GCM-SIV1.5: Optimal Tradeoff between GCM-SIV1 and GCM-SIV2

Abstract

GCM-SIV2 is a nonce-based beyond-birthday-bound (BBB)-secure authenticated encryption (AE) mode introduced by Iwata and Minematsu at FSE 2017. However, it is built by combining two instances of GCM-SIV1 and needs eight keys, which increases the costs of hardware and software implementation. This paper aims to reduce these costs by optimizing components (such as key materials, hash calls, and block cipher calls) and proposes an optimal tradeoff between GCM-SIV1 and GCM-SIV2 called GCM-SIV1.5. Moreover, we introduce the faulty nonce setting to AE and prove the BBB security of GCM-SIV1.5 with graceful security degradation in the faulty nonce setting by mirror theory. Finally, we discuss advantages of GCM-SIV1.5.

1. Introduction

The Galois Counter Mode (GCM) of operation introduced by McGrew and Viega is a very famous authenticated encryption (AE) mode [1]. Due to its friendly hardware implementation, superior software performance, no patent, and provable security, it has been widely used in high-speed network application environments. For example, GCM with the Advanced Encryption Standard (AES) has been used in IETF Transport Layer Security protocol TLS 1.3. Now, GCM has been included in the recommendations of NIST, ISO/IEC, IEEE, and IETF. As GCM is widely deployed, the CAESAR competition takes it as the baseline algorithm, which further promotes the research of GCM. There exist a large number of research results related to GCM [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16].

GCM is a nonce-based AE mode. It takes a nonce as an extra input and requires that the nonce used in the encryption oracle is distinct (nonce-respecting setting). If the nonce length is restricted to 96 bits, GCM is provably birthday-bound secure up to approximately $2^{n/2}$ adversarial queries in the nonce-respecting setting [3,5], where n is the block-size of the underlying block cipher.

However, the nonce-respecting assumption does not fit the actual situation. The nonce is often misused in real life, bringing serious security threats. Joux found that, if the nonce is misused, then the hash key of GCM can be leaked and the leaked hash key can be utilized to achieve a universal forgery attack [2]. To settle the nonce misuse problem of GCM at little cost, Gueron and Lindell introduced a nonce-misuse-resistant AE (NMAE or MRAE) scheme GCM-SIV at CCS 2015 [11]. GCM-SIV covers GCM components and follows the SIV approach by Rogaway and Shrimpton [17]. In fact, as the syntax and the security model of NMAE became formalized, more and more NMAE schemes were proposed, such as [11,12,13,14,15,16,17,18,19,20,21,22,23]. GCM-SIV is just the first NMAE scheme that introduces SIV into GCM. GCM-SIV is proven secure even if the nonce is repeated. In 2016, Iwata and Minematsu pointed out that there exists a trivial distinguishing attack with approximately $2^{(n-k)/2}$ adversarial queries in GCM-SIV, where k is the bits of keys, and then presented an improved variant of GCM-SIV, called GCM-SIV1, which is proven secure up to $2^{n/2}$ (birthday bound) adversarial queries in the nonce misuse setting [12]. Furthermore, they considered a stronger security bound, and then proposed beyond-birthday-bound (BBB)-secure GCM-SIVr schemes that combine $r\ge 2$ instances of GCM-SIV1. BBB indicates that cryptographic schemes can resist beyond $O\left(2^{n/2}\right)$ adversarial queries. The BBB-secure AE schemes are very rich, such as CHM [24], GCM-SIVr [12], SCT [20], ZAE [21], and PFBw [25]. GCM-SIVr is proven BBB-secure against $O\left(2^{\frac{rn}{r+1}}\right)$ adversarial queries in the nonce misuse setting. Later, an updated variant of GCM-SIV called AES-GCM-SIV was proposed by Gueron et al., and AES-GCM-SIV was eventually accepted as a recommended standardization of IETF Crypto Forum Research Group [13,15]. Iwata and Seurin also made some important contributions to the promotion of standardization. They pointed out the problems in the earlier version, corrected them, and gave some suggestions for improving the key derivation function [14]. These problems and suggestions are accepted to further improve AES-GCM-SIV [15]. Unlike GCM-SIV, AES-GCM-SIV utilizes a key derivation function to generate the hash key and the encryption key, utilizes POLYVAL instead of GHASH, and invokes the full authentication tag as an initial counter. At Eurocrypt 2018, Bose et al. further considered the multi-user security, faster key derivation, and better bounds of AES-GCM-SIV [16].

