Cryptology ePrint Archive: Report 2018/136

Revisiting AES-GCM-SIV: Multi-user Security, Faster Key Derivation, and Better Bounds

Priyanka Bose and Viet Tung Hoang and Stefano Tessaro

Abstract: This paper revisits the multi-user (mu) security of symmetric encryption, from the perspective of delivering an analysis of the AES-GCM-SIV AEAD scheme. Our end result shows that its mu security is comparable to that achieved in the single-user setting. In particular, even when instantiated with short keys (e.g., 128 bits), the security of AES-GCM-SIV is not impacted by the collisions of two user keys, as long as each individual nonce is not re-used by too many users. Our bounds also improve existing analyses in the single-user setting, in particular when messages of variable lengths are encrypted. We also validate security against a general class of key-derivation methods, including one that halves the complexity of the final proposal.

As an intermediate step, we consider mu security in a setting where the data processed by every user is bounded, and where user keys are generated according to arbitrary, possibly correlated distributions. This viewpoint generalizes the currently adopted one in mu security, and can be used to analyze re-keying practices.

Category / Keywords: secret-key cryptography / Multi-user security, AES-GCM-SIV, authenticated encryption, concrete security

Original Publication (with major differences): IACR-EUROCRYPT-2018

Date: received 5 Feb 2018

Contact author: priyanka at cs ucsb edu

Available format(s): PDF | BibTeX Citation

Version: 20180207:175748 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]