Paper 2018/136
Revisiting AES-GCM-SIV: Multi-user Security, Faster Key Derivation, and Better Bounds
Priyanka Bose, Viet Tung Hoang, and Stefano Tessaro
Abstract
This paper revisits the multi-user (mu) security of symmetric encryption, from the perspective of delivering an analysis of the AES-GCM-SIV AEAD scheme. Our end result shows that its mu security is comparable to that achieved in the single-user setting. In particular, even when instantiated with short keys (e.g., 128 bits), the security of AES-GCM-SIV is not impacted by the collisions of two user keys, as long as each individual nonce is not re-used by too many users. Our bounds also improve existing analyses in the single-user setting, in particular when messages of variable lengths are encrypted. We also validate security against a general class of key-derivation methods, including one that halves the complexity of the final proposal. As an intermediate step, we consider mu security in a setting where the data processed by every user is bounded, and where user keys are generated according to arbitrary, possibly correlated distributions. This viewpoint generalizes the currently adopted one in mu security, and can be used to analyze re-keying practices.
Metadata
- Category
- Secret-key cryptography
- Publication info
- A major revision of an IACR publication in EUROCRYPT 2018
- Keywords
- Multi-user security, AES-GCM-SIV, authenticated encryption, concrete security
- Contact author(s)
- tvhoang @ cs fsu edu
- History
- 2022-01-19: revised
- 2018-02-07: received
- See all versions
- Short URL
- https://ia.cr/2018/136
- License
- CC BY
BibTeX
@misc{cryptoeprint:2018/136,
  author = {Priyanka Bose and Viet Tung Hoang and Stefano Tessaro},
  title = {Revisiting {AES}-{GCM}-{SIV}: Multi-user Security, Faster Key Derivation, and Better Bounds},
  howpublished = {Cryptology {ePrint} Archive, Paper 2018/136},
  year = {2018},
  url = {https://eprint.iacr.org/2018/136}
}