Although there exists a large amount of research literature on the nonce misuse setting, the number of nonce misuse is often described vaguely. An effective measure of nonce misuse is the maximum number of its multi-collisions. To specify the level of nonce misuse, Dutta et al. introduced a quantitative index of nonce misuse for message authentication code (MAC) algorithms called the number of faulty nonces [23]. In the faulty nonce setting, a query is called as a faulty query if the nonce in this query is the same as the nonce in the previous queries, i.e., the nonce is re-used. The symbol $\mu$ is usually used to indicate the number of faulty nonces. Therefore, the faulty nonce setting covers nonce-respecting and nonce misuse settings. For an adversary that makes, at most, $\mu$ faulty queries, (1) if $\mu =0$, then the adversary is called a nonce-respecting adversary; (2) if $\mu \ge 1$, then the adversary is called a nonce-misusing adversary. Dutta et al. presented a nonce-based MAC scheme, nEHtM, that ensures BBB security with graceful degradation in the faulty nonce setting [23]. Furthermore, they introduced an nEHtM-based AE scheme, CWC+, whose privacy is optimally secure in the nonce-respecting setting and whose authenticity is BBB-secure with graceful degradation in the faulty nonce setting. To ensure the faulty nonce misuse resistance of privacy and authenticity, Choi et al. introduced the first fully faulty nonce-misuse-resistant AE scheme SCM [22]. It utilizes a hash key and three encryption keys. From the perspective of the security, SCM ensures close-to optimal n-bit security in the nonce-respecting setting and supports graceful BBB security degradation (not only for privacy but also for authenticity) in the faulty nonce setting. In recent years, the research about the faulty nonce-misuse-resistant schemes mainly focuses on MACs [26,27]. This paper aims to introduce the faulty nonce setting to GCM-SIVr, and presents an improved AE scheme that ensures full BBB security with graceful degradation in the faulty nonce setting and utilizes as few keys as possible.

Our Contribution. We focus on the optimization of GCM-SIVr in the faulty nonce setting, and propose an optimal tradeoff between GCM-SIV1 and GCM-SIV2 called GCM-SIV1.5, which ensures full BBB security with graceful degradation in the faulty nonce setting. Specifically, our contribution includes:

• From the point of view of the design, we introduce a BBB-secure sum of permutation (SoP) construction to encryption and authentication parts of GCM-SIV1.5, which makes GCM-SIV1.5 BBB secure. GCM-SIV1.5 follows “MAC-then-Encrypt” (MtE). The authentication part of GCM-SIV1.5 utilizes the construction $F_{B2}^{SoP}$ proposed by Chen et al. [27] to ensure BBB security, and the encryption part of GCM-SIV1.5 is generated by SoP-based counter mode with an initial vector and a nonce $CT{R}^{SoP}$ to provide BBB security. Moreover, to minimize costs of key management and implementation on software and hardware, and to maximize the running speed, GCM-SIV1.5 just utilizes two block cipher keys and a hash key, invokes a hash function and twice plaintext blocks, and generates an authentication tag. More importantly, all encryption operations involving the nonce can be carried out offline, which saves half of the online computing resources.
• From the point of view of the security, we prove that GCM-SIV1.5 enjoys BBB security with graceful degradation in the nonce faulty setting by using mirror theory, alternating events lemma, and the H-coefficient technique. Assuming that the underlying block cipher is a secure pseudorandom permutation (PRP) and the hash function is XOR-universal, then GCM-SIV1.5 is proven secure up to approximately $3n/4$-bit query complexity and approximately n-bit forgery attempts for $\mu$-nonce faulty adversaries with $\mu \le 2^{n/4}$. In the real world, if the underlying block cipher is instantiated with AES-128, then GCM-SIV1.5 achieves, at most, approximately 96-bit security for $\mu$-nonce faulty adversaries with $\mu \le 2^{32}$.

In order to better demonstrate the superiority of our design, we give a fair and thorough comparison between GCM-SIV1.5 and existing typical blockcipher-based AE schemes from the following aspects: the depended assumption (PRP means pseudorandom permutation, PRF means pseudorandom function, TPRP means tweakable PRP, and ICM means ideal cipher model), the number of the encryption keys (#Encryption keys), the number of the hash keys (#Hash keys), the number of the underlying primitive (block cipher) calls (#Primitive calls), the number of the hash calls (#Hash calls), the sizes of the authentication tag and nonce, security bound under the nonce-respecting scenario (NR security), security bound under the nonce misuse scenario (NM security), and graceful degradation. The details are shown in

Table 1. Comparison between GCM-SIV1.5 and existing typical nonce-based AE schemes, where PRP means pseudorandom permutation, PRF means pseudorandom function, TPRP means tweakable PRP, ICM means ideal cipher model, # means counting, m is blocks of the plaintext, a is blocks of associated data, and n is the block-size of the underlying primitive.

