In this paper, we present a new fully nonce misuse-resistant authenticated encryption scheme that is based on carefully combining the GCM building blocks into the SIV paradigm of Rogaway and Shrimpton. We provide a full proof of security of our scheme, and an optimized implementation using the AES-NI and PCLMULQDQ instruction sets. We compare our performance to the highly optimized OpenSSL 1.0.2 implementation of GCM and show that our nonce misuse-resistant scheme is only 14% slower on the Haswell architecture and 19% slower on the Broadwell architecture. On Broadwell, GCM-SIV encryption takes only 0.92 cycles per byte, and GCM-SIV decryption is exactly the same as GCM decryption, taking only 0.77 cycles per byte. In addition, we compare to other optimized authenticated-encryption implementations carried out by Bogdanov et al., and conclude that our mode is very competitive. Beyond being very fast, our new mode of operation uses the same building blocks as GCM, so existing hardware and software can be utilized to easily deploy GCM-SIV. We conclude that GCM-SIV is a viable alternative to GCM, providing full nonce misuse-resistance at little cost.
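The SIV composition the abstract describes, as an added illustration that is not the paper's code: the tag is a PRF over nonce, associated data and plaintext, and that tag is then reused as the IV of a counter-mode encryption, so a repeated nonce with a different message still yields a different IV. GCM-SIV instantiates the PRF with GHASH keyed by AES and uses AES-CTR; this stand-alone example substitutes HMAC-SHA256 for the PRF and an HMAC-based counter keystream for AES-CTR (an assumption made only so the block runs without an AES library), keeping the composition itself unchanged.

```python
import hashlib
import hmac


def _prf(key: bytes, data: bytes) -> bytes:
    # Stand-in PRF (assumption: HMAC-SHA256 truncated to 128 bits). GCM-SIV
    # uses AES applied to a GHASH polynomial hash here; only the composition matters.
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Counter-mode keystream derived from (iv, counter); stands in for AES-CTR.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _encode(nonce: bytes, aad: bytes, msg: bytes) -> bytes:
    # Length-prefixed encoding so (aad, msg) boundaries cannot be shifted,
    # mirroring the length block that GHASH appends.
    return (len(nonce).to_bytes(4, "big") + nonce
            + len(aad).to_bytes(8, "big") + aad
            + len(msg).to_bytes(8, "big") + msg)


def siv_encrypt(k_auth: bytes, k_enc: bytes, nonce: bytes, aad: bytes, msg: bytes):
    # SIV: the tag is a PRF of everything, and then doubles as the CTR IV.
    tag = _prf(k_auth, _encode(nonce, aad, msg))
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(k_enc, tag, len(msg))))
    return ct, tag


def siv_decrypt(k_auth: bytes, k_enc: bytes, nonce: bytes, aad: bytes, ct: bytes, tag: bytes):
    # Decrypt first, then recompute the tag over the recovered plaintext; the
    # tag check is a constant-time comparison and failure returns None.
    msg = bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, tag, len(ct))))
    if not hmac.compare_digest(tag, _prf(k_auth, _encode(nonce, aad, msg))):
        return None
    return msg


if __name__ == "__main__":
    # Constructed sample keys and inputs.
    k1, k2, n = bytes(range(16)), bytes(range(16, 32)), b"\x00" * 12
    c1, t1 = siv_encrypt(k1, k2, n, b"hdr", b"attack at dawn")
    c2, t2 = siv_encrypt(k1, k2, n, b"hdr", b"attack at dusk")
    print("nonce reused, IVs differ:", t1 != t2)
```

With a repeated nonce, the only information revealed is whether two messages were identical, since equal inputs give equal output; the keystream is never reused across different plaintexts.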
Category / Keywords: secret-key cryptography / modes of operation, authenticated encryption, nonce misuse resistance
Original Publication (with minor differences): ACM CCS 2015
Date: received 11 Feb 2015, last revised 16 Jul 2017
Contact author: lindell at biu ac il
Note: A small typo has been corrected in this revision.
Version: 20170716:124117
Short URL: ia.cr/2015/102