Security and Communication Networks
Volume 2018, Article ID 9715947, 12 pages
https://doi.org/10.1155/2018/9715947
Research Article

Close to Optimally Secure Variants of GCM

1Key Laboratory of Electromagnetic Space Information, CAS, University of Science and Technology of China, Hefei 230027, China
2School of Economics and Management, Southeast University, Nanjing 211189, China

Correspondence should be addressed to Ping Zhang; zgp@mail.ustc.edu.cn

Received 21 August 2017; Revised 5 December 2017; Accepted 16 January 2018; Published 6 March 2018

Academic Editor: Kamal D. Singh

Copyright © 2018 Ping Zhang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

The Galois/Counter Mode of operation (GCM) is a widely used nonce-based authenticated encryption with associated data (AEAD) mode that provides birthday-bound security in the nonce-respecting scenario; that is, it is secure up to about adversarial queries as long as no nonce is ever repeated in encryption queries, where is the block size. Whether the security of GCM can be improved with a few simple operations has been an open problem. This paper answers it positively. First, we introduce two close to optimally secure pseudorandom functions and derive their security bounds with a hybrid argument. Then we combine these pseudorandom functions with a universal hash function to construct two improved versions of GCM, called OGCM-1 and OGCM-2, which are provably secure up to approximately and adversarial queries, respectively, in the nonce-respecting scenario if the underlying block cipher is a secure pseudorandom permutation. Finally, we discuss the properties of OGCM-1 and OGCM-2 and describe future work.

1. Introduction

Authenticated Encryption. An authenticated encryption (AE) mode is a cryptographic scheme that guarantees the privacy and authenticity of a message at the same time. A large number of AE schemes have emerged, and the CAESAR competition that started in 2012 has greatly stimulated their development. AE is used in many environments. Classified by application requirements, AE schemes include AE with associated data (AEAD) [1, 2], parallelizable AE [3–5], online AE [6–9], tweakable AE [9–14], deterministic AE [10, 15, 16], wide-block AE [17], XOR-based AE [18], and dedicated AE algorithms [19]. Classified by design approach, they include generically composed AE [20], block cipher-based AE [3–6, 21], stream cipher-based AE [18, 22], permutation-based AE [23–26], keyed-function-based AE [27, 28], tweakable block cipher-based AE [9–14], and hybrid AE [17, 19, 29].

Birthday-Bound Security and Beyond-Birthday-Bound Security. Most AE modes, such as [6, 7, 9, 20, 21, 26], offer only birthday-bound security; that is, they are secure up to roughly adversarial queries, where is the block size. The block cipher in current use is AES (block size ). When AES is used in a block cipher mode of operation, its 128-bit security therefore degrades to at most about 64-bit security, which is unacceptable in some special environments. It is thus important to design AE modes with beyond-birthday-bound (BBB) security. BBB security means that an AE mode is provably secure up to approximately adversarial queries, where is an integer. If an AE mode is provably secure up to roughly adversarial queries, we say that it provides optimal security. To reach stronger security (BBB or optimal), AE modes usually give up some efficiency in hardware and software: for example, a BBB-secure pseudorandom function is often built from several block cipher calls or from their sum, and the more calls to the underlying block cipher, the higher the cost. Hence BBB-secure AE modes are generally less efficient. In recent years, AE modes with BBB security have appeared steadily, such as [10–12, 22–24, 30–32].

Problem Statement. The Galois/Counter Mode of operation (GCM) [33], designed by McGrew and Viega, is a nonce-based AEAD scheme. It combines counter mode for the encryption part with a polynomial hash function for the authentication part, and it is one of the block cipher AE modes of operation recommended by NIST. Its security depends on the nonce-respecting setting, in which all nonces used in encryption queries are distinct. Iwata et al. [34] pointed out that the originally claimed security bound was flawed and presented a new provable bound, later improved by Niwa et al. [35]; GCM retains birthday-bound security and has better bounds for 96-bit nonces. As for attacks on GCM, Saarinen [36] showed weak keys of GHASH and cycling attacks on GCM; other research related to GCM includes [37–44]. GCM is widely deployed in IEEE 802.1AE Ethernet security, IEEE 802.11ad, the IETF IPsec standards, SSH, TLS, and so on. GCM is proven secure up to roughly adversarial queries in the nonce-respecting scenario, assuming that the underlying block cipher is a secure pseudorandom permutation. In other words, for AES-GCM the security guarantee is lost after at most only adversarial queries, which is not sufficient in some special settings. Therefore, in this paper we ask whether we can design a scheme with better security (BBB or optimal security) that improves the guarantee of GCM.

Our Contributions. This paper gives a positive answer to the above question. We first introduce a basic tool: close to optimally secure pseudorandom functions (PRFs) built, respectively, from the Encrypted Davies-Meyer (EDM) [45] and EDM Dual (EDMD) [46] constructions. We then construct two improved versions of GCM, called OGCM-1 and OGCM-2, which are parallelizable nonce-based close to optimally secure AEAD modes. OGCM-1 and OGCM-2 are, respectively, provably secure up to approximately and adversarial queries in the nonce-respecting scenario if the underlying block cipher is a secure pseudorandom permutation (PRP). Both follow the "Encryption-then-MAC" approach: the encryption part uses a multi-EDM or multi-EDMD function as a close to optimally secure key-stream generator, and the MAC part combines an EDM or EDMD construction with an almost-XOR-universal (AXU) hash function to generate the authentication tag.

OGCM-1 and OGCM-2 balance security against the efficiency of software and hardware implementations. Take AES-OGCM-1 or AES-OGCM-2 as an example, that is, the underlying block cipher is instantiated with AES. First, in terms of security, they achieve at most about 107.9565-bit or 121.9339-bit security, better than AES-GCM (at most about 64-bit security). In the nonce-respecting scenario they can encrypt at most plaintexts (as the nonce length is 96 bits), and the maximum block length of each plaintext is about blocks (64 GBytes). Second, in terms of efficiency, they invoke block ciphers and finite-field multiplications, where is the number of plaintext blocks and is the number of associated data blocks; their throughput is about half that of AES-GCM. In other words, AES-OGCM-1 and AES-OGCM-2 trade implementation efficiency for strong security. Table 1 compares AES-GCM, AES-OGCM-1, and AES-OGCM-2.

Table 1: Comparisons among AES-GCM [34], AES-OGCM-1, and AES-OGCM-2. The nonce length is restricted to 96 bits. “n.r.” denotes nonce-respecting. “” means can be reduced to . Let be the block length of the plaintext and be the block length of associated data.

Organization of This Paper. Preliminaries are presented in Section 2. The basic tool is provided in Section 3. OGCM-1 is described in Section 4 and its security results are derived in Section 5. OGCM-2 and its security are given in Section 6. Section 7 contains discussion and future work, and Section 8 concludes.

2. Preliminaries

Notations. Let be the set of all finite strings (including the empty string ). For a finite string ,   stands for its length in bits and is its length in -bit blocks for any integer , where denotes rounding up to the nearest integer (the ceiling). The -bit zero string is written as . For two finite strings and , either or denotes their concatenation. If and are two equal-length strings, denotes their XOR. For a finite string with , let be the most significant bits of . Given two positive integers and such that , let be the -bit binary representation of . Let be the increment function, which takes an -bit input and returns its value incremented by one mod . For , denotes incremented times. For a finite set , denotes a value drawn uniformly at random from and denotes the number of elements in . Let be the set of all integers from to ; that is, . Let be the event that an adversary outputs 1 after interacting with the oracle .

Block Ciphers and Keyed Functions. A block cipher is a mapping , which takes a key and a plaintext as input and returns a ciphertext . For any fixed , is an -bit permutation and its inverse is written as . Let be a set of all -bit permutations. Suppose that is an adversary which has access to an encryption oracle. Let and ; then the PRP-advantage of against is defined as where the probabilities are taken over the random choices of and and also over internal coins of , if any. If is negligible, the underlying block cipher is a secure pseudorandom permutation (PRP).

A keyed function is a mapping , which takes a key and a plaintext as input and returns a ciphertext . For any fixed , is a function from to . Let be a set of all functions from to . If , we write . Suppose that is an adversary which has access to an encryption oracle. Let and ; then the PRF-advantage of against is defined as where the probabilities are taken over the random choices of and and also over internal coins of , if any. If is negligible, the underlying keyed function is a secure pseudorandom function (PRF).

If the resources owned by all adversaries are at most , the maximum advantage is defined as , where includes the running time , the total number of oracle queries , the maximum block length , and the total number of blocks in all queries (query complexity) .

Universal Hash Functions. Let ; a keyed hash function is a mapping which takes a key and a message as input and returns an output . We say that is an -almost-XOR-universal (-AXU) hash function if, for any and ,   and, for any two distinct and ,  . If , is called a uniform AXU (-AXU for short) hash function.

Finite Field. Given a basis, the finite field can be seen as the set . For an -bit string we define the polynomial , where for every . Hence any integer between 0 and can also be viewed as a polynomial with binary coefficients of degree at most . For example, 2 corresponds to , 3 corresponds to , and 7 corresponds to . Addition in the field is addition of polynomials over , which we denote by bitwise XOR: , where . To define multiplication over , we need an irreducible polynomial of degree over . For ,  . The product of two elements and is defined as the polynomial product over reduced modulo , that is, mod . The choice of fixes the representation of the field: GCM's GHASH uses the fixed polynomial together with its own bit-ordering convention, and an implementation must use exactly that polynomial and ordering to interoperate.

Authenticated Encryption. A conventional nonce-based authenticated encryption with associated data (AEAD) scheme consists of an encryption algorithm and a decryption algorithm ; that is, where is a key, is a nonce, is associated data, , is a plaintext, , is a ciphertext, , is a tag, , and is an error symbol which indicates the failure of the decryption oracle. iff . A secure AEAD scheme returns if it receives an error pair. If there is no associated data, is seen as an empty string.

3. Basic Tool: Close to Optimally Secure PRFs

3.1. Multi-Encrypted-Davies-Meyer (Multi-EDM) Function

In this section we define a new function built from the EDM construction [45].

Assuming that and are two independent and random permutations on -bit, we define a function as , where for , and . Note that we must ensure .

We have the following theorem for information-theoretic security of the function .

Theorem 1. Let be an adversary with access to the function . Let be any threshold. Assuming that makes at most oracle queries, generating at most blocks, then the PRF-advantage of against is upper-bounded by

The result of Theorem 1 shows that constructed by and achieves BBB security. If and , then the PRF-advantage of against is upper-bounded by , which means that is a provably BBB-secure PRF up to approximately adversarial queries. If and , then the PRF-advantage of against is upper-bounded by , which means that is a close to optimally secure PRF up to approximately adversarial queries.

The proof of Theorem 1 utilizes the hybrid technique. The security of the function can be reduced to the security of the EDM construction [46] which utilizes Patarin’s mirror theory.

Proof. Let and ; then the PRF-advantage of against the function is shown as follows: Let be a reduced EDM construction obtained by fixing bits. Let be an adversary which has access to the reduced EDM function or the random function and makes queries for the th . According to the security of the EDM construction, if and , we have We construct a hybrid function as follows. The first functions are and the rest of the functions are , that is, . If , then . If , then . Then the PRF-advantage of against is upper-bounded by where the inequality is obtained by . The proof is finished.

3.2. Multi-EDM-Dual (Multi-EDMD) Function

In this section we define another new function, built from the EDMD construction [46].

Assuming that and are two independent and random permutations on -bit, we define a function as , where for , ,  , and .

We have the following theorem for information-theoretic security of the function .

Theorem 2. Let be an adversary with access to the function . Assuming that makes at most oracle queries, generating at most blocks, then the PRF-advantage of against is upper-bounded by

The proof of Theorem 2 is similar to that of Theorem 1. Therefore, here we omit it.

The result of Theorem 2 shows that constructed by and is a provably secure PRF up to approximately adversarial queries; that is, achieves close to optimal security. This is consistent with the views of Mennink and Neves [48].

4. OGCM-1: Close to Optimally Secure Variant of GCM

In this section, we utilize the close to optimally secure PRF to build an improved variant of GCM, called OGCM-1. OGCM-1 achieves close to optimal security in the nonce-respecting scenario assuming that the underlying block cipher is a secure PRP. OGCM-1 is a two-pass nonce-based AEAD scheme employing the “Encryption-then-MAC” approach, where the encryption part utilizes the close to optimally secure PRF to set up a stream-cipher encryption mode and the MAC part combines an AXU hash function and the EDM construction to generate an authentication tag.

Let be integers. Fix a block cipher and an -AXU hash function ; the encryption algorithm of OGCM-1 is described as , where is the key space, is the nonce space, is the associated data space, is the plaintext space, is the ciphertext space, and is the tag space. It takes the key , the nonce , the associated data , and the plaintext as input and returns the ciphertext and the tag , where and . The decryption algorithm of OGCM-1 is the inverse of the encryption algorithm . It takes , and as input and returns either or a special symbol . Here always returns a failure of the decryption oracle.

The overview of OGCM-1 is depicted in Figure 1. The encryption and decryption algorithms of OGCM-1 are given in Algorithms 1, 2, and 3. We recommend restricting AES-OGCM-1 to 96-bit nonces; that is, and .

Algorithm 1: The encryption algorithm of OGCM-1.
Algorithm 2: The decryption algorithm of OGCM-1.
Algorithm 3: The hash algorithm .
Figure 1: OGCM-1: a close to optimally secure variant of GCM.

5. Security of OGCM-1

5.1. Security Models of AEAD Schemes

Privacy (confidentiality) and authenticity (integrity) are two important security metrics of AEAD modes. Let be an integer, be the key randomly drawn from , and be a nonce-based AEAD scheme.

Privacy. Let be a random oracle that takes as input and returns a random string of length . Let be an adversary which has access to an oracle (either the encryption oracle or the random oracle ) and returns . We say that is a nonce-respecting adversary if all nonces are always distinct for all encryption queries . Without loss of generality, we assume that is a nonce-respecting adversary and never makes trivial queries for which their responses are obviously known. Then the PRIV-advantage of against is defined as

Authenticity. Let be an adversary which has access to the encryption oracle and the decryption oracle . Firstly, the adversary queries to and returns , where . Then forges a challenge query to . The forgery attempt succeeds if . Without loss of generality, we assume that is a nonce-respecting adversary and never makes trivial queries for which their responses are obviously known. Then the AUTH-advantage of against is defined as

5.2. Main Results and Security Proofs

Assuming that the underlying block cipher is a secure PRP, OGCM-1 achieves close to optimal security in the information-theoretic setting. More precisely, the privacy and authenticity of OGCM-1 are provably secure up to adversarial queries in the nonce-respecting scenario if the underlying block cipher is a secure PRP. We first present the privacy of OGCM-1.

Theorem 3 (privacy of OGCM-1). Let be a block cipher and be an -AXU hash function, where and are two nonempty sets of keys. Let be a nonce-respecting adversary which makes at most queries with the maximum block length and the running time to OGCM-1. Then there exists another adversary against the PRP-security of , making at most oracle queries and running in time at most , such that, for any adversary ,

The proof of Theorem 3 has two steps. First, we replace and with two random and independent -bit permutations and , where and are drawn randomly and independently from . Let and let OGCM-1[] be the new construction. By a hybrid argument it is easy to show that there exists another adversary against the PRP-security of , making at most oracle queries and running in time at most , such that the corresponding bound holds. Our goal is then to upper-bound . To this end we introduce Lemma 4.

Lemma 4. Let be two permutations randomly and independently chosen from . Let be a nonce-respecting adversary which makes at most queries to OGCM-1, generating at most blocks. Then, for any adversary ,

Proof. The proof is by contradiction. The main idea is as follows: if there exists a nonce-respecting adversary against OGCM-1 such that , then we can construct a nonce-respecting adversary against such that , which contradicts Theorem 1. The details are as follows.
Let be the encryption algorithm of OGCM-1 and be a random function that takes as input and always returns a random string of length . Suppose, to the contrary, that there exists a nonce-respecting adversary against OGCM-1 such that where makes queries with the block length to OGCM-1, generating blocks.
Let be a random function, where . Consider an adversary that makes queries to an oracle , either or , generating blocks, where uses as a subroutine (see Algorithm 4).
If is , then provides a perfect simulation of for . Therefore, . Similarly, if is , then provides a perfect simulation of the random function for . Therefore, . It follows that , which contradicts Theorem 1. Hence the hypothesis does not hold; that is, the original proposition holds, where . This finishes the proof of Lemma 4.

Algorithm 4: Codes of PRF-adversary against using the PRIV-adversary .

Combining (12) and (13) yields Theorem 3. Hence the privacy of OGCM-1 holds up to adversarial queries in the nonce-respecting scenario, assuming that the underlying block cipher is a secure PRP. Next, we turn to the authenticity of OGCM-1.

Theorem 5 (authenticity of OGCM-1). Let be a block cipher and be an -AXU hash function, where and are two nonempty sets of keys. Let be a nonce-respecting adversary which makes at most encryption queries and one forgery attempt to OGCM-1. The maximum block length is and the running time is at most . Then there exists another adversary against the PRP-security of , making at most oracle queries and running in time at most , such that, for any adversary ,

The proof of Theorem 5 has two steps. First, we replace and with two random and independent permutations and . Let and let OGCM-1 be the new construction. It is easy to show that there exists another adversary against the PRP-security of , making at most oracle queries and running in time at most , such that the corresponding bound holds. Our goal is then to upper-bound . To this end we introduce Lemma 6.

Lemma 6. Let be an integer. Let be two permutations randomly and independently chosen from . Let be an -AXU hash function. Let be a nonce-respecting adversary which makes at most encryption queries and one forgery attempt to OGCM-1, generating at most blocks. Then, for any adversary ,

Proof. We assume that the nonce-respecting adversary makes one forgery attempt after encryption queries, generating at most blocks. More precisely, first makes queries to the encryption oracle and receives . Then makes one forgery attempt to the decryption oracle. Note that .
According to the definition of the AUTH-advantage, we have where are the encryption and decryption algorithms of OGCM-1, is a random oracle which always returns a random string , and is a random oracle which always returns a random string or a reject symbol; that is, .
For (21), we have , which was shown in the privacy proof, and .
For (22), we consider the forgery attempt . As is a nonce-respecting adversary, there is at most one response of the encryption oracle such that , where . Assuming that there exists a dummy key , we discuss the following two cases in the single forgery attempt.
Case 1. There exists one such that for some . By the properties of the AXU hash function , we have . Case 2. There is no such that for any ; that is, is new. Let be the nonce length. We consider the following subcases.
Case 2-1. There exist for multiple . In the encryption queries, there are at most collisions for queries; that is, the number of the same pair is at most . Then we have where and .
Case 2-2. There is no for any . In this subcase, we further discuss the following two subcases.
Case 2-2-1. There exist and for some . Then . Therefore, we have where ,  ,  , and .
Case 2-2-2. There is no for any . According to the properties of the AXU hash function , we have where and .
Summarizing all of the above mutually exclusive cases, the success probability of the single forgery attempt is upper-bounded by (28). Combining (21), (22), (23), and (28), the AUTH-advantage of against OGCM-1 is upper-bounded by . This finishes the proof of Lemma 6.

Combining (18) and (19) yields Theorem 5. If and , the authenticity of OGCM-1 holds up to adversarial queries in the nonce-respecting scenario, assuming that the underlying block cipher is a secure PRP.

6. OGCM-2: A Dual Variant of OGCM-1

In this section, we utilize the close to optimally secure PRF to build another improved variant of GCM, called OGCM-2. OGCM-2 achieves close to optimal security in the nonce-respecting scenario assuming that the underlying block cipher is a secure PRP. OGCM-2 is a two-pass nonce-based AEAD scheme employing the “Encryption-then-MAC” approach, where the encryption part utilizes a multi-EDMD function to set up a stream-cipher encryption mode and the MAC part combines an AXU hash function and the EDMD construction to generate an authentication tag.

The overview of OGCM-2 is depicted in Figure 2. The encryption and decryption algorithms of OGCM-2 are given in Algorithms 5 and 6.

Algorithm 5: The encryption algorithm of OGCM-2.
Algorithm 6: The decryption algorithm of OGCM-2.
Figure 2: OGCM-2: a dual variant of OGCM-1.
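The following is an added, runnable illustration of the building blocks from Section 2 (GF(2^n) arithmetic and the polynomial AXU hash), Section 3 (the EDM and EDMD functions), and the Encryption-then-MAC skeleton shared by OGCM-1 (Section 4) and OGCM-2 (this section). It is editor-written example code, not the paper's Algorithms 1 to 6, which are not reproduced on this page. The block cipher is replaced by random permutations on 16-bit strings, which is exactly the information-theoretic model of Theorems 1 and 2, so this is a model of the mode rather than a cipher. Details the text does not fix and that are assumed here: the PRF input is nonce||counter with counter 0 reserved for the tag (so the tag input never coincides with a keystream input under the same nonce), the tag is the Wegman-Carter value F(N||0) XOR H_L(A, C, lengths) with a trailing length block as in GHASH, the toy field is GF(2^16) defined by x^16 + x^14 + x^13 + x^11 + 1, and the argument F selects EDM (OGCM-1) or EDMD (OGCM-2). The exhaustive AXU check runs in the AES field GF(2^8) because all 256 keys can be enumerated there.

```python
# Added example: toy OGCM-1/OGCM-2 skeleton (not the paper's Algorithms 1-6).
# 16-bit blocks; P1, P2 are random permutations standing in for the block cipher.
import hmac
import random

N_BITS = 16                   # toy block size n
CTR_BITS = 8                  # low bits of the PRF input carry the counter
POLY16 = (1 << 16) | 0x6801   # x^16 + x^14 + x^13 + x^11 + 1, assumed toy field
POLY8 = 0x11B                 # x^8 + x^4 + x^3 + x + 1, the AES field, for the AXU check

def gf_mul(a, b, n, poly):
    """Multiply a and b in GF(2^n); poly is the degree-n irreducible polynomial."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:               # degree reached n: subtract (XOR) the modulus
            a ^= poly
    return r

def poly_hash(L, blocks, n, poly):
    """sum_i M_i * L^(l-i+1) by Horner's rule; (l/2^n)-AXU for equal block counts."""
    y = 0
    for m in blocks:
        y = gf_mul(y ^ m, L, n, poly)
    return y

def axu_max_hits(m1, m2, n=8, poly=POLY8):
    """Exhaustive AXU check: most frequent value of H_L(m1) ^ H_L(m2) over all keys L."""
    counts = {}
    for L in range(1 << n):
        d = poly_hash(L, m1, n, poly) ^ poly_hash(L, m2, n, poly)
        counts[d] = counts.get(d, 0) + 1
    return max(counts.values())

def random_permutation(n, seed):
    """Ideal model of E_K: a uniformly random permutation on n-bit strings."""
    table = list(range(1 << n))
    random.Random(seed).shuffle(table)
    return table

def edm(P1, P2, x):
    """Encrypted Davies-Meyer [45]: P2(P1(x) xor x)."""
    return P2[P1[x] ^ x]

def edmd(P1, P2, x):
    """EDM Dual [46]: P2(P1(x)) xor P1(x)."""
    y = P1[x]
    return P2[y] ^ y

def collisions(values):
    """Repeated outputs: 0 for a permutation, about q^2/2^(n+1) for a random function."""
    return len(values) - len(set(values))

def _hash_input(ad, ct):
    # Trailing length block keeps different (|A|, |C|) splits from hashing alike (assumed).
    return ad + ct + [(len(ad) << 8) | len(ct)]

def ogcm_encrypt(F, P1, P2, L, nonce, ad, pt):
    """Encrypt-then-MAC: keystream F(N||i) for i >= 1, tag F(N||0) xor H_L(A, C)."""
    if len(pt) >= 1 << CTR_BITS or nonce >= 1 << (N_BITS - CTR_BITS):
        raise ValueError("counter would wrap into the nonce bits")
    base = nonce << CTR_BITS
    ct = [m ^ F(P1, P2, base + i) for i, m in enumerate(pt, start=1)]
    tag = F(P1, P2, base) ^ poly_hash(L, _hash_input(ad, ct), N_BITS, POLY16)
    return ct, tag

def ogcm_decrypt(F, P1, P2, L, nonce, ad, ct, tag):
    """Check the tag in constant time before releasing plaintext; None is the error symbol."""
    base = nonce << CTR_BITS
    expect = F(P1, P2, base) ^ poly_hash(L, _hash_input(ad, ct), N_BITS, POLY16)
    if not hmac.compare_digest(expect.to_bytes(2, "big"), tag.to_bytes(2, "big")):
        return None
    return [c ^ F(P1, P2, base + i) for i, c in enumerate(ct, start=1)]

def demo(F=edm, q=4000):
    P1, P2 = random_permutation(N_BITS, 1), random_permutation(N_BITS, 2)
    L = random.Random(3).randrange(1, 1 << N_BITS)    # hash key must be nonzero
    pt, ad, nonce = [0x1234, 0xBEEF, 0x0042], [0xCAFE], 0x5A   # constructed sample input
    ct, tag = ogcm_encrypt(F, P1, P2, L, nonce, ad, pt)
    return {
        "roundtrip": ogcm_decrypt(F, P1, P2, L, nonce, ad, ct, tag) == pt,
        "tag_forgery_rejected": ogcm_decrypt(F, P1, P2, L, nonce, ad, ct, tag ^ 1) is None,
        # bare CTR from a PRP never repeats a keystream block (the birthday distinguisher);
        # the EDM/EDMD keystream repeats about as often as a random function would
        "prp_collisions": collisions([P1[x] for x in range(q)]),
        "prf_collisions": collisions([F(P1, P2, x) for x in range(q)]),
    }

if __name__ == "__main__":
    print(demo(edm), demo(edmd))
```

demo(edm) and demo(edmd) check the round trip, reject a tag with one flipped bit, and contrast a bare permutation, whose q outputs never repeat (the distinguisher behind the birthday bound of Section 1), with EDM/EDMD output, which repeats roughly q^2/2^(n+1) times like a random function. Because GF(2^n) has no zero divisors, changing a single block of A or C by a nonzero difference changes the hash by that difference times a power of L, which is nonzero for every nonzero key, so such a change is always detected; the l/2^n term in the AXU bound concerns adversarially chosen multi-block differences, and the exhaustive check in GF(2^8) shows that no XOR difference is hit by more keys than the polynomial's degree allows.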

The security of OGCM-2 is derived in the following theorem.

Theorem 7 (security of OGCM-2). Let . Let be a nonce-respecting adversary which makes at most encryption queries and one forgery attempt and runs in time at most to OGCM-2. Then there exists another adversary against the PRP-security of , making at most oracle queries and running in time at most , such that, for any adversary ,

The proof of Theorem 7 is similar to the proofs of Theorems 3 and 5. Therefore we omit it.

According to Theorem 7, assuming that the underlying block cipher is a secure PRP and and , the privacy and authenticity of OGCM-2 are provably secure up to adversarial queries in the nonce-respecting scenario.

7. Discussions and Future Works

Compared with GCM, both OGCM-1 and OGCM-2 achieve a balance between the security and the efficiency.

From the perspective of security, they enjoy close to optimal security in the nonce-respecting scenario, assuming that the underlying block cipher is a secure PRP. They can encrypt at most plaintexts in the nonce-respecting scenario and the maximum block length of a plaintext is , where is the nonce length and is the block size. The privacy of OGCM-1 (resp., OGCM-2) is upper-bounded by and the authenticity of OGCM-1 (resp., OGCM-2) is upper-bounded by , for (resp., ) adversarial queries and one forgery attempt, where is the number of encryption queries, is the query complexity, and is the bit length of the authentication tag. In other words, the privacy and authenticity of OGCM-1 ensure at most about -bit security, while those of OGCM-2 ensure at most about -bit security, where denotes the logarithm (base 2) of . Let ,  ,  , and . AES-OGCM-1 and AES-OGCM-2 can then encrypt at most plaintexts in the nonce-respecting scenario, the maximum length of a plaintext is about blocks (64 GBytes), and the privacy and authenticity achieve roughly 107.9565-bit or 121.9339-bit security, better than AES-GCM (about 64-bit security). Like GCM, OGCM-1 and OGCM-2 are based on polynomial AXU hash functions, which may leave them open to the same class of attacks on GHASH as GCM, such as [36, 37, 42, 43].

From the perspective of efficiency, they make two block cipher calls per plaintext block (that is, their rate is 1/2) and inherit most of the advantages of GCM (parallelizability, stream-cipher encryption, and high-speed implementation). Specifically, they use three keys, call the underlying block cipher times, and use finite-field multiplications, whereas GCM uses one key, calls the underlying block cipher times, and uses finite-field multiplications, where (resp., ) is the block length of the plaintext (resp., associated data). Their throughput is therefore about half that of GCM: OGCM-1 and OGCM-2 give up implementation efficiency in software and hardware to gain security.

Compared with some existing BBB-secure AE schemes, OGCM-1 and OGCM-2 are block cipher-based nonce-respecting AE modes that ensure close to optimal security and provide good efficiency. Details are shown in Table 2. Note that RWCTRN [47] is based on the PRF assumption. Therefore, its block size is at least 256.

Table 2: Comparison of AE schemes that provide BBB security. “” means can be reduced to . “n.r.” denotes nonce-respecting and “n.m.” denotes nonce-misuse. “PRP” stands for pseudorandom permutation, “TPRP” stands for tweakable PRP, and “PRF” stands for pseudorandom function. Let be the block length of the plaintext and be the block length of associated data. Let be two integers. Let stand for approximately equal to. For example, 128 means that it is approximately equal to 128.

OGCM-1 and OGCM-2 use three keys, which increases the cost of key management. We therefore suggest a key-derivation method that expands one key into several: the hash-function key and the two block cipher keys are derived from a single secret key by encrypting three distinct constants under it. This gives single-key variants of OGCM-1 and OGCM-2. Note that the derived keys are then only indistinguishable from three independent random keys, so the security of the single-key variants additionally rests on the PRP-security of the block cipher under the master key, and the derivation costs three extra block cipher calls per key.

This paper focuses on the strong security of GCM in the nonce-respecting scenario. A natural direction for future work is how we can design an improved mode that provides strong security in the nonce-misuse and even other misuse scenarios (e.g., the releasing of unverified plaintext and decryption misuse scenarios).

8. Conclusions

This paper focuses on the strong security of GCM and presents two close to optimally secure variants, OGCM-1 and OGCM-2. They follow the "Encryption-then-MAC" approach: the encryption part uses multiple EDM or EDMD constructions as a close to optimally secure key-stream generator, and the MAC part combines an AXU hash function with one EDM or EDMD construction to generate the authentication tag. OGCM-1 and OGCM-2 balance security against efficiency. In terms of security, OGCM-1 guarantees at most roughly -bit security and OGCM-2 at most roughly -bit security, where is the block size. In terms of efficiency, their rate is 1/2; that is, they make two block cipher calls per plaintext block. Compared with GCM [33] and CHM [30], OGCM-1 and OGCM-2 guarantee stronger security at lower efficiency. Compared with GCM-SIVr [32], OGCM-1 and OGCM-2 guarantee close to optimal security at higher efficiency.

GCM is a NIST recommended block cipher mode of operation and has wide applications, but it only ensures the birthday-bound security. OGCM-1 and OGCM-2 that provide close to optimal security are the extensions of GCM, which is of great significance in practice.

Conflicts of Interest

There are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work was supported by National Natural Science Foundation of China (Grant nos. 61522210 and 61632013).

References

  1. P. Rogaway, “Authenticated-encryption with associated-data,” in Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS '02), pp. 98–107, Washington, DC, USA, November 2002.
  2. Y. Sasaki and K. Yasuda, “A new mode of operation for incremental authenticated encryption with associated data,” in Selected Areas in Cryptography—SAC 2015, vol. 9566 of Lecture Notes in Computer Science, pp. 397–416, Springer, Heidelberg, Germany, 2016.
  3. C. S. Jutla, “Encryption modes with almost free message integrity,” in Advances in Cryptology—EUROCRYPT 2001 (Innsbruck), vol. 2045 of Lecture Notes in Computer Science, pp. 529–544, Springer, Heidelberg, Germany, 2001.
  4. P. Rogaway, “Efficient instantiations of tweakable blockciphers and refinements to modes OCB and PMAC,” in Advances in Cryptology—ASIACRYPT 2004, vol. 3329 of Lecture Notes in Computer Science, pp. 16–31, Springer, Heidelberg, Germany, 2004.
  5. P. Rogaway, M. Bellare, and R. S. Ferguson, “OCB: a block-cipher mode of operation for efficient authenticated encryption,” ACM Transactions on Information and System Security, vol. 6, no. 3, pp. 365–403, 2003.
  6. E. Andreeva, A. Bogdanov, A. Luykx, B. Mennink, E. Tischhauser, and K. Yasuda, “Parallelizable and authenticated online ciphers,” in Advances in Cryptology—ASIACRYPT 2013, vol. 8269 of Lecture Notes in Computer Science, pp. 424–443, Springer, Heidelberg, Germany, 2013.
  7. F. Abed, S. Fluhrer, C. Forler et al., “Pipelineable on-line encryption,” in Fast Software Encryption, vol. 8540 of Lecture Notes in Computer Science, pp. 205–223, Springer, Heidelberg, Germany, 2015.
  8. L. Bossuet, N. Datta, C. Mancillas-Lopez, and M. Nandi, “ELmD: a pipelineable authenticated encryption and its hardware implementation,” IEEE Transactions on Computers, vol. 65, no. 11, pp. 3318–3331, 2016.
  9. E. Fleischmann, C. Forler, and S. Lucks, “McOE: a family of almost foolproof on-line authenticated encryption schemes,” in Fast Software Encryption, vol. 7549 of Lecture Notes in Computer Science, pp. 196–215, Springer, Heidelberg, Germany, 2012.
  10. C. Forler, E. List, S. Lucks, and J. Wenzel, “Efficient beyond-birthday-bound-secure deterministic authenticated encryption with minimal stretch,” in ACISP 2016: Information Security and Privacy, vol. 9723 of Lecture Notes in Computer Science, pp. 317–332, Springer, Heidelberg, Germany, 2016.
  11. E. List and M. Nandi, “Revisiting full-PRF-secure PMAC and using it for beyond-birthday authenticated encryption,” in Topics in Cryptology—CT-RSA 2017, vol. 10159 of Lecture Notes in Computer Science, pp. 258–274, Springer, Heidelberg, Germany, 2017.
  12. T. Peyrin and Y. Seurin, “Counter-in-tweak: authenticated encryption modes for tweakable block ciphers,” in Advances in Cryptology—CRYPTO 2016, vol. 9814 of Lecture Notes in Computer Science, pp. 33–63, Springer, Heidelberg, Germany, 2016.
  13. M. Liskov, R. L. Rivest, and D. Wagner, “Tweakable block ciphers,” in Advances in Cryptology—CRYPTO 2002, vol. 2442 of Lecture Notes in Computer Science, pp. 31–46, Springer, Heidelberg, Germany, 2002.
  14. M. Liskov, R. L. Rivest, and D. Wagner, “Tweakable block ciphers,” Journal of Cryptology, vol. 24, no. 3, pp. 588–613, 2011.
  15. T. Iwata and K. Yasuda, “HBS: a single-key mode of operation for deterministic authenticated encryption,” in Fast Software Encryption, vol. 5665 of Lecture Notes in Computer Science, pp. 394–415, Springer, Heidelberg, Germany, 2009.
  16. P. Rogaway and T. Shrimpton, “A provable-security treatment of the key-wrap problem,” in Advances in Cryptology—EUROCRYPT 2006, vol. 4004 of Lecture Notes in Computer Science, pp. 373–390, Springer, Heidelberg, Germany, 2006.
  17. V. T. Hoang, T. Krovetz, and P. Rogaway, “Robust authenticated-encryption AEZ and the problem that it solves,” in Advances in Cryptology—EUROCRYPT 2015, vol. 9056 of Lecture Notes in Computer Science, pp. 15–44, Springer, Heidelberg, Germany, 2015.
  18. N. Ferguson, D. Whiting, B. Schneier, J. Kelsey, S. Lucks, and T. Kohno, “Helix: fast encryption and authentication in a single cryptographic primitive,” in Fast Software Encryption, vol. 2887 of Lecture Notes in Computer Science, pp. 330–346, Springer, Heidelberg, Germany, 2003.
  19. H. Wu and B. Preneel, “AEGIS: a fast authenticated encryption algorithm,” in Selected Areas in Cryptography—SAC 2013, vol. 8282 of Lecture Notes in Computer Science, pp. 185–201, Springer, Heidelberg, Germany, 2014.
  20. M. Bellare and C. Namprempre, “Authenticated encryption: relations among notions and analysis of the generic composition paradigm,” in Advances in Cryptology—ASIACRYPT 2000, vol. 1976 of Lecture Notes in Computer Science, pp. 531–545, Springer, Heidelberg, Germany, 2000.
  21. M. Bellare, P. Rogaway, and D. Wagner, “The EAX mode of operation,” in FSE 2004: Fast Software Encryption, B. Roy and W. Meier, Eds., vol. 3017 of Lecture Notes in Computer Science, pp. 389–407, Springer, Heidelberg, Germany, 2004.
  22. T. Krovetz, “HS1-SIV,” 2015, https://competitions.cr.yp.to/round2/hs1sivv2c.pdf.
  23. P. Jovanovic, A. Luykx, and B. Mennink, “Beyond security in sponge-based authenticated encryption modes,” in Advances in Cryptology—ASIACRYPT 2014, vol. 8873 of Lecture Notes in Computer Science, pp. 85–104, Springer, Heidelberg, Germany, 2014.
  24. C. Dobraunig, M. Eichlseder, F. Mendel, and M. Schläffer, “Ascon v1.2,” 2016, https://competitions.cr.yp.to/round3/asconv12.pdf.
  25. G. Bertoni, J. Daemen, M. Peeters, and G. Van Assche, “Duplexing the sponge: single-pass authenticated encryption and other applications,” in SAC 2011: Selected Areas in Cryptography, vol. 7118 of Lecture Notes in Computer Science, pp. 320–337, Springer, Heidelberg, Germany, 2012.
  26. R. Granger, P. Jovanovic, B. Mennink, and S. Neves, “Improved masking for tweakable blockciphers with applications to authenticated encryption,” in Advances in Cryptology—EUROCRYPT 2016, vol. 9665 of Lecture Notes in Computer Science, pp. 263–293, Springer, Heidelberg, Germany, 2016.
  27. S. Cogliani, D. S. Maimuţ, D. Naccache et al., “OMD: a compression function mode of operation for authenticated encryption,” in Selected Areas in Cryptography—SAC 2014, vol. 8781 of Lecture Notes in Computer Science, pp. 112–128, Springer, Heidelberg, Germany, 2014.
  28. R. Reyhanitabar, S. Vaudenay, and D. Vizár, “Boosting OMD for almost free authentication of associated data,” in FSE 2015: Fast Software Encryption, vol. 9054 of Lecture Notes in Computer Science, pp. 411–427, Springer, Heidelberg, Germany, 2015.
  29. K. Minematsu, “Parallelizable rate-1 authenticated encryption from pseudorandom functions,” in Advances in Cryptology—EUROCRYPT 2014, vol. 8441 of Lecture Notes in Computer Science, pp. 275–292, Springer, Heidelberg, Germany, 2014.
  30. T. Iwata, “New blockcipher modes of operation with beyond the birthday bound security,” in Fast Software Encryption, vol. 4047 of Lecture Notes in Computer Science, pp. 310–327, Springer, Heidelberg, Germany, 2006.
  31. T. Iwata, “Authenticated encryption mode for beyond the birthday bound security,” in Advances in Cryptology—AFRICACRYPT 2008, vol. 5023 of Lecture Notes in Computer Science, pp. 125–142, Springer, Heidelberg, Germany, 2008.
  32. T. Iwata and K. Minematsu, “Stronger security variants of GCM-SIV,” IACR Transactions on Symmetric Cryptology, vol. 2016, no. 1, pp. 134–157, 2016.
  33. D. A. McGrew and J. Viega, “The security and performance of the Galois/counter mode (GCM) of operation,” in Progress in Cryptology—INDOCRYPT 2004, vol. 3348 of Lecture Notes in Computer Science, pp. 343–355, Springer, Heidelberg, Germany, 2004.
  34. T. Iwata, K. Ohashi, and K. Minematsu, “Breaking and repairing GCM security proofs,” in Advances in Cryptology—CRYPTO 2012, vol. 7417 of Lecture Notes in Computer Science, pp. 31–49, Springer, Heidelberg, Germany, 2012.
  35. Y. Niwa, K. Ohashi, K. Minematsu, and T. Iwata, “GCM security bounds reconsidered,” in Fast Software Encryption, vol. 9054 of Lecture Notes in Computer Science, pp. 385–407, Springer, Heidelberg, Germany, 2015.
  36. M. J. O. Saarinen, “Cycling attacks on GCM, GHASH and other polynomial MACs and hashes,” in Fast Software Encryption, A. Canteaut, Ed., Lecture Notes in Computer Science, pp. 216–225, Springer, Heidelberg, Germany, 2012.
  37. M. A. Abdelraheem, P. Beelen, A. Bogdanov, and E. Tischhauser, “Twisted polynomials and forgery attacks on GCM,” in Advances in Cryptology—EUROCRYPT 2015, vol. 9056 of Lecture Notes in Computer Science, pp. 762–786, Springer, Heidelberg, Germany, 2015.
  38. M. Bellare and B. Tackmann, “The multi-user security of authenticated encryption: AES-GCM in TLS 1.3,” in Advances in Cryptology—CRYPTO 2016, vol. 9814 of Lecture Notes in Computer Science, pp. 247–276, Springer, Heidelberg, Germany, 2016.
  39. H. Böck, A. Zauner, S. Devlin, J. Somorovsky, and P. Jovanovic, “Nonce-disrespecting adversaries: practical forgery attacks on GCM in TLS,” 2016, https://eprint.iacr.org/2016/475.pdf.
  40. S. Gueron and Y. Lindell, “GCM-SIV: full nonce misuse-resistant authenticated encryption at under one cycle per byte,” in Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS 2015), pp. 109–119, Denver, CO, USA, October 2015.
  41. K. Aoki and K. Yasuda, “The security and performance of ‘GCM’ when short multiplications are used instead,” in Information Security and Cryptology, vol. 7763 of Lecture Notes in Computer Science, pp. 225–245, Springer, Heidelberg, Germany, 2013.
  42. W.-S. Yap, S. L. Yeo, S.-H. Heng, and M. Henricksen, “Security analysis of GCM for communication,” Security and Communication Networks, vol. 7, no. 5, pp. 854–864, 2014.
  43. B. Zhu, Y. Tan, and G. Gong, “Revisiting MAC forgeries, weak keys and provable security of Galois/counter mode of operation,” in Cryptology and Network Security, vol. 8257 of Lecture Notes in Computer Science, pp. 20–38, Springer, Heidelberg, Germany, 2013.
  44. T. Iwata and Y. Seurin, “Reconsidering the security bound of AES-GCM-SIV,” 2017, https://eprint.iacr.org/2017/708.pdf.
  45. B. Cogliati and Y. Seurin, “EWCDM: an efficient, beyond-birthday secure, nonce-misuse resistant MAC,” in Advances in Cryptology—CRYPTO 2016, vol. 9814 of Lecture Notes in Computer Science, pp. 121–149, Springer, Heidelberg, Germany, 2016.
  46. B. Mennink and S. Neves, “Encrypted Davies-Meyer and its dual: towards optimal security using mirror theory,” in Advances in Cryptology—CRYPTO 2017, vol. 10403 of Lecture Notes in Computer Science, pp. 556–583, Springer, Heidelberg, Germany, 2017.
  47. P. Zhang, H. G. Hu, and P. Wang, “Efficient beyond-birthday-bound secure authenticated encryption modes,” Science China Information Sciences, 2017.
  48. B. Mennink and S. Neves, “Optimal PRFs from blockcipher designs,” IACR Transactions on Symmetric Cryptology, vol. 2017, no. 3, pp. 228–252, 2017.