Terashima, R.S. A Modular Framework for Building Variable-Input-Length Tweakable Ciphers. In Advances in Cryptology, Proceedings of the ASIACRYPT 2013—19th International Conference on the Theory and Application of Cryptology and Information Security, Part I, Bengaluru, India, 1–5 December 2013; Sako, K., Sarkar, P., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2013; Volume 8269, pp. 405–423. [Google Scholar] [CrossRef]
- Barwell, G.; Page, D.; Stam, M. Rogue Decryption Failures: Reconciling AE Robustness Notions. In Cryptography and Coding, Proceedings of the 15th IMA International Conference, IMACC 2015, Oxford, UK, 15–17 December 2015; Groth, J., Ed.; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2015; Volume 9496, pp. 94–111. [Google Scholar] [CrossRef]
- Abed, F.; Forler, C.; List, E.; Lucks, S.; Wenzel, J. RIV for Robust Authenticated Encryption. In Fast Software Encryption, Proceedings of the 23rd International Conference, FSE 2016, Bochum, Germany, 20–23 March 2016; Peyrin, T., Ed.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2016; Volume 9783, pp. 23–42. [Google Scholar] [CrossRef]
- Patarin, J. The “Coefficients H” Technique. In Selected Areas in Cryptography, Proceedings of the 15th International Workshop, SAC 2008, Sackville, NB, Canada, 14–15 August 2008; Avanzi, R.M., Keliher, L., Sica, F., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2008; Volume 5381, pp. 328–345. [Google Scholar] [CrossRef]
- Hoang, V.T.; Tessaro, S. Key-Alternating Ciphers and Key-Length Extension: Exact Bounds and Multi-user Security. In Advances in Cryptology, Proceedings of the CRYPTO 2016—36th Annual International Cryptology Conference, Santa Barbara, CA, USA, 14–18 August 2016; Robshaw, M., Katz, J., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2016; Volume 9814, pp. 3–32. [Google Scholar] [CrossRef]
- Datta, N.; Dutta, A.; Dutta, K. Improved Security Bound of (E/D)WCDM. IACR Trans. Symmetric Cryptol. 2021, 2021, 138–176. [Google Scholar] [CrossRef]
- Mennink, B.; Neves, S. Encrypted Davies-Meyer and Its Dual: Towards Optimal Security Using Mirror Theory. In Advances in Cryptology, Proceedings of the CRYPTO 2017—37th Annual International Cryptology Conference, Part III, Santa Barbara, CA, USA, 20–24 August 2017; Katz, J., Shacham, H., Eds.; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2017; Volume 10403, pp. 556–583. [Google Scholar] [CrossRef]
Scheme | # Key | # Block Cipher | # Hash | Inverse Free | Reference
---|---|---|---|---|---
GCM | 2 | m | 1 | Yes | [1]
GCM-SIV1 | 2 | | 1 | Yes | [10]
GCM-SIV2 | 6 | | 2 | Yes | [10]
GCM-RUP | 4 | | 2 | No | [21]
GCM-RIV1 | 2 | | 2 | Yes | Section 4
GCM-RIV2 | 4 | | 2 | Yes | Section 5

Scheme | Bound | Bound | Bound | Notion | Robustness
---|---|---|---|---|---
GCM | -bit | - | - | nAE | Low
GCM-SIV1 | -bit | -bit | - | nAE | Medium
GCM-SIV2 | -bit | -bit | - | nAE | Medium
GCM-RUP | -bit | -bit | - | RUP | High
GCM-RIV1 | -bit | -bit | -bit | SAE | Higher
GCM-RIV2 | -bit | -bit | -bit 1 | SAE | Higher
Symbol | Description | Symbol | Description
---|---|---|---
 | the key space | | the nonce space
 | the associated data space | | the plaintext space
 | the ciphertext space | | the authentication tag space
⊕ | the bitwise XOR | + | the addition modulo
· | the multiplication modulo | | the concatenation of strings
 | a set of all strings | | a set of n-bit strings
 | an n-bit permutation set | ↞ | uniform random sampling
 | a set of all functions from m-bit inputs to n-bit outputs | | an adversary outputs 1 after interacting with the oracle O
 | the probability of an event E | | a set
⊤ | a valid (success) symbol | ⊥ | a reject (failure) symbol
 | the most significant bit | | the least significant bit
 | the number of elements in set X | |
© 2023 by the author. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Zhang, P. GCM Variants with Robust Initialization Vectors. Mathematics 2023, 11, 4888. https://doi.org/10.3390/math11244888