Security and Communication Networks


Research Article | Open Access

Volume 2018 | Article ID 9715947 | 12 pages | https://doi.org/10.1155/2018/9715947

Close to Optimally Secure Variants of GCM

Academic Editor: Kamal D. Singh
Received: 21 Aug 2017
Revised: 05 Dec 2017
Accepted: 16 Jan 2018
Published: 06 Mar 2018

Abstract

The Galois/Counter Mode of operation (GCM) is a widely used nonce-based authenticated encryption with associated data mode which provides birthday-bound security in the nonce-respecting scenario; that is, it is secure up to about adversarial queries if all nonces used in the encryption oracle are never repeated, where is the block size. It is an open problem whether the security of GCM can be improved using some simple operations. This paper gives a positive answer to this problem. Firstly, we introduce two close to optimally secure pseudorandom functions and derive their security bound by the hybrid technique. Then, we use these pseudorandom functions together with a universal hash function to construct two improved versions of GCM, called OGCM-1 and OGCM-2. OGCM-1 and OGCM-2 are, respectively, provably secure up to approximately and adversarial queries in the nonce-respecting scenario if the underlying block cipher is a secure pseudorandom permutation. Finally, we discuss the properties of OGCM-1 and OGCM-2 and outline future work.

1. Introduction

Authenticated Encryption. An authenticated encryption (AE) mode is a cryptographic scheme which guarantees the privacy and authenticity of a message at the same time. So far, a large number of AE schemes have emerged; in particular, the CAESAR competition, which started in 2012, has greatly promoted the development of AE schemes. AE has been widely applied in many environments. Classified by application requirements, these include AE with associated data (AEAD) [1, 2], parallelizable AE [3–5], online AE [6–9], tweakable AE [9–14], deterministic AE [10, 15, 16], wide block AE [17], XOR-based AE [18], and dedicated AE algorithms [19]. Classified by design approach, these include generic composed AE [20], block cipher-based AE [3–6, 21], stream-cipher-based AE [18, 22], permutation-based AE [23–26], keyed-function-based AE [27, 28], tweakable block cipher-based AE [9–14], and hybrid AE [17, 19, 29].

Birthday-Bound Security and Beyond-Birthday-Bound Security. Most AE modes, such as [6, 7, 9, 20, 21, 26], offer only birthday-bound security; that is, they are secure up to roughly adversarial queries, where is the block size. The block cipher in current use is AES (block size ). If AES is used in a block cipher mode of operation, 128-bit security degrades to at most about 64-bit security, which is unacceptable in some special environments. Therefore, it is vitally important to design AE modes that ensure beyond-birthday-bound (BBB) security. BBB security means that an AE mode is provably secure up to approximately adversarial queries, where is an integer. If an AE mode is provably secure up to roughly adversarial queries, we say that it provides optimal security. In order to achieve stronger security (BBB or optimal security), AE modes usually compromise the efficiency of their hardware and software implementations. For example, a BBB-secure pseudorandom function is often built from multiple block ciphers or their sum. The more often the underlying block cipher is invoked, the greater the cost. Therefore, the efficiency of BBB-secure AE modes is generally low. In recent years, many AE modes that ensure BBB security have appeared, such as [10–12, 22–24, 30–32].

Problem Statement. The Galois/Counter Mode of operation (GCM) [33], designed by McGrew and Viega, is a nonce-based AEAD scheme. GCM combines the counter mode, used in the encryption part, with a polynomial hash function, used in the authentication part, and is among the block cipher AE modes of operation recommended by NIST. Its security depends on the nonce-respecting setting in which all nonces used in the encryption queries are distinct. Iwata et al. [34] pointed out that the previously claimed security was flawed and presented a new provable security result, which was later improved by Niwa et al. [35]. GCM retains birthday-bound security and has better security bounds for 96-bit nonces. As for attacks on GCM, Saarinen showed weak keys of GHASH and cycling attacks on GCM in [36]. Other research related to GCM includes [37–44]. GCM has been widely applied in IEEE 802.1AE Ethernet security, IEEE 802.11ad, the IETF IPsec standards, SSH, TLS, and so on. GCM is proven to be secure up to roughly adversarial queries in the nonce-respecting scenario, assuming that the underlying block cipher is a secure pseudorandom permutation. In other words, for AES-GCM, the security guarantee is lost after at most only adversarial queries, which is not sufficiently secure in some special settings. Therefore, in this paper, we consider the question of whether we can design a scheme that provides better security (such as BBB security or optimal security) to improve the security guarantee of GCM.

Our Contributions. This paper gives a positive answer to the above question. We first introduce a basic tool: close to optimally secure pseudorandom functions (PRFs) which are, respectively, designed from the Encrypted Davies-Meyer (EDM) [45] and EDM Dual (EDMD) [46] constructions. Then we construct two improved versions of GCM, called OGCM-1 and OGCM-2, which are parallelizable nonce-based close to optimally secure AEAD modes. OGCM-1 and OGCM-2 are, respectively, provably secure up to approximately and adversarial queries in the nonce-respecting scenario if the underlying block cipher is a secure pseudorandom permutation (PRP). They are based on the “Encryption-then-MAC” approach, where the encryption part utilizes a multi-EDM or multi-EDMD function to set up a close to optimally secure key-stream generator and the MAC part combines an EDM or EDMD construction with an almost-XOR-universal (AXU) hash function to generate an authentication tag.

OGCM-1 and OGCM-2 balance security against the efficiency of the software and hardware implementation. Take AES-OGCM-1 or AES-OGCM-2 as an example; that is, the underlying block cipher is instantiated with AES. First, from the point of view of security, they achieve at most about 107.9565-bit or 121.9339-bit security, which is better than that of AES-GCM (at most about 64-bit security). In the nonce-respecting scenario, they can encrypt at most plaintexts (as the nonce length is 96 bits), and the maximum block length of each plaintext is about blocks (64 GBytes). Second, from the point of view of efficiency, they invoke block ciphers and finite-field multiplications, where is the number of plaintext blocks and is the number of associated data blocks; their efficiency is about half that of AES-GCM. Therefore, AES-OGCM-1 and AES-OGCM-2 sacrifice implementation efficiency to achieve strong security. The comparisons among AES-GCM, AES-OGCM-1, and AES-OGCM-2 are shown in Table 1.


Table 1: Comparisons among AES-GCM, AES-OGCM-1, and AES-OGCM-2 (n.r. = nonce-respecting).

                        AES-GCM [34]    AES-OGCM-1    AES-OGCM-2
# keys                  1
CTR-like                Yes             Yes           Yes
Block size              128             128           128
Nonce scenario          n.r.            n.r.          n.r.
Assumption              PRP             PRP           PRP
Security (bits)         64              107.9565      121.9339
# block cipher calls
# multiplications

Organization of This Paper. Some preliminaries are presented in Section 2. A basic tool is provided in Section 3. OGCM-1 is described in Section 4. Security results for OGCM-1 are derived in Section 5. OGCM-2 and its security are shown in Section 6. Section 7 presents some discussion and future work. Finally, Section 8 concludes the paper.

2. Preliminaries

Notations. Let be the set containing all finite strings (including an empty string ). For a finite string ,   stands for its length in bits and means the length of -bit blocks for any integer , where denotes the operation that rounds up from a floating-point number to an integer. The -bit zero string is written as . For two finite strings and , let or be the concatenation of them. If and are two equal-length strings, let denote the XOR of them. For a finite string with , let be the most significant -bit of . Given two positive integers and such that , let be the -bit binary representation of . Let be the function for increment which takes an -bit input and returns an incremented value mod . For , denotes that is incremented times. For a finite set , let denote the value randomly drawn from and let denote the number of elements in . Let be a set of all integers from to ; that is, . Let be an event that an adversary outputs 1 after interacting with the oracle .

Block Ciphers and Keyed Functions. A block cipher is a mapping , which takes a key and a plaintext as input and returns a ciphertext . For any fixed , is an -bit permutation and its inverse is written as . Let be a set of all -bit permutations. Suppose that is an adversary which has access to an encryption oracle. Let and ; then the PRP-advantage of against is defined as where the probabilities are taken over the random choices of and and also over internal coins of , if any. If is negligible, the underlying block cipher is a secure pseudorandom permutation (PRP).

A keyed function is a mapping , which takes a key and a plaintext as input and returns a ciphertext . For any fixed , is a function from to . Let be a set of all functions from to . If , we write . Suppose that is an adversary which has access to an encryption oracle. Let and ; then the PRF-advantage of against is defined as where the probabilities are taken over the random choices of and and also over internal coins of , if any. If is negligible, the underlying keyed function is a secure pseudorandom function (PRF).

If the resources owned by all adversaries are at most , the maximum advantage is defined as , where includes the running time , the total number of oracle queries , the maximum block length , and the total number of blocks in all queries (query complexity) .

Universal Hash Functions. Let ; a keyed hash function is a mapping which takes a key and a message as input and returns an output . We say is an -almost-XOR-universal (-AXU) hash function if, for any and , and, for any two distinct and , . If , is called a uniform AXU (-AXU for short) hash function.

Finite Field. Given a basis, the finite field can be seen as the set . For an -bit string , we can define a polynomial by , where for any . Hence, any integer between 0 and can also be viewed as a polynomial with binary coefficients of degree at most . For example, 2 corresponds to , 3 corresponds to , and 7 corresponds to . The addition in the field is the addition of polynomials over . We denote this operation by bitwise XOR, that is, , where . In order to define the multiplication operation over , we need to introduce an irreducible polynomial of degree over . For ,  . The multiplication of two elements and is defined as the corresponding polynomial multiplication over reduced modulo , that is mod .
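The field arithmetic and the polynomial hash described in the two paragraphs above, as an added Python example (this is illustrative code written for this page, not code from the paper). It uses the paper's integer-as-polynomial representation, in which bit i of the integer is the coefficient of x^i (so 2 is x, 3 is x + 1, 7 is x^2 + x + 1); the GCM standard's GHASH maps block bits to coefficients in the reflected order, so the numeric outputs here are not bit-for-bit GHASH values. The polynomial-hash definition H_key(M_1, ..., M_m) = M_1 key^m + ... + M_m key and the helper `colliding_keys` are this example's own choices; the moduli are the standard AES and GCM polynomials.

```python
# Added example (not from the paper): GF(2^n) arithmetic in the paper's integer-as-polynomial
# representation (bit i of the integer is the coefficient of x^i, so 2 <-> x, 3 <-> x + 1,
# 7 <-> x^2 + x + 1), and the polynomial hash whose AXU bound the paper relies on.


def gf_add(a: int, b: int) -> int:
    """Field addition: coefficient-wise addition mod 2, i.e. bitwise XOR."""
    return a ^ b


def gf_mul(a: int, b: int, n: int, modulus: int) -> int:
    """Multiply a and b as polynomials over GF(2) and reduce modulo an irreducible
    polynomial of degree n. `modulus` is the whole polynomial including the x^n term."""
    assert 0 <= a < (1 << n) and 0 <= b < (1 << n)
    result = 0
    while b:
        if b & 1:               # add a * x^k for every set coefficient of b
            result ^= a
        b >>= 1
        a <<= 1                 # a := a * x
        if a >> n:              # degree reached n: subtract (XOR) the modulus
            a ^= modulus
    return result


# Standard moduli: AES's GF(2^8) polynomial and the GF(2^128) polynomial of GCM.
AES_POLY = 0x11B                  # x^8 + x^4 + x^3 + x + 1
GCM_POLY = (1 << 128) | 0x87      # x^128 + x^7 + x^2 + x + 1


def poly_hash(key: int, blocks: list, n: int, modulus: int) -> int:
    """Polynomial hash H_key(M_1, ..., M_m) = M_1 * key^m + ... + M_m * key, evaluated with
    Horner's rule. For a uniformly random key this family is m/2^n-AXU on m-block inputs:
    H(M) xor H(M') = delta means key is a root of a nonzero polynomial of degree <= m."""
    acc = 0
    for block in blocks:
        acc = gf_mul(gf_add(acc, block), key, n, modulus)
    return acc


def colliding_keys(m1: list, m2: list, n: int, modulus: int) -> int:
    """Count the keys in GF(2^n) for which two distinct messages hash to the same value.
    Exhaustive, so only meaningful for small n; the AXU bound says the count is <= max(m)."""
    return sum(1 for k in range(1 << n)
               if poly_hash(k, m1, n, modulus) == poly_hash(k, m2, n, modulus))


if __name__ == "__main__":
    # FIPS-197 test values in GF(2^8): {57} * {83} = {c1} and {53} * {ca} = {01}.
    print(hex(gf_mul(0x57, 0x83, 8, AES_POLY)), hex(gf_mul(0x53, 0xCA, 8, AES_POLY)))
    # In GF(2^128): x * x^127 = x^128, which reduces to x^7 + x^2 + x + 1 = 0x87.
    print(hex(gf_mul(2, 1 << 127, 128, GCM_POLY)))
    # Two distinct 2-block messages collide for at most 2 of the 256 keys in GF(2^8).
    print(colliding_keys([1, 0], [0, 1], 8, AES_POLY))
```

The exhaustive count in GF(2^8) makes the AXU bound concrete: the messages (1, 0) and (0, 1) hash to key^2 and key respectively, which coincide only for key = 0 and key = 1, i.e. for 2 of 256 keys, matching the m/2^n bound with m = 2.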

Authenticated Encryption. A conventional nonce-based authenticated encryption with associated data (AEAD) scheme consists of an encryption algorithm and a decryption algorithm ; that is, where is a key, is a nonce, is associated data, , is a plaintext, , is a ciphertext, , is a tag, , and is an error symbol which indicates the failure of the decryption oracle. iff . A secure AEAD scheme returns if it receives an invalid pair. If there is no associated data, is taken to be the empty string.

3. Basic Tool: Close to Optimally Secure PRFs

3.1. Multi-Encrypted-Davies-Meyer (Multi-EDM) Function

In this section, we construct a new function from the EDM construction [45].

Assuming that and are two independent and random permutations on -bit, we define a function as , where for , and . Note that we must ensure .

We have the following theorem for information-theoretic security of the function .

Theorem 1. Let be an adversary with access to the function . Let be any threshold. Assuming that makes at most oracle queries, generating at most blocks, then the PRF-advantage of against is upper-bounded by

The result of Theorem 1 shows that constructed by and achieves BBB security. If and , then the PRF-advantage of against is upper-bounded by , which means that is a provably BBB-secure PRF up to approximately adversarial queries. If and , then the PRF-advantage of against is upper-bounded by , which means that is a close to optimally secure PRF up to approximately adversarial queries.

The proof of Theorem 1 utilizes the hybrid technique. The security of the function can be reduced to the security of the EDM construction [46] which utilizes Patarin’s mirror theory.

Proof. Let and ; then the PRF-advantage of against the function is shown as follows:

Let be a reduced EDM construction obtained by fixing bits. Let be an adversary which has access to the reduced EDM function or the random function and makes queries for the th . According to the security of the EDM construction, if and , we have

We construct a hybrid function as follows. The first functions are and the rest of the functions are ; that is, . If , then . If , then . Then the PRF-advantage of against is upper-bounded by

where the inequality is obtained by . The proof is finished.

3.2. Multi-EDM-Dual (Multi-EDMD) Function

In this section, we construct another new function from the EDMD construction [46].

Assuming that and are two independent and random permutations on -bit, we define a function as , where for , ,  , and .
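The two constructions of Sections 3.1 and 3.2, as an added Python example (illustrative code written for this page, not code from the paper or from [45, 46]). The single-block maps are the published ones, EDM(x) = P2(P1(x) xor x) from [45] and EDMD(x) = P2(P1(x)) xor P1(x) from [46]; the two independent permutations P1 and P2 are stood in for by a keyed 4-round Feistel network over SHA-256 under two keys, which is a toy choice for an offline demonstration and not a proposal for the block cipher. The counter-style keystream generator, including the 96-bit nonce || 32-bit counter layout and the 2^32 - 1 block limit, is this example's own assumption about how a multi-EDM or multi-EDMD function is driven; the paper's exact input encoding is not reproduced here.

```python
# Added example (not from the paper): EDM and EDMD as PRFs built from two independent
# permutations, plus the counter-style keystream they can drive.
import hashlib

BLOCK = 16          # n = 128 bits, handled as two 64-bit halves
NONCE_LEN = 12      # 96-bit nonce; nonce || 32-bit counter is an assumed layout


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: keyed SHA-256 of the half-block, truncated to 64 bits."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def perm(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """A keyed 128-bit permutation (4-round Feistel network) standing in for E_K."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(rounds):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def perm_inv(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """Inverse of perm (undo the rounds in reverse); its existence is what makes perm a permutation."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(rounds)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right


def edm(k1: bytes, k2: bytes, x: bytes) -> bytes:
    """Encrypted Davies-Meyer [45]: EDM(x) = P2(P1(x) xor x)."""
    return perm(k2, _xor(perm(k1, x), x))


def edmd(k1: bytes, k2: bytes, x: bytes) -> bytes:
    """EDM Dual [46]: EDMD(x) = P2(P1(x)) xor P1(x)."""
    y = perm(k1, x)
    return _xor(perm(k2, y), y)


def keystream(prf, k1: bytes, k2: bytes, nonce: bytes, nblocks: int) -> bytes:
    """Counter-style keystream: block i = prf(nonce || i) for i = 1..nblocks, so every block is
    a PRF output on a fresh input as long as the nonce is never repeated.
    The nonce || 32-bit counter layout and the 2^32 - 1 block limit are assumptions of this example."""
    assert len(nonce) == NONCE_LEN and 0 <= nblocks < 2 ** 32
    return b"".join(prf(k1, k2, nonce + i.to_bytes(4, "big"))
                    for i in range(1, nblocks + 1))


def encrypt_stream(prf, k1: bytes, k2: bytes, nonce: bytes, msg: bytes) -> bytes:
    """XOR the message with the keystream: the encryption part of an Encryption-then-MAC design.
    The MAC part is not shown here."""
    ks = keystream(prf, k1, k2, nonce, -(-len(msg) // BLOCK))
    return _xor(msg, ks)


if __name__ == "__main__":
    k1, k2 = b"\x11" * 32, b"\x22" * 32        # constructed keys
    nonce = bytes(range(NONCE_LEN))            # constructed nonce
    msg = b"example plaintext for the stream part"
    ct = encrypt_stream(edm, k1, k2, nonce, msg)
    assert encrypt_stream(edm, k1, k2, nonce, ct) == msg   # the same keystream decrypts
    print(ct.hex())
```

Both PRFs cost two permutation calls per output block, which is the efficiency halving relative to a plain counter mode noted in the introduction; the `perm_inv` function is included only to make visible that the stand-in is a genuine permutation, since neither EDM nor EDMD ever needs to invert P1 or P2.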

We have the following theorem for information-theoretic security of the function .

Theorem 2. Let be an adversary with access to the function . Assuming that makes at most oracle queries, generating at most blocks, then the PRF-advantage of against is upper-bounded by

The proof of Theorem 2 is similar to that of Theorem 1. Therefore, here we omit it.

The result of Theorem 2 shows that constructed by and is a provably secure PRF up to approximately adversarial queries; that is, achieves close to optimal security. This is consistent with the views of Mennink and Neves [48].

4. OGCM-1: Close to Optimally Secure Variant of GCM

In this section, we utilize the close to optimally secure PRF to build an improved variant of GCM, called OGCM-1. OGCM-1 achieves close to optimal security in the nonce-respecting scenario assuming that the underlying block cipher is a secure PRP. OGCM-1 is a two-pass nonce-based AEAD scheme employing the “Encryption-then-MAC” approach, where the encryption part utilizes the close to optimally secure PRF to set up a stream-cipher encryption mode and the MAC part combines an AXU hash function and the EDM construction to generate an authentication tag.

Let be integers. Fix a block cipher and an -AXU hash function ; the encryption algorithm of OGCM-1 is described as , where is the key space, is the nonce space, is the associated data space, is the plaintext space, is the ciphertext space, and is the tag space. It takes the key , the nonce , the associated data , and the plaintext as input and returns the ciphertext and the tag , where and . The decryption algorithm of OGCM-1 is the inverse of the encryption algorithm . It takes , and as input and returns either or a special symbol . Here always returns a failure of the decryption oracle.

The overview of OGCM-1 is depicted in Figure 1. The encryption and decryption algorithms of OGCM-1 are given in Algorithms 1, 2, and 3. We recommend restricting AES-OGCM-1 to 96-bit nonces; that is, and .

Algorithm 1 (encryption algorithm of OGCM-1)
Input: three keys , a nonce , an associated data , and a plaintext
Output: a ciphertext and a tag
Partition into ,
for and
for to
for to
return
Algorithm 2 (decryption algorithm of OGCM-1)
Input: three keys , a nonce , an associated data , a ciphertext , and a tag
Output: a plaintext or
If , then
Partition into ,
for and
for to
for to
return
else return .
Algorithm 3 (hash function used by OGCM-1)
Input: a hash key , an associated data , and a ciphertext
Output: a hash value
Partition into , for
for to
return

5. Security of OGCM-1

5.1. Security Models of AEAD Schemes

Privacy (confidentiality) and authenticity (integrity) are two important security metrics of AEAD modes. Let be an integer, be the key randomly drawn from , and be a nonce-based AEAD scheme.

Privacy. Let be a random oracle that takes as input and returns a random string of length . Let be an adversary which has access to an oracle (either the encryption oracle or the random oracle ) and returns . We say that is a nonce-respecting adversary if all nonces are always distinct for all encryption queries . Without loss of generality, we assume that is a nonce-respecting adversary and never makes trivial queries for which their responses are obviously known. Then the PRIV-advantage of against is defined as

Authenticity. Let be an adversary which has access to the encryption oracle and the decryption oracle . Firstly, the adversary queries to and returns , where . Then forges a challenge query to . The forgery attempt succeeds if . Without loss of generality, we assume that is a nonce-respecting adversary and never makes trivial queries for which their responses are obviously known. Then the AUTH-advantage of against is defined as
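The two experiments defined above, as an added Python harness (illustrative code written for this page, not code from the paper). It plays the PRIV and AUTH games against a constructed toy AEAD; the toy scheme (a SHA-256-derived counter keystream with an HMAC tag), its key and tag sizes, and the resource bookkeeping for q, l and sigma are all assumptions of the example. The harness enforces the nonce-respecting condition by refusing a repeated nonce and, as the AUTH definition requires, does not count a replayed encryption answer as a forgery.

```python
# Added example (not from the paper): the PRIV and AUTH experiments of Section 5.1 played
# against a constructed toy AEAD, with nonce-respecting enforcement and resource accounting.
import hashlib
import hmac
import os

BLOCK = 16     # n = 128 bits
TAG_LEN = 16   # tau = 128 bits


# Constructed toy AEAD used only to exercise the games (it is neither GCM nor OGCM-1):
# a SHA-256-derived counter keystream for the encryption part and an HMAC tag over (N, A, C).
def toy_encrypt(key: bytes, nonce: bytes, ad: bytes, msg: bytes):
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(msg) // 32 + 1))
    c = bytes(m ^ k for m, k in zip(msg, ks))
    t = hmac.new(key, nonce + ad + c, hashlib.sha256).digest()[:TAG_LEN]
    return c, t


def toy_decrypt(key: bytes, nonce: bytes, ad: bytes, c: bytes, t: bytes):
    """Returns the plaintext, or None as the error symbol when the tag does not verify."""
    expected = hmac.new(key, nonce + ad + c, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, t):
        return None
    return toy_encrypt(key, nonce, ad, c)[0]      # the keystream XOR is its own inverse


def _blocks(msg: bytes) -> int:
    return -(-len(msg) // BLOCK)                  # ceil(|M| / n)


class PrivGame:
    """PRIV experiment. The adversary sends (N, A, M) and receives either E_K(N, A, M) (real
    world) or |M| + tau uniformly random bits (ideal world). Nonce reuse is rejected, and the
    resources q (queries), l (max block length) and sigma (total blocks) are tracked."""

    def __init__(self, key: bytes, real: bool):
        self.key, self.real = key, real
        self.nonces = set()
        self.q = self.l = self.sigma = 0

    def encrypt(self, nonce: bytes, ad: bytes, msg: bytes):
        if nonce in self.nonces:
            raise ValueError("nonce reused: adversary is not nonce-respecting")
        self.nonces.add(nonce)
        self.q += 1
        self.l = max(self.l, _blocks(msg))
        self.sigma += _blocks(msg)
        if self.real:
            return toy_encrypt(self.key, nonce, ad, msg)
        return os.urandom(len(msg)), os.urandom(TAG_LEN)


class AuthGame:
    """AUTH experiment. Encryption answers are recorded; a forgery (N, A, C, T) wins only if it
    is not one of those answers (a trivial query) and the decryption oracle accepts it."""

    def __init__(self, key: bytes):
        self.key = key
        self.nonces = set()
        self.answers = set()

    def encrypt(self, nonce: bytes, ad: bytes, msg: bytes):
        if nonce in self.nonces:
            raise ValueError("nonce reused: adversary is not nonce-respecting")
        self.nonces.add(nonce)
        c, t = toy_encrypt(self.key, nonce, ad, msg)
        self.answers.add((nonce, ad, c, t))
        return c, t

    def forge(self, nonce: bytes, ad: bytes, c: bytes, t: bytes) -> bool:
        if (nonce, ad, c, t) in self.answers:
            return False                          # replay of an oracle answer: trivial query
        return toy_decrypt(self.key, nonce, ad, c, t) is not None
```

The bookkeeping in `PrivGame` is what the bounds in Section 5 are stated in terms of: q counts encryption queries, l the longest query in n-bit blocks and sigma the total number of blocks, and the theorems only apply to adversaries the game would not reject.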

5.2. Main Results and Security Proofs

Assuming that the underlying block cipher is a secure PRP, OGCM-1 achieves close to optimal security in the information-theoretic setting. More precisely, the privacy and authenticity of OGCM-1 are provably secure up to adversarial queries in the nonce-respecting scenario if the underlying block cipher is a secure PRP. First, we present the privacy of OGCM-1 as follows.

Theorem 3 (privacy of OGCM-1). Let be a block cipher and be an -AXU hash function, where and are two nonempty sets of keys. Let be a nonce-respecting adversary which makes at most queries with the maximum block length and the running time to OGCM-1. Then there exists another adversary against the PRP-security of , making at most oracle queries and running in time at most , such that, for any adversary ,

The proof of Theorem 3 includes two steps. Firstly, we replace and with two random and independent permutations on -bit and , where and are randomly and independently drawn from . Let and let OGCM-1[] be the new construction. By the hybrid argument, it is easy to show that there exists another adversary against the PRP-security of , making at most oracle queries and running in time at most , such that

Then, our goal is to upper-bound . Therefore, we introduce Lemma 4 as follows.

Lemma 4. Let be two permutations randomly and independently chosen from . Let be a nonce-respecting adversary which makes at most queries to OGCM-1, generating at most blocks. Then, for any adversary ,

Proof. Our proof utilizes a contradiction argument. The main idea is as follows. If there exists a nonce-respecting adversary against OGCM-1 such that , then we can construct a nonce-respecting adversary against such that , which derives a contradiction with Theorem 1. The details of our proof are described as follows.
Let be the encryption algorithm of OGCM-1 and be a random function that takes as input and always returns a random string of length . Suppose, to the contrary, that there exists a nonce-respecting adversary against OGCM-1 such that where makes queries with the block length to OGCM-1, generating blocks.
Let be a random function, where . Consider an adversary that makes queries to an oracle , either or , generating blocks, where uses as a subroutine (see Algorithm 4).
If is , then provides a perfect simulation of for . Therefore, . Similarly, if is , then provides a perfect simulation of the random function for . Therefore, . It follows that which contradicts Theorem 1. Therefore, our (contradiction) hypothesis does not hold; that is, the original proposition holds where The proof of Lemma 4 is finished.

Algorithm 4 (PRF-adversary against )
/* PRF-adversary against */
If makes the th query :
for to
return
If returns :
output

Therefore, combining (12) and (13), the result of Theorem 3 is derived. The privacy of OGCM-1 is secure up to adversarial queries in the nonce-respecting scenario assuming that the underlying block cipher is a secure PRP. Next, we provide the authenticity of OGCM-1.

Theorem 5 (authenticity of OGCM-1). Let be a block cipher and be an -AXU hash function, where and are two nonempty sets of keys. Let be a nonce-respecting adversary which makes at most encryption queries and one forgery attempt to OGCM-1. The maximum block length is and the running time is at most . Then there exists another adversary against the PRP-security of , making at most oracle queries and running in time at most , such that, for any adversary ,

The proof of Theorem 5 includes two steps. Firstly, we replace and with two random and independent permutations and . Let and let OGCM-1 be the new construction. It is easy to show that there exists another adversary against the PRP-security of , making at most oracle queries and running in time at most , such that

Next, our goal is to upper-bound . Therefore, we introduce Lemma 6 as follows.

Lemma 6. Let be an integer. Let be two permutations randomly and independently chosen from . Let be an -AXU hash function. Let be a nonce-respecting adversary which makes at most encryption queries and one forgery attempt to OGCM-1, generating at most blocks. Then, for any adversary ,

Proof. We assume that the nonce-respecting adversary makes one forgery attempt after encryption queries, generating at most blocks. More precisely, firstly makes queries to the encryption oracle and returns