Research Article  Open Access
Close to Optimally Secure Variants of GCM
Abstract
The Galois/Counter Mode of operation (GCM) is a widely used nonce-based authenticated encryption with associated data mode which provides birthday-bound security in the nonce-respecting scenario; that is, it is secure up to about adversarial queries if all nonces used in the encryption oracle are never repeated, where is the block size. It is an open problem whether the security of GCM can be improved by using some simple operations. This paper gives a positive answer to this problem. First, we introduce two close to optimally secure pseudorandom functions and derive their security bounds by the hybrid technique. Then we use these pseudorandom functions together with a universal hash function to construct two improved versions of GCM, called OGCM1 and OGCM2. OGCM1 and OGCM2 are, respectively, provably secure up to approximately and adversarial queries in the nonce-respecting scenario if the underlying block cipher is a secure pseudorandom permutation. Finally, we discuss the properties of OGCM1 and OGCM2 and describe future work.
1. Introduction
Authenticated Encryption. An authenticated encryption (AE) mode is a cryptographic scheme which guarantees the privacy and authenticity of a message at the same time. So far, a large number of AE schemes have emerged; in particular, the CAESAR competition, which started in 2012, has greatly promoted the development of AE schemes. AE has been widely applied in many environments. Classified by application requirements, this includes AE with associated data (AEAD) [1, 2], parallelizable AE [3–5], online AE [6–9], tweakable AE [9–14], deterministic AE [10, 15, 16], wide-block AE [17], XOR-based AE [18], and dedicated AE algorithms [19]. Classified by design approach, this includes generically composed AE [20], block-cipher-based AE [3–6, 21], stream-cipher-based AE [18, 22], permutation-based AE [23–26], keyed-function-based AE [27, 28], tweakable-block-cipher-based AE [9–14], and hybrid AE [17, 19, 29].
Birthday-Bound Security and Beyond-Birthday-Bound Security. Most AE modes, such as [6, 7, 9, 20, 21, 26], offer only birthday-bound security; that is, they are secure up to roughly adversarial queries, where is the block size. The block cipher in current use is AES (the block size ). If AES is used in a block cipher mode of operation, 128-bit security degrades to at most about 64-bit security, which is unacceptable in some special environments. Therefore, it is vitally important to design AE modes that ensure beyond-birthday-bound (BBB) security. BBB security means that an AE mode is provably secure up to approximately adversarial queries, where is an integer. If an AE mode is provably secure up to roughly adversarial queries, we say that it provides optimal security. In order to achieve stronger security (BBB or optimal security), AE modes usually sacrifice the efficiency of the hardware and software implementation. For example, multiple block cipher calls, or their sum, are often used to construct a BBB-secure pseudorandom function. The more often the underlying block cipher is invoked, the greater the cost. Therefore, the efficiency of BBB-secure AE modes is generally low. In recent years, many AE modes that ensure BBB security have appeared, such as [10–12, 22–24, 30–32].
Problem Statement. The Galois/Counter Mode of operation (GCM) [33], designed by McGrew and Viega, is a nonce-based AEAD scheme. GCM combines counter mode for the encryption part with a polynomial hash function for the authentication part and is among the block cipher AE modes of operation recommended by NIST. Its security depends on the nonce-respecting setting in which all nonces used in the encryption queries are distinct. Iwata et al. [34] pointed out that the previously claimed security bound was flawed and presented a new provable security bound, which was later improved by Niwa et al. [35]. GCM retains birthday-bound security and has better security bounds for 96-bit nonces. As for attacks on GCM, Saarinen showed weak keys of GHASH and cycling attacks on GCM in [36]. Other research related to GCM includes [37–44]. GCM has been widely deployed in IEEE 802.1AE Ethernet security, IEEE 802.11ad, the IETF IPsec standards, SSH, TLS, and so on. GCM is proven to be secure up to roughly adversarial queries in the nonce-respecting scenario, assuming that the underlying block cipher is a secure pseudorandom permutation. In other words, for AES-GCM, the security guarantee is lost after at most only adversarial queries, which is not sufficiently secure in some special settings. Therefore, in this paper, we consider the question of whether we can design a scheme that provides better security (BBB security or optimal security) to improve the security guarantee of GCM.
Our Contributions. This paper gives a positive answer to the above question. We first introduce a basic tool: close to optimally secure pseudorandom functions (PRFs) designed, respectively, from the Encrypted Davies-Meyer (EDM) [45] and EDM Dual (EDMD) [46] constructions. Then we construct two improved versions of GCM, called OGCM1 and OGCM2, which are parallelizable nonce-based close to optimally secure AEAD modes. OGCM1 and OGCM2 are, respectively, provably secure up to approximately and adversarial queries in the nonce-respecting scenario if the underlying block cipher is a secure pseudorandom permutation (PRP). They follow the "Encryption-then-MAC" approach: the encryption part uses a multi-EDM or multi-EDMD function as a close to optimally secure keystream generator, and the MAC part combines an EDM or EDMD construction with an almost-XOR-universal (AXU) hash function to generate the authentication tag.
OGCM1 and OGCM2 balance security against the efficiency of the software and hardware implementation. Take AES-OGCM1 or AES-OGCM2 as an example, that is, the underlying block cipher instantiated with AES. First, from the point of view of security, they achieve at most about 107.9565-bit or 121.9339-bit security, which is better than that of AES-GCM (at most about 64-bit security). In the nonce-respecting scenario, they can encrypt at most plaintexts (as the nonce length is 96 bits), and the maximum block length of each plaintext is about blocks (64 GBytes). Second, from the point of view of efficiency, they invoke block ciphers and finite-field multiplications, where is the number of plaintext blocks and is the number of associated data blocks. Compared with AES-GCM, their efficiency is about half. Therefore, AES-OGCM1 and AES-OGCM2 sacrifice efficiency of the software and hardware implementation to achieve strong security. The comparison among AES-GCM, AES-OGCM1, and AES-OGCM2 is shown in Table 1.

Organization of This Paper. Some preliminaries are presented in Section 2. The basic tool is provided in Section 3. OGCM1 is described in Section 4, and its security results are derived in Section 5. OGCM2 and its security are shown in Section 6. Section 7 gives some discussion and future work. Finally, Section 8 concludes the paper.
2. Preliminaries
Notation. Let be the set of all finite strings (including the empty string ). For a finite string , denotes its length in bits and denotes its length in bit blocks for any integer , where denotes the operation that rounds a number up to an integer. The bit zero string is written as . For two finite strings and , or denotes their concatenation. If and are two equal-length strings, denotes their XOR. For a finite string with , denotes the most significant bit of . Given two positive integers and such that , denotes the bit binary representation of . Let be the increment function, which takes an bit input and returns its value incremented by one mod . For , denotes that is incremented times. For a finite set , denotes a value drawn uniformly at random from and denotes the number of elements in . Let be the set of all integers from to ; that is, . Let be the event that an adversary outputs 1 after interacting with the oracle .
Block Ciphers and Keyed Functions. A block cipher is a mapping , which takes a key and a plaintext as input and returns a ciphertext . For any fixed , is an bit permutation and its inverse is written as . Let be the set of all bit permutations. Suppose that is an adversary which has access to an encryption oracle. Let and ; then the PRP-advantage of against is defined as where the probabilities are taken over the random choices of and and also over the internal coins of , if any. If is negligible, the block cipher is a secure pseudorandom permutation (PRP).
A keyed function is a mapping , which takes a key and a plaintext as input and returns a ciphertext . For any fixed , is a function from to . Let be the set of all functions from to . If , we write . Suppose that is an adversary which has access to an encryption oracle. Let and ; then the PRF-advantage of against is defined as where the probabilities are taken over the random choices of and and also over the internal coins of , if any. If is negligible, the keyed function is a secure pseudorandom function (PRF).
If the resources owned by all adversaries are at most , the maximum advantage is defined as , where includes the running time , the total number of oracle queries , the maximum block length , and the total number of blocks in all queries (query complexity) .
Universal Hash Functions. Let ; a keyed hash function is a mapping which takes a key and a message as input and returns an output . We say is an almost-XOR-universal (AXU) hash function if, for any and and for any two distinct and , . If , is called a uniform AXU (AXU for short) hash function.
Finite Field. Given a basis, the finite field can be identified with the set . An bit string defines the polynomial , where for any . Hence, any integer between 0 and can also be viewed as a polynomial with binary coefficients of degree at most . For example, 2 corresponds to , 3 corresponds to , and 7 corresponds to . Addition in the field is addition of polynomials over , which we denote by bitwise XOR, that is, , where . In order to define multiplication over , we need an irreducible polynomial of degree over . For , . The product of two elements and is defined as the polynomial product over reduced modulo , that is, mod .
Authenticated Encryption. A conventional nonce-based authenticated encryption with associated data (AEAD) scheme consists of an encryption algorithm and a decryption algorithm ; that is, where is a key, is a nonce, is associated data, , is a plaintext, , is a ciphertext, , is a tag, , and is an error symbol which indicates failure of the decryption oracle. iff . A secure AEAD scheme returns whenever it receives an invalid input. If there is no associated data, is taken to be the empty string.
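The following Python example is added here and is not part of the paper: it implements multiplication in the finite field the way GCM's GHASH computes it, and then the polynomial hash over associated data, ciphertext and the length block. Two conventions come from the GCM specification rather than from the paragraph above: GCM fixes the irreducible polynomial x^128 + x^7 + x^2 + x + 1, and it encodes field elements bit-reflected, so the leftmost bit of a block is the coefficient of x^0 and multiplying by x is a right shift (the polynomial view above, where 2 corresponds to x, is the unreflected one). The hash key H is the GCM specification's test value (AES-128 of the zero block under the all-zero key), hard-coded so the example runs without an AES implementation.

```python
# Added example, not the paper's code: GF(2^128) arithmetic and GHASH as used by GCM.

# GCM's reduction constant: x^128 = x^7 + x^2 + x + 1 in the bit-reflected encoding
# (the leftmost bit of a 128-bit block is the x^0 coefficient).
R = 0xE1 << 120


def gf128_mul(x: int, y: int) -> int:
    """Product of two field elements, each a 128-bit integer read big-endian from its block."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:                 # i-th bit of x counted from the left
            z ^= v                               # add y * x^i to the result
        v = (v >> 1) ^ R if v & 1 else v >> 1    # v := v * x mod P(x)
    return z


def _blocks(data: bytes):
    """Split data into 128-bit blocks, zero-padding the final partial block."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big")


def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """GHASH_H(A, C): Horner evaluation Y_i = (Y_{i-1} XOR X_i) * H over the blocks of
    A || 0-pad, C || 0-pad and the final block len64(A) || len64(C) (lengths in bits)."""
    y = 0
    length_block = ((len(aad) * 8) << 64) | (len(ct) * 8)
    for x in list(_blocks(aad)) + list(_blocks(ct)) + [length_block]:
        y = gf128_mul(y ^ x, h)
    return y


# Hash key from the GCM specification's test vectors: AES-128 under the zero key of 0^128.
H = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
ONE = 1 << 127   # the field element 1 in the reflected encoding (leftmost bit set)


def self_check() -> bool:
    """Sanity checks against GCM specification test cases 1 and 2 (empty A; empty or one-block C)."""
    empty = ghash(H, b"", b"") == 0
    c2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
    known = ghash(H, b"", c2) == 0xF38CBB1AD69223DCC3457AE5B6B0F885
    identity = gf128_mul(H, ONE) == H and gf128_mul(ONE, H) == H
    return empty and known and identity


if __name__ == "__main__":
    print("GHASH checks pass:", self_check())
```

GHASH is the AXU hash function of the definition above with the field element H as its key: for fixed H the hash is a polynomial in H evaluated Horner-style, so the XOR of the hashes of two distinct inputs is a nonzero polynomial in H of degree bounded by the block count, which is where the AXU bound comes from. The bit-reflected multiply is the part most often got wrong in hand-written implementations, which is why the block checks itself against published test vectors.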
3. Basic Tool: Close to Optimally Secure PRFs
3.1. Multi-Encrypted-Davies-Meyer (Multi-EDM) Function
In this section, we set up a new function constructed from the EDM construction [45].
Assuming that and are two independent and random permutations on bit, we define a function as , where for , and . Note that we must ensure .
We have the following theorem on the information-theoretic security of the function .
Theorem 1. Let be an adversary with access to the function . Let be any threshold. Assuming that makes at most oracle queries, generating at most blocks, the PRF-advantage of against is upper-bounded by
Theorem 1 shows that constructed from and achieves BBB security. If and , then the PRF-advantage of against is upper-bounded by , which means that is a provably BBB-secure PRF up to approximately adversarial queries. If and , then the PRF-advantage of against is upper-bounded by , which means that is a close to optimally secure PRF up to approximately adversarial queries.
The proof of Theorem 1 uses the hybrid technique. The security of the function is reduced to the security of the EDM construction [46], whose proof relies on Patarin's mirror theory.
Proof. Let and ; then the PRF-advantage of against the function is Let be the reduced EDM construction obtained by fixing bits. Let be an adversary which has access to either the reduced EDM function or the random function and makes queries for the th . By the security of the EDM construction, if and , we have We construct a hybrid function as follows: the first functions are and the remaining functions are , that is, . If , then . If , then . Then the PRF-advantage of against is upper-bounded by where the inequality follows from . This completes the proof.
3.2. Multi-EDM-Dual (Multi-EDMD) Function
In this section, we set up another new function constructed from the EDMD construction [46].
Assuming that and are two independent and random permutations on bit, we define a function as , where for , , , and .
We have the following theorem on the information-theoretic security of the function .
Theorem 2. Let be an adversary with access to the function . Assuming that makes at most oracle queries, generating at most blocks, the PRF-advantage of against is upper-bounded by
The proof of Theorem 2 is similar to that of Theorem 1 and is omitted.
Theorem 2 shows that constructed from and is a provably secure PRF up to approximately adversarial queries; that is, achieves close to optimal security. This is consistent with the results of Mennink and Neves [48].
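As an added illustration of the building blocks in Sections 3.1 and 3.2 (example code, not the paper's own), the following Python implements the single-block EDM construction EDM(x) = P2(P1(x) XOR x) of [45] and its dual EDMD(x) = P2(P1(x)) XOR P1(x) of [46] from two independent random permutations, and contrasts them with a bare permutation used as a counter-mode keystream. The 8-bit toy block size is an assumption chosen so that the whole domain can be enumerated; the paper's multi-EDM and multi-EDMD functions add a bit-fixing and block-counting layer on top of these primitives that is not reproduced here. What the code demonstrates is the mechanism behind the birthday bound: a permutation in counter mode never repeats a keystream block, an adversary can detect that absence of collisions after roughly the birthday number of queries, whereas EDM and EDMD behave like random functions and do collide.

```python
# Added example, not the paper's code: EDM and EDMD from two random permutations on a
# toy 8-bit block (an assumption, so the domain can be enumerated exhaustively).
import random

N_BITS = 8                 # toy block size; in the paper n is the block cipher's block size
DOMAIN = 1 << N_BITS


def random_permutation(seed: int) -> list:
    """A uniformly random permutation of {0, ..., 2^n - 1}, fixed by the seed."""
    table = list(range(DOMAIN))
    random.Random(seed).shuffle(table)
    return table


def edm(p1: list, p2: list, x: int) -> int:
    """Encrypted Davies-Meyer [45]: EDM(x) = P2(P1(x) XOR x)."""
    return p2[p1[x] ^ x]


def edmd(p1: list, p2: list, x: int) -> int:
    """EDM Dual [46]: EDMD(x) = P2(P1(x)) XOR P1(x)."""
    y = p1[x]
    return p2[y] ^ y


def keystream(prf, nblocks: int) -> list:
    """Counter-mode keystream: block i is prf(i).  OGCM1/OGCM2 drive their PRF with a
    counter in the same spirit; the paper's exact counter encoding is not reproduced."""
    return [prf(i) for i in range(nblocks)]


def collision_count(blocks: list) -> int:
    """Number of colliding pairs among keystream blocks.  Counting collisions is the
    birthday distinguisher: a PRP in counter mode yields none, a PRF does."""
    seen = {}
    for b in blocks:
        seen[b] = seen.get(b, 0) + 1
    return sum(c * (c - 1) // 2 for c in seen.values())


P1 = random_permutation(1)   # the two independent random permutations of Sections 3.1/3.2
P2 = random_permutation(2)


def demo() -> dict:
    """Collision counts over the full toy domain for the three keystream generators."""
    n = DOMAIN
    return {
        "prp": collision_count(keystream(lambda i: P1[i], n)),
        "edm": collision_count(keystream(lambda i: edm(P1, P2, i), n)),
        "edmd": collision_count(keystream(lambda i: edmd(P1, P2, i), n)),
    }


if __name__ == "__main__":
    print(demo())
```

With 8-bit blocks the "prp" count is exactly 0 while the "edm" and "edmd" counts are positive, since P1(x) XOR x (and likewise P2(y) XOR y) is not injective for a random permutation. At n = 128 the same distinguisher needs on the order of 2^64 keystream blocks against a plain block cipher in counter mode, which is the 64-bit limit the paper cites for AES-GCM and the reason its constructions replace the bare permutation by an EDM- or EDMD-based PRF.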
4. OGCM1: Close to Optimally Secure Variant of GCM
In this section, we use the close to optimally secure PRF to build an improved variant of GCM, called OGCM1. OGCM1 achieves close to optimal security in the nonce-respecting scenario assuming that the underlying block cipher is a secure PRP. OGCM1 is a two-pass nonce-based AEAD scheme employing the "Encryption-then-MAC" approach, where the encryption part uses the close to optimally secure PRF as a stream-cipher encryption mode and the MAC part combines an AXU hash function with the EDM construction to generate the authentication tag.
Let be integers. Fix a block cipher and an AXU hash function ; the encryption algorithm of OGCM1 is described as , where is the key space, is the nonce space, is the associated data space, is the plaintext space, is the ciphertext space, and is the tag space. It takes the key , the nonce , the associated data , and the plaintext as input and returns the ciphertext and the tag , where and . The decryption algorithm of OGCM1 is the inverse of the encryption algorithm . It takes , and as input and returns either or the special symbol , which indicates a decryption failure.
An overview of OGCM1 is depicted in Figure 1. The encryption and decryption algorithms of OGCM1 are given in Algorithms 1, 2, and 3. We recommend restricting AES-OGCM1 to 96-bit nonces; that is, and .



5. Security of OGCM1
5.1. Security Models of AEAD Schemes
Privacy (confidentiality) and authenticity (integrity) are the two main security goals of AEAD modes. Let be an integer, be a key drawn uniformly at random from , and be a nonce-based AEAD scheme.
Privacy. Let be a random oracle that takes as input and returns a random string of length . Let be an adversary which has access to an oracle (either the encryption oracle or the random oracle ) and returns . We say that is a nonce-respecting adversary if the nonces in all encryption queries are distinct. Without loss of generality, we assume that is nonce-respecting and never makes trivial queries whose responses are already known. Then the PRIV-advantage of against is defined as
Authenticity. Let be an adversary which has access to the encryption oracle and the decryption oracle . First, the adversary queries to and returns , where . Then forges a challenge query to . The forgery attempt succeeds if . Without loss of generality, we assume that is nonce-respecting and never makes trivial queries whose responses are already known. Then the AUTH-advantage of against is defined as
5.2. Main Results and Security Proofs
Assuming that the underlying block cipher is a secure PRP, OGCM1 achieves close to optimal security in the information-theoretic setting. More precisely, both the privacy and the authenticity of OGCM1 are provably secure up to adversarial queries in the nonce-respecting scenario if the underlying block cipher is a secure PRP. We first present the privacy of OGCM1.
Theorem 3 (privacy of OGCM1). Let be a block cipher and be an AXU hash function, where and are two nonempty sets of keys. Let be a nonce-respecting adversary which makes at most queries to OGCM1 with maximum block length and running time . Then there exists another adversary against the PRP-security of , making at most oracle queries and running in time at most , such that, for any adversary ,
The proof of Theorem 3 consists of two steps. First, we replace and with two random and independent permutations on bit and , where and are drawn independently and uniformly at random from . Let and let OGCM1[] be the new construction. By the hybrid argument, it is easy to show that there exists another adversary against the PRP-security of , making at most oracle queries and running in time at most , such that . Our goal is then to upper-bound , for which we introduce Lemma 4.
Lemma 4. Let be two permutations randomly and independently chosen from . Let be a noncerespecting adversary which makes at most queries to OGCM1, generating at most blocks. Then, for any adversary ,
Proof. Our proof is by contradiction. The main idea is as follows. If there exists a nonce-respecting adversary against OGCM1 such that , then we can construct a nonce-respecting adversary against such that , which contradicts Theorem 1. The details are as follows.
Let be the encryption algorithm of OGCM1 and be a random function that takes as input and always returns a random string of length . Suppose, to the contrary, that there exists a nonce-respecting adversary against OGCM1 such that where makes queries with block length to OGCM1, generating blocks.
Let be a random function, where . Consider an adversary that makes queries to an oracle , either or , generating blocks, and uses as a subroutine (see Algorithm 4).
If is , then provides a perfect simulation of for . Therefore, . Similarly, if is , then provides a perfect simulation of the random function for . Therefore, . It follows that which contradicts Theorem 1. Hence the hypothesis does not hold and the original proposition is true, where This completes the proof of Lemma 4.

Therefore, combining (12) and (13), the result of Theorem 3 follows. The privacy of OGCM1 is secure up to adversarial queries in the nonce-respecting scenario assuming that the underlying block cipher is a secure PRP. Next, we turn to the authenticity of OGCM1.
Theorem 5 (authenticity of OGCM1). Let be a block cipher and be an AXU hash function, where and are two nonempty sets of keys. Let be a nonce-respecting adversary which makes at most encryption queries and one forgery attempt to OGCM1. The maximum block length is and the running time is at most . Then there exists another adversary against the PRP-security of , making at most oracle queries and running in time at most , such that, for any adversary ,
The proof of Theorem 5 consists of two steps. First, we replace and with two random and independent permutations and . Let and let OGCM1 be the new construction. It is easy to show that there exists another adversary against the PRP-security of , making at most oracle queries and running in time at most , such that . Our goal is then to upper-bound , for which we introduce Lemma 6.
Lemma 6. Let be an integer. Let be two permutations randomly and independently chosen from . Let be an AXU hash function. Let be a nonce-respecting adversary which makes at most encryption queries and one forgery attempt to OGCM1, generating at most blocks. Then, for any adversary ,
Proof. We assume that the nonce-respecting adversary makes one forgery attempt after encryption queries, generating at most blocks. More precisely, first makes queries to the encryption oracle and returns