Paper 2018/136

Revisiting AES-GCM-SIV: Multi-user Security, Faster Key Derivation, and Better Bounds

Priyanka Bose, Viet Tung Hoang, and Stefano Tessaro


This paper revisits the multi-user (mu) security of symmetric encryption, from the perspective of delivering an analysis of the AES-GCM-SIV AEAD scheme. Our end result shows that its mu security is comparable to that achieved in the single-user setting. In particular, even when instantiated with short keys (e.g., 128 bits), the security of AES-GCM-SIV is not impacted by the collisions of two user keys, as long as each individual nonce is not re-used by too many users. Our bounds also improve existing analyses in the single-user setting, in particular when messages of variable lengths are encrypted. We also validate security against a general class of key-derivation methods, including one that halves the complexity of the final proposal. As an intermediate step, we consider mu security in a setting where the data processed by every user is bounded, and where user keys are generated according to arbitrary, possibly correlated distributions. This viewpoint generalizes the currently adopted one in mu security, and can be used to analyze re-keying practices.

Available format(s)
Secret-key cryptography
Publication info
A major revision of an IACR publication in EUROCRYPT 2018
Multi-user securityAES-GCM-SIVauthenticated encryptionconcrete security
Contact author(s)
tvhoang @ cs fsu edu
2022-01-19: revised
2018-02-07: received
See all versions
Short URL
Creative Commons Attribution


      author = {Priyanka Bose and Viet Tung Hoang and Stefano Tessaro},
      title = {Revisiting AES-GCM-SIV: Multi-user Security, Faster Key Derivation, and Better Bounds},
      howpublished = {Cryptology ePrint Archive, Paper 2018/136},
      year = {2018},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.