Year-end Sale % OFF 
Abstract
We make a number of remarks about the AES-GCM-SIV nonce-misuse resistant authenticated encryption scheme currently considered for standardization by the Crypto Forum Research Group (CFRG). First, we point out that the security analysis proposed in the ePrint report 2017/168 is incorrect, leading to overly optimistic security claims. We correct the bound and re-assess the security guarantees offered by the scheme for various parameters. Second, we suggest a simple modification to the key derivation function which would improve the security of the scheme with virtually no efficiency penalty.
Highlights
[GLL17] which are serious enough to make the final security bound derived for AES-GCM-SIV in [GLL17] essentially unusable
In order to fix the situation and correctly gauge AES-GCM-SIV’s security, we present a corrected security proof and turn to the task of interpreting this bound for concrete parameters
Gueron et al [GLL17] claimed that the security bound of AES-GCM-SIV is dominated by where n is the block length of the underlying block cipher, Q is the number of distinct nonces used throughout encryption queries, R is the maximal number of repetitions of any nonce in encryption queries, and the maximum message length is 2k − 1 blocks
Summary
In order to fix the situation and correctly gauge AES-GCM-SIV’s security, we present a corrected security proof and turn to the task of interpreting this bound for concrete parameters Based on their result, Gueron et al [GLL17] claimed that the security bound of AES-GCM-SIV is dominated by QR2. One might be tempted to argue that attacks against the counter encryption mode based on distinguishing the underlying block cipher from a random function through (the absence of) collisions in outputs is much less dangerous than collisions in counters which immediately reveal the xor of two plaintext blocks This is a very dubious and dangerous reasoning, as shown by the following textbook example [Jou, Sect. These two ePrint reports were updated after we sent a preliminary version of this paper to the authors on July 7, 2017
Sign-in/Register to view highlights & summary Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