	Assumption	#Encryption Keys	#Hash Keys	#Primitive Calls	#Hash Calls
GCM [5]	PRP	1	1	$m+1$	1
ELmD [19]	PRP	1	0	$a+2m+2$	0
OCB3 [28]	PRP	1	1 ${}^1$	$a+m+2$	1 ${}^2$
$\mathsf{\Theta }$CB3 [28]	TPRP	1	1 ${}^1$	$a+m+1$	1 ${}^2$
mGCM [29]	PRP	1	1	$m+1$	1
GCM-SIV [11]	PRF	2	1	$m+1$	1
AES-GCM-SIV [15]	ICM	1 ${}^3$	1 ${}^4$	$m+1$	1
GCM-SIV1 [12]	PRP	2	1	$m+1$	1
GCM-SIV2 [12]	PRP	6	2	$2m+4$	2
GCM-SIVr [12]	PRP	$r^2+r$	r	$rm+r^2$	r
CWC+ [23]	PRP	1	1 ${}^5$	$m+3$	1
SCM [22]	PRP	3	1	$m+5$	1
GCM-SIV1.5	PRP	2	1	$2m+2$	1
	Tag Size	Nonce Size	NR Security	NM Security	Graceful Degradation
GCM [5]	≤n	$3n/4$	$O\left(2^{n/2}\right)$	-	×
ELmD [19]	n	n	$O\left(2^{n/2}\right)$	$O\left(2^{n/2}\right)$	×
OCB3 [28]	≤n	≤n	$O\left(2^{n/2}\right)$	-	×
$\mathsf{\Theta }$CB3 [28]	≤n	≤n	$O\left(2^n\right)$	-	×
mGCM [29]	n	n	$O\left(2^n\right)$	-	×
GCM-SIV [11]	n	n	$O\left(2^{n/2}\right)$	$O\left(2^{n/2}\right)$	×
AES-GCM-SIV [15]	n	$3n/4$	$O\left(2^{3n/4}\right)$	$O\left(2^{n/2}\right)\sim O\left(2^{3n/4}\right)$	✔
GCM-SIV1 [12]	n	n	$O\left(2^{n/2}\right)$	$O\left(2^{n/2}\right)$	×
GCM-SIV2 [12]	$2n$	n	$O\left(2^{2n/3}\right)$	$O\left(2^{2n/3}\right)$	×
GCM-SIVr [12]	$rn$	n	$O\left(2^{rn/r+1}\right)$	$O\left(2^{rn/r+1}\right)$	×
CWC+ [23]	≤n	$3n/4$	$O\left(2^{2n/3}\right)$	$O\left(2^{n/2}\right)\sim O\left(2^{2n/3}\right){}^6$	✔
SCM [22]	n	$n-2$	$O\left(2^n\right)$	$O\left(2^{n/2}\right)\sim O\left(2^n\right)$	✔
GCM-SIV1.5	n	$3n/4$	$O\left(2^{3n/4}\right)$	$O\left(2^{n/2}\right)\sim O\left(2^{3n/4}\right)$	✔

¹ The hash key is the encryption key. ² The hash function is achieved by invoking a underlying primitives. ³ The encryption key is generated by invoking a key derivation function. ⁴ The hash key is generated by invoking a key derivation function. ⁵ The hash key is generated by the encryption key. ⁶ This security bound is just that of authenticity. The privacy of CWC₊ is insecure in the nonce misuse setting.

. Compared with GCM-SIV, GCM-SIV1, GCM-SIV2, and GCM-SIVr, GCM-SIV1.5 utilizes fewer keys, fewer blockcipher and hash calls, and shorter sizes, provides a better security bound, and supports graceful security degradation. Therefore, GCM-SIV1.5 reduces the costs of key management and communication throughput, increases the running speed, and ensures a graceful security. Compared with CWC+, GCM-SIV1.5 provides a better security bound and supports fully faulty nonce misuse resistance and graceful security degradation for both privacy and authenticity. Compared with SCM, GCM-SIV1.5 saves an encryption key, supports offline operations involving the nonce’s encryption, and saves half of the online computing resources. In a word, our design has an excellent comprehensive performance.

The rest of this paper is organized as follows. Section 2 presents some preliminaries. Section 3 introduces mirror theory and its graph description. Section 4 shows the decomposition of nAE security. Section 5 described GCM-SIVr. Section 6 proposes our construction, GCM-SIV1.5. Section 7 derives the security proof. Section 8 concludes this paper.

2. Preliminaries

Notations. Some notations are described in

Table 2. Descriptions of notations.

Notations	Descriptions
⊕	the bitwise exclusive or (XOR)
+	addition modulo $2^n$
·	the multiplication over the finite field
$\left|\right|$	the concatenation of strings
${\{0,1\}}^{*}$	a set of all strings (including an empty string)
${\{0,1\}}^n$	a set of all strings whose bit-length is n
$Perm\left(n\right)$	a set of all permutations whose workspace is n
$Func(m,n)$	a set of all functions from m-bit inputs to n-bit outputs
$K\twoheadleftarrow \mathcal{K}$	the key K randomly sampled from the key space $\mathcal{K}$
${\mathcal{A}}^O=1$	an event where an adversary $\mathcal{A}$ outputs 1 after interacting with the oracle O
${\left[i\right]}_m$	an m-bit binary representation of an integer i
$\left[r\right]$	a set of consecutive integers $\{1,2,\cdots ,r\}$
$\left|X\right|$	the number of elements in the set X
${\left(2^n\right)}_q$	$2^n·(2^n-1)\cdots (2^n-q+1)$

.

