This paper revisits the multi-user (mu) security of GCM, which remains to date the most widely used dedicated AE mode. We provide new concrete security bounds which improve upon previous work by adopting a refined parameterization of adversarial resources that highlights the impact on security of (1) nonce re-use across users and of (2) re-keying.
As our main application, we give tight security bounds for the nonce-randomization mechanism adopted in the record protocol of TLS 1.3 as a mitigation of large-scale multi-user attacks; these bounds yield the first validation of this method. In particular, we settle the main open question left by Bellare and Tackmann (CRYPTO '16), who only considered restricted attackers that do not attempt to violate integrity, and only gave non-tight bounds.
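The nonce-randomization mechanism the abstract refers to is the per-record nonce derivation of RFC 8446, section 5.3: the 64-bit record sequence number is left-padded with zeros to the AEAD nonce length and XORed with the connection's secret client_write_iv or server_write_iv, so the nonce a given user encrypts under is not known to the attacker and does not repeat across connections at the same sequence number. The following is an added example written for this page, not code from the paper or its authors; it implements that derivation alongside a plain counter-nonce scheme (an illustrative non-randomized baseline, not a claim about any particular protocol version) and the re-keying limit RFC 8446 section 5.5 states for AES-GCM. The names `RECORD_LIMIT_AES_GCM`, `counter_nonce`, and `distinct_first_record_nonces` are this example's own.

```python
"""Added example (not from the paper): TLS 1.3 per-record nonce derivation
(RFC 8446 section 5.3) next to a non-randomized counter nonce, plus the
AES-GCM record limit RFC 8446 section 5.5 gives for triggering KeyUpdate."""

IV_LEN = 12   # AES-GCM nonce length used by TLS 1.3 (iv_length)
SEQ_LEN = 8   # 64-bit record sequence number

# RFC 8446 section 5.5: for AES-GCM, up to 2^24.5 full-size records may be
# sent under one key while keeping an AE safety margin of about 2^-57.
# Name and threshold handling here are this example's own.
RECORD_LIMIT_AES_GCM = 2 ** 24.5


def tls13_record_nonce(write_iv: bytes, seq: int) -> bytes:
    """per_record_nonce = (0^32 || seq as 64-bit big-endian) XOR write_iv."""
    if len(write_iv) != IV_LEN:
        raise ValueError("write_iv must be %d bytes for AES-GCM" % IV_LEN)
    if not 0 <= seq < 2 ** 64:
        # RFC 8446: the sequence number must never wrap; the endpoint must
        # re-key (KeyUpdate) or close the connection before that point.
        raise OverflowError("sequence number exhausted; KeyUpdate required")
    padded = seq.to_bytes(SEQ_LEN, "big").rjust(IV_LEN, b"\x00")
    return bytes(a ^ b for a, b in zip(padded, write_iv))


def counter_nonce(seq: int) -> bytes:
    """Illustrative non-randomized scheme: the nonce is just the public
    counter, so every user's record number `seq` uses the same nonce."""
    if not 0 <= seq < 2 ** 64:
        raise OverflowError("sequence number exhausted")
    return seq.to_bytes(SEQ_LEN, "big").rjust(IV_LEN, b"\x00")


def needs_key_update(seq: int) -> bool:
    """True once a connection has sent RECORD_LIMIT_AES_GCM records under
    the current key (re-keying, item (2) in the abstract)."""
    return seq >= RECORD_LIMIT_AES_GCM


def distinct_first_record_nonces(write_ivs, seq: int = 0) -> tuple:
    """Compare how many distinct nonces `len(write_ivs)` users produce for
    record number `seq` under the two schemes. Cross-user nonce re-use
    (item (1) in the abstract) is what the multi-user attack exploits."""
    randomized = {tls13_record_nonce(iv, seq) for iv in write_ivs}
    plain = {counter_nonce(seq) for _ in write_ivs}
    return len(randomized), len(plain)


if __name__ == "__main__":
    # Constructed sample: three connections with distinct secret write IVs.
    ivs = [bytes(12), b"\x01" * 12, bytes.fromhex("0102030405060708090a0b0c")]
    print(distinct_first_record_nonces(ivs))      # (3, 1)
    print(tls13_record_nonce(ivs[1], 1).hex())    # 010101010101010101010100
    print(needs_key_update(2 ** 25))              # True
```

With randomized IVs all three users' first records get different nonces; under the counter scheme they share one, and the adversary also knows which one it is, which is the condition the paper's mu analysis is parameterized on. The `needs_key_update` check is the hook where an implementation would send KeyUpdate.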
Category / Keywords: cryptographic protocols
Original Publication (with minor differences): ACM CCS 2018
Date: received 15 Oct 2018
Contact author: hviettung at gmail com
Version: 20181022:122634
Short URL: ia.cr/2018/993