GCM-SIV1.5: Optimal Tradeoff between GCM-SIV1 and GCM-SIV2

GCM-SIV2 is a nonce-based beyond-birthday-bound (BBB)-secure authenticated encryption (AE) mode introduced by Iwata and Minematsu at FSE 2017. However, it is built by combining two instances of GCM-SIV1 and needs eight keys, which increases the costs of hardware and software implementation. This pap...

Descripción completa

Detalles Bibliográficos
Autor principal: Zhang, Ping
Formato: Online Artículo Texto
Lenguaje:English
Publicado: MDPI 2023
Materias:
Article
Acceso en línea:https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9858559/
https://www.ncbi.nlm.nih.gov/pubmed/36673248
http://dx.doi.org/10.3390/e25010107
Descripción
Sumario:GCM-SIV2 is a nonce-based beyond-birthday-bound (BBB)-secure authenticated encryption (AE) mode introduced by Iwata and Minematsu at FSE 2017. However, it is built by combining two instances of GCM-SIV1 and needs eight keys, which increases the costs of hardware and software implementation. This paper aims to reduce these costs by optimizing components (such as key materials, hash calls, and block cipher calls) and proposes an optimal tradeoff between GCM-SIV1 and GCM-SIV2 called GCM-SIV1.5. Moreover, we introduce the faulty nonce setting to AE and prove the BBB security of GCM-SIV1.5 with graceful security degradation in the faulty nonce setting by mirror theory. Finally, we discuss advantages of GCM-SIV1.5.

Ejemplares similares