Nonce-Based Authenticated Encryption (nAE). A nonce-based authenticated encryption (nAE) with associated data scheme $\mathsf{\Pi }=(\mathcal{K},\mathcal{E},\mathcal{D})$ consists of an encryption algorithm $\mathcal{E}$ and a decryption algorithm $\mathcal{D}$, where $\mathcal{K}$ is a non-empty set of keys. Let $K\in \mathcal{K}$. The encryption algorithm $\mathcal{E}$ takes a key K, a nonce N, associated data A, and a message M as the input and outputs a ciphertext and an authentication tag $(C,T)={\mathcal{E}}_K(N,A,M)$. The decryption algorithm $\mathcal{D}$ takes a key K, a nonce N, associated data A, a ciphertext C, and an authentication tag T as the input and outputs a message or a reject symbol $M/\perp ={\mathcal{D}}_K(N,A,C,T)$. Here, ${\mathcal{D}}_K(N,A,{\mathcal{E}}_K(N,A,M))=M$.

An nAE adversary $\mathcal{A}$ has access to encryption and decryption oracles $({\mathcal{E}}_K,{\mathcal{D}}_K)$ or random and reject oracles $(\mathrm{\$},\perp )$, whose goal is to distinguish them. The random oracle $ takes $(N,A,M)$ as the input and always outputs random strings $(C,T)\twoheadleftarrow {\{0,1\}}^{\left|M\right|+\left|T\right|}$. The reject oracle ⊥ takes $(N,A,C,T)$ as the input and always outputs a reject symbol ⊥. The nAE advantage of $\mathcal{A}$ against $\mathsf{\Pi }$ is defined as

$$\begin{array}{cc}\hfill Ad{v}_{\mathsf{\Pi }}^{nAE}\left(\mathcal{A}\right)& =|Pr[K\twoheadleftarrow \mathcal{K}:{\mathcal{A}}^{{\mathcal{E}}_K,{\mathcal{D}}_K}=1]-Pr[{\mathcal{A}}^{\mathrm{\$},\perp }=1]|.\hfill \end{array}$$

We assume that $\mathcal{A}$ makes q encryption queries $(N^1,A^1,M^1),\cdots ,(N^q,A^q,M^q)$ to ${\mathcal{E}}_K$ and returns $(C^1,T^1),\cdots ,(C^q,T^q)$, and then makes $q_v$ forgery attempts $(N^{\prime 1},A^{\prime 1},C^{\prime 1},T^{\prime 1}),\cdots$, $(N^{\prime q_v},A^{\prime q_v},C^{\prime q_v},T^{\prime q_v})$ to ${\mathcal{D}}_K$. For a nonce-based AE scheme, we call an AE query a faulty query if $\mathcal{A}$ has already queried its oracle with the same nonce, and assume that $\mathcal{A}$ can be allowed to make, at most, $\mu$ faulty queries. Then, $\mu =0$ ($N^1,\cdots ,N^q$ are distinct) corresponds to the nonce-respecting setting and $\mu \ge 1$ (there exists at least one collision in $N^1,\cdots ,N^q$) corresponds to the nonce misuse setting.

Nonce-Based Encryption (nE). A nonce-based encryption (nE) scheme $\mathbf{E}=({\mathcal{K}}_{\mathbf{E}},\mathbf{E}-\mathcal{E},\mathbf{E}-\mathcal{D})$ consists of an encryption algorithm $\mathbf{E}-\mathcal{E}$ and a decryption algorithm $\mathbf{E}-\mathcal{D}$. The encryption algorithm $\mathbf{E}-\mathcal{E}$ takes a key $K_{\mathbf{E}}$, a nonce N, associated data A, and a message M as the input and outputs a ciphertext $C=\mathbf{E}-{\mathcal{E}}_{K_{\mathbf{E}}}(N,A,M)$. The decryption algorithm $\mathbf{E}-\mathcal{D}$ takes a key $K_{\mathbf{E}}$, a nonce N, associated data A, and a ciphertext C as the input and outputs a message $M=\mathbf{E}-{\mathcal{D}}_{K_{\mathbf{E}}}(N,A,C)$. Here, $\mathbf{E}-{\mathcal{D}}_{K_{\mathbf{E}}}(N,A,\mathbf{E}-{\mathcal{E}}_{K_{\mathbf{E}}}(N,A,M))=M$.

