Cryptology ePrint Archive: Report 2017/168

AES-GCM-SIV: Specification and Analysis

Shay Gueron and Adam Langley and Yehuda Lindell

Abstract: In this paper, we describe and analyze the security of the AES-GCM-SIV mode of operation, as defined in the CFRG specification \cite{CFRG}. This mode differs from the original GCM-SIV mode that was designed in \cite{GL2015} in two main aspects. First, the CTR encryption uses a 127-bit pseudo-random counter instead of a 95-bit pseudo-random value concatenated with a 32-bit counter. This construction leads to improved security bounds when encrypting short messages. In addition, a new key derivation function is used for deriving a fresh set of keys for each nonce. This addition allows for encrypting up to $2^{50}$ messages with the same key, compared to the significant limitation of only $2^{32}$ messages that were allowed with GCM-SIV (which inherited this same limit from AES-GCM). As a result, the new construction is well suited for real world applications that need a nonce-misuse resistant Authenticated Encryption scheme. We explain the limitations of GCM-SIV, which motivate the new construction, prove the security properties of AES-GCM-SIV, and show how these properties support real usages. Implementations are publicly available in \cite{ShayGit}. We remark that AES-GCM-SIV is already integrated into Google's BoringSSL library \cite{BoringSSL}, and its deployment for ticket encryption in QUIC \cite{QUIC} is underway.

Category / Keywords: secret-key cryptography / modes of operation, nonce-misuse resistance, security bounds

Date: received 20 Feb 2017, last revised 22 Jul 2017

Contact author: Yehuda Lindell at biu ac il

Available format(s): PDF | BibTeX Citation

Version: 20170722:191555 (All versions of this report)

Short URL: ia.cr/2017/168

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]