Paper 2017/168

AES-GCM-SIV: Specification and Analysis

Shay Gueron, Adam Langley, and Yehuda Lindell


In this paper, we describe and analyze the security of the AES-GCM-SIV mode of operation, as defined in the CFRG specification \cite{CFRG}. This mode differs from the original GCM-SIV mode that was designed in \cite{GL2015} in two main aspects. First, the CTR encryption uses a 127-bit pseudo-random counter instead of a 95-bit pseudo-random value concatenated with a 32-bit counter. This construction leads to improved security bounds when encrypting short messages. In addition, a new key derivation function is used for deriving a fresh set of keys for each nonce. This addition allows for encrypting up to $2^{50}$ messages with the same key, compared to the significant limitation of only $2^{32}$ messages that were allowed with GCM-SIV (which inherited this same limit from AES-GCM). As a result, the new construction is well suited for real world applications that need a nonce-misuse resistant Authenticated Encryption scheme. We explain the limitations of GCM-SIV, which motivate the new construction, prove the security properties of AES-GCM-SIV, and show how these properties support real usages. Implementations are publicly available in \cite{ShayGit}. We remark that AES-GCM-SIV is already integrated into Google's BoringSSL library \cite{BoringSSL}, and its deployment for ticket encryption in QUIC \cite{QUIC} is underway.

Available format(s)
Secret-key cryptography
Publication info
Preprint. MINOR revision.
modes of operationnonce-misuse resistancesecurity bounds
Contact author(s)
Yehuda Lindell @ biu ac il
2018-12-14: last of 4 revisions
2017-02-23: received
See all versions
Short URL
Creative Commons Attribution


      author = {Shay Gueron and Adam Langley and Yehuda Lindell},
      title = {AES-GCM-SIV: Specification and Analysis},
      howpublished = {Cryptology ePrint Archive, Paper 2017/168},
      year = {2017},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.