Paper 2017/708

Reconsidering the Security Bound of AES-GCM-SIV

Tetsu Iwata and Yannick Seurin

Abstract

We make a number of remarks about the AES-GCM-SIV nonce-misuse resistant authenticated encryption scheme currently considered for standardization by the Crypto Forum Research Group (CFRG). First, we point out that the security analysis proposed in the ePrint report 2017/168 is incorrect, leading to overly optimistic security claims. We correct the bound and re-assess the security guarantees offered by the scheme for various parameters. Second, we suggest a simple modification to the key derivation function which would improve the security of the scheme with virtually no efficiency penalty.

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Published elsewhere. IACR Trans. Symmetric Cryptol. 2017(4)
Keywords
authenticated encryption, AEAD, GCM-SIV, AES-GCM-SIV, CAESAR competition
Contact author(s)
tetsu iwata @ nagoya-u jp
yannick seurin @ m4x org
History
2017-11-24: revised
2017-07-25: received
Short URL
https://ia.cr/2017/708
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2017/708,
      author = {Tetsu Iwata and Yannick Seurin},
      title = {Reconsidering the Security Bound of AES-GCM-SIV},
      howpublished = {Cryptology ePrint Archive, Paper 2017/708},
      year = {2017},
      note = {\url{https://eprint.iacr.org/2017/708}},
      url = {https://eprint.iacr.org/2017/708}
}