An nE adversary $\mathcal{A}$ has access to encryption oracle $\mathbf{E}-{\mathcal{E}}_{K_{\mathbf{E}}}$ or a random oracle $, whose goal is to distinguish them. The random oracle $ takes $(N,A,M)$ as the input and always outputs random strings $C\twoheadleftarrow {\{0,1\}}^{\left|C\right|}$. We define the nE-advantage of $\mathcal{A}$ as

$$\begin{array}{c}\hfill Ad{v}_{\mathbf{E}}^{nE}\left(\mathcal{A}\right)=|Pr[K_{\mathbf{E}}\twoheadleftarrow {\mathcal{K}}_{\mathbf{E}}:{\mathcal{A}}^{\mathbf{E}-{\mathcal{E}}_{K_{\mathbf{E}}}}=1]-Pr[{\mathcal{A}}^{\mathrm{\$}}=1]|.\end{array}$$

Pseudo-Random Function (PRF). Let $F:{\mathcal{K}}_F\times {\{0,1\}}^m\to {\{0,1\}}^n$ be a keyed function, where ${\mathcal{K}}_F$ is a non-empty set of keys. It takes $K\in {\mathcal{K}}_F$ and $X\in {\{0,1\}}^m$ as the input, and returns $Y=F_K\left(X\right)\in {\{0,1\}}^n$. Let $R\twoheadleftarrow Func(m,n)$.

A PRF adversary $\mathcal{A}$ has access to encryption oracle $F_K$ or a random oracle R, whose goal is to distinguish them. The PRF advantage of an adversary $\mathcal{A}$ is defined as

$$\begin{array}{c}\hfill Ad{v}_F^{prf}\left(\mathcal{A}\right)=|Pr[K\twoheadleftarrow {\mathcal{K}}_F:{\mathcal{A}}^{F_K}=1]-Pr[{\mathcal{A}}^R=1]|.\end{array}$$

Pseudo-Random Permutation (PRP). Let $E:{\mathcal{K}}_E\times {\{0,1\}}^n\to {\{0,1\}}^n$ be a block cipher, where ${\mathcal{K}}_E$ is a non-empty set of keys. It takes a key $K\in {\mathcal{K}}_E$ and a plaintext block $M\in {\{0,1\}}^n$ as the input, and returns a ciphertext block $C=E_K\left(M\right)$. For each key $K\in {\mathcal{K}}_E$, the function $E_K:{\{0,1\}}^n\to {\{0,1\}}^n$ is a permutation, i.e., $E_K\in Perm\left(n\right)$. Let $P\twoheadleftarrow Perm\left(n\right)$.

A PRP adversary $\mathcal{A}$ has access to encryption oracle $E_K$ or a random permutation oracle P, whose goal is to distinguish them. The PRP advantage of an adversary $\mathcal{A}$ is defined as

$$\begin{array}{c}\hfill Ad{v}_E^{prp}\left(\mathcal{A}\right)=|Pr[K\twoheadleftarrow {\mathcal{K}}_E:{\mathcal{A}}^{E_K}=1]-Pr[{\mathcal{A}}^P=1]|.\end{array}$$

AXU Hash Functions [22,26,27,30]. Let $H:{\mathcal{K}}_H\times {\{0,1\}}^{*}\to {\{0,1\}}^n$ be a hash function, where ${\mathcal{K}}_H$ is a non-empty hash key space. Let L be a hash key randomly drawn from ${\mathcal{K}}_H$. If, for any distinct $x,x^{\prime }\in {\{0,1\}}^{*}$ and $y\in {\{0,1\}}^n$, it holds that

$$\begin{array}{c}\hfill Pr[H_L\left(x\right)\oplus H_L\left(x^{\prime }\right)=y]\le ϵ,\end{array}$$

then H is called $ϵ$ almost XOR universal ($ϵ$-AXU). If $ϵ=2^{-n}$, H is called an XOR universal (XU) hash function.

Alternating Events Lemma [26,27,30]. For bounding the probability of an alternating event, such as

$$\begin{array}{c}\hfill H_L\left(x_i\right)=H_L\left(x_j\right)\wedge H_{L^{\prime }}\left(x_j\right)=H_{L^{\prime }}\left(x_k\right)\wedge H_L\left(x_k\right)=H_L\left(x_l\right),\end{array}$$

the alternating events lemma is a vital technique in the security proofs.

Lemma 1

(Alternating Events Lemma [26,27,30]). Let $q_i,q_j,q_k,q_l,q$ such that $q_i,q_j,q_k,q_l\le q$. Let $X^q=(X_1,\cdots ,X_q)$ be a q-tuple of random variables, and let $X^{q_i},X^{q_j},X^{q_k},X^{q_l}\subseteq X^q$. For distinct $i\in \left[q_i\right],j\in \left[q_j\right]$, let $E_{i,j}$ be events associated with $X_i\in X^{q_i}$ and $X_j\in X^{q_j}$, possibly dependent, which all hold with a probability of, at most, ϵ. For distinct $i\in \left[q_i\right],j\in \left[q_j\right],$$k\in \left[q_k\right],l\in \left[q_l\right]$, let $F_{i,j,k,l}$ be events associated with $X_i\in X^{q_i},X_j\in X^{q_j},X_k\in X^{q_k}$ and $X_l\in X^{q_l}$, which all hold with a probability of, at most, ${ϵ}^{\prime }$. Moreover, the collection of events ${\left(F_{i,j,k,l}\right)}_{i,j,k,l}$ is independent with the collection of event ${\left(E_{i,j}\right)}_{i,j}$. Then, there exist $i\in \left[q_i\right],j\in \left[q_j\right],k\in \left[q_k\right],l\in \left[q_l\right]$ such that

$$\begin{array}{c}\hfill Pr[E_{i,j}\wedge E_{k,l}\wedge F_{i,j,k,l}]\le \sqrt{q_i{q}_j{q}_k{q}_l}ϵ\sqrt{{ϵ}^{\prime }}.\end{array}$$

H-coefficient Technique [31]. Patarin’s H-coefficient technique is one of the very useful approaches to upper bound the distinguishing advantage of a cryptographic scheme. Given a real system X and an ideal system Y, let $\mathcal{A}$ be a deterministic adversary whose goal is distinguish X from Y. $\mathcal{A}$ interacts with X and Y and a series of query–response pairs are recorded as a transcript $\tau$. Let $\mathcal{T}$ be the set of all possible transcripts. Let $X_{re}$ be the random variable interacting with the real system X and $Y_{id}$ be the random variable interacting with the ideal system Y. Then, the H-coefficient lemma is presented as follows.

Lemma 2

(H-coefficient Lemma). Let $\mathcal{T}={\mathcal{T}}_{good}\cup {\mathcal{T}}_{bad}$ and $\epsilon ,\delta \in [0,1]$. If $Pr[Y_{id}\in {\mathcal{T}}_{bad}]\le \epsilon$ and for all $\tau \in {\mathcal{T}}_{good}$, $Pr[X_{re}=\tau ]/Pr[Y_{id}=\tau ]\ge 1-\delta$, then

$$\begin{array}{c}\hfill |Pr[{\mathcal{A}}^X=1]-Pr[{\mathcal{A}}^Y=1]|\le \epsilon +\delta .\end{array}$$

If an adversary makes q queries to an oracle O and obtains a transcript $\tau =\{(x_1,y_1),$⋯, $(x_q,y_q)\}$, then we say that the oracle O extends the transcript $\tau$ and write it as $O⊢\tau$, i.e., if $O\left(x_i\right)=y_i$ for all $i\in \left[q\right]$, then $O⊢\tau$.

3. Mirror Theory

Patarin’s mirror theory is a vital tool for bounding the number of solutions of affine systems of multivariate equations or non-equations, which can be applied in the security proofs of BBB-secure cryptographic schemes [27,32,33,34,35]. Here, we consider an affine system of bi-variate equations.

Let $G=<V_1,V_2,E,W>$ be a bipartite graph satisfying the following affine system of bi-variate equations $\mathcal{E}$:

$$\begin{array}{c}\hfill \left\{\begin{array}{c}{X}_1\oplus Y_1={\lambda }_1\hfill \\ X_2\oplus Y_2={\lambda }_2\hfill \\ \cdots \cdots \cdots \cdots \cdots \hfill \\ X_q\oplus Y_q={\lambda }_q\hfill \end{array}\right.\end{array}$$

where $X_i\ne Y_j\in {\{0,1\}}^n$ for any i and j, and let the vertex sets $V_1,V_2$, the edge set E, and the weighted (labeled) function W be

$$\begin{array}{cc}\hfill & V_1=\{X_1,,\cdots ,X_q\},V_2=\{Y_1,\cdots ,Y_q\},\hfill \\ \hfill & E=\{e_i=(X_i,Y_i),i\in \left[q\right]\},\hfill \\ \hfill & W:E\to {\{0,1\}}^n\setminus \left\{0^n\right\},andW\left(e_i\right)={\lambda }_i,i\in \left[q\right].\hfill \end{array}$$

We assume that G can be divided into $\alpha$ components with more than two vertexes and $\beta$ components with just two vertexes, i.e., $G=C_1\cup \cdots \cup C_{\alpha }\cup D_1\cup \cdots \cup D_{\beta }$.

For a bipartite graph G, we say that G is good if it satisfies the following conditions:

• Acylic. G must contain no cycle.
• Non-zero path label (NPL). $W\left(\mathcal{P}\right)\ne 0$ for all paths $\mathcal{P}$ with an even length in the graph G, where $W\left(\mathcal{P}\right)={\sum }_{e\in \mathcal{P}}W\left(e\right)$.

Lemma 3

(Bipartite Graph Description of Mirror Theory [27,35]). Let $G=<V_1,V_2,E,W>$ be a good bipartite graph induced by $\mathcal{E}$, and $|V_1|=q^{\prime }\le q,|V_2|=q^{″}\le q,\left|E\right|=q$. Let $q_c$ be the total edges of components with more than two vertexes. Then, the number of solutions to $\mathcal{E}$ that are chosen from ${\{0,1\}}^n$ is at least

$$\begin{array}{c}\hfill \frac{{\left(2^n\right)}_{q^{\prime }}{\left(2^n\right)}_{q^{″}}}{2^{nq}}(1-\delta ),\end{array}$$

where

$$\begin{array}{c}\hfill \delta =\frac{9q_c^2}{8·2^n}+\frac{9q_c^{2}q+12q_c{q}^2+8q^2}{8·2^{2n}}+\frac{8q^4}{3·2^{3n}}.\end{array}$$

4. Decomposition of nAE Security

Namprempre et al. explored the generic composition of nAE and revealed the decomposition of nAE (security) from IV-based or nonce-based encryption and an MAC [36]. Now, let us focus on N3 type nAE schemes.

An N3 type nAE scheme $\mathsf{\Pi }=(\mathcal{K},\mathcal{E},\mathcal{D})$ consists of a PRF $\mathbf{F}$ and an nE scheme $\mathbf{E}$, where $\mathcal{K}$ is the key space, $\mathcal{E}$ is the encryption algorithm, and $\mathcal{D}$ is the decryption algorithm. Given $K=(K_{\mathbf{F}},K_{\mathbf{E}})\stackrel{\mathrm{\$}}{\leftarrow }\mathcal{K}={\mathcal{K}}_{\mathbf{F}}\times {\mathcal{K}}_{\mathbf{E}}$, $\mathcal{E}$ takes $(N,A,M)$ as the input and returns $(C,T)={\mathcal{E}}_K(N,A,M)$. To be specific, first let $T={\mathbf{F}}_{K_{\mathbf{F}}}(N,A,M)$, and then $C=\mathbf{E}-{\mathcal{E}}_{K_{\mathbf{E}}}(N,T,M)$. $\mathcal{D}$ takes $(N,A,C,T)$ as the input and returns $M/\perp ={\mathcal{D}}_K(N,A,C,T)$. To be specific, first let $M=\mathbf{E}-{\mathcal{D}}_{K_{\mathbf{E}}}(N,T,C)$ and $T^{\prime }={\mathbf{F}}_{K_{\mathbf{F}}}(N,A,M)$, and then return M if $T=T^{\prime }$ and ⊥ otherwise.

Type N3 nAE is secure if its tag generation function is a PRF and if the nE scheme is secure [36]. We assume that an adversary $\mathcal{A}$ makes, at most, q encryption queries and $q_v$ forgery attempts; then, the security of $\mathsf{\Pi }$ is shown in the following lemma.

Lemma 4

(Decomposition of nAE Security [36]). Let $\mathit{F}:{\mathcal{K}}_{\mathit{F}}\times \mathcal{N}\times \mathcal{H}\times \mathcal{M}\to \mathcal{T}$ be a tag generation function and $\mathit{E}:{\mathcal{K}}_{\mathit{E}}\times \mathcal{N}\times \mathcal{T}\times \mathcal{M}\to \mathcal{C}$ be an nE scheme, where $\mathcal{T}={\{0,1\}}^{\tau }$. Let $\mathsf{\Pi }=(\mathcal{K},\mathcal{E},\mathcal{D})$ be an N3 type nAE scheme constructed by $\mathit{F}$ and $\mathit{E}$. Let $\mathcal{A}$ be an nAE-adversary. Then, there are two adversaries, $\mathcal{B}$ and $\mathcal{C}$, such that

$$\begin{array}{c}\hfill Ad{v}_{\mathsf{\Pi }}^{nAE}\left(\mathcal{A}\right)\le Ad{v}_{\mathit{F}}^{prf}\left(\mathcal{B}\right)+Ad{v}_{\mathit{E}}^{nE}\left(\mathcal{C}\right)+\frac{q_v}{2^{\tau }}.\end{array}$$

The above lemma shows that the security proofs of nAE schemes are reduced to the security proofs of the PRF and the nE scheme.

5. GCM-SIVr

Let us first review the specification of GCM-SIVr [12], where $r\ge 1$ is an integer. It utilizes a block cipher $E:{\mathcal{K}}_E\times {\{0,1\}}^n\to {\{0,1\}}^n$ and a hash function $H:{\mathcal{K}}_H\times {\{0,1\}}^{*}\to {\{0,1\}}^n$. The encryption algorithm $\mathcal{E}$ of GCM-SIVr takes a key $K=(L_1,\cdots ,L_r,K_1^{\prime },\cdots ,K_{r^2}^{\prime }$, $K_1,\cdots ,K_r)\in {\left({\mathcal{K}}_H\right)}^r\times {\left({\mathcal{K}}_E\right)}^{r^2+r}$, a nonce N, associated data A, and a plaintext M as the input, and returns a ciphertext C and an authentication tag $T=T_1\left|\right|\cdots \left|\right|T_r$, i.e., $(C,T_1\left|\right|\cdots \left|\right|T_r)={\mathcal{E}}_K(N,A,M)$. The decryption algorithm $\mathcal{D}$ of GCM-SIVr takes K, N, A, C, and T as the input, and returns $M/\perp ={\mathcal{D}}_K(N,A,C,T)$. The details are shown in Algorithms 1–5. GCM-SIV1 and GCM-SIV2 are degraded versions of GCM-SIVr when $r=1$ and 2.

Algorithm 1 The key generation algorithm: $\mathcal{KG}$

Input: a key parameter k Output: a key $K=(L_1,\cdots ,L_r,K_1^{\prime },\cdots ,K_{r^2}^{\prime },K_1,\cdots ,K_r)$ $(L_1,\cdots ,L_r,K_1^{\prime },\cdots ,K_{r^2}^{\prime },K_1,\cdots ,K_r)\stackrel{\mathrm{\$}}{\leftarrow }{\left({\mathcal{K}}_H\right)}^r\times {\left({\mathcal{K}}_E\right)}^{r^2+r}$ return$K=(L_1,\cdots ,L_r,K_1^{\prime },\cdots ,K_{r^2}^{\prime },K_1,\cdots ,K_r)$

Algorithm 2 The encryption algorithm: $\mathcal{E}$

Input: a key K, a nonce N, associated data A, and a plaintext M Output: a ciphertext C and a tag T Partition M into $M_1\parallel \cdots \parallel M_m$, $|M_i|=n,1\le i\le m-1,0<|M_m|\le n$ for$i=1$tordo      $V_i=H_{L_i}(N,A,M)=GHAS{H}_{L_i}(A,M)\oplus N$      $T_i=0^n$ endfor for$i=1$tordo    for $j=1$ to r do       $T_i=T_i\oplus E_{K_{i+r(j-1)}^{\prime }}\left(V_j\right)$    endfor endfor for$i=1$tordo      $S_i=CT{R}_{K_i}(T_i,m)$      $M=M\oplus ms{b}_{\left|M\right|}\left(S_i\right)$ endfor $C\leftarrow M$ $T=T_1\left|\right|\cdots \left|\right|T_r$ return$(C,T)$

Algorithm 3 The decryption algorithm: $\mathcal{D}$

Input: a key K, a nonce N, associated data A, a ciphertext C, and a tag T Output: a plaintext M or ⊥ Partition C into $C_1\parallel C_2\parallel \cdots \parallel C_m$, $|C_i|=n,1\le i\le m-1,0<|C_m|\le n$ for$i=1$tordo      $S_i=CT{R}_{K_i}(T_i,m)$      $C=C\oplus ms{b}_{\left|C\right|}\left(S_i\right)$ endfor $M\leftarrow C$ for$i=1$tordo      $V_i=H_{L_i}(N,A,M)=GHAS{H}_{L_i}(A,M)\oplus N$      $T_i=0^n$ endfor for$i=1$tordo    for $j=1$ to r do       $T_i=T_i\oplus E_{K_{i+r(j-1)}^{\prime }}\left(V_j\right)$    endfor endfor $T^{\prime }=T_1\left|\right|\cdots \left|\right|T_r$ if$T^{\prime }=T$, returnM else return ⊥ (INVALID) endif

Algorithm 4 GHASH algorithm: $GHAS{H}_L(A,M)$

Input: a key L, associated data A, and a plaintext M Output: a hash value h $A^{+}\leftarrow A\left|\right|0^{n-\left|A\right|modn}$, $M^{+}\leftarrow M\left|\right|0^{n-\left|M\right|modn}$ $X\leftarrow A^{+}\left|\right|M^{+}{\left|\right|\left[\right|A\left|\right]}_{n/2}{\left|\right|\left[\right|M\left|\right]}_{n/2}$ $X_1\parallel \cdots \parallel X_x\leftarrow X$, $|X_i|=n,1\le i\le x$ $h\leftarrow 0$ for$i=1$toxdo       $h\leftarrow (h\oplus X_i)·L$ endfor returnh

Algorithm 5 CTR algorithm: $CT{R}_K(T,m)$

Input: a key K, an initial vector T, and the number of plaintext blocks m Output: a key stream S $S_1=E_K\left(T\right)$ for$i=2$tomdo       $S_i\leftarrow E_K(T+i-1)$ endfor return$S=S_1\left|\right|\cdots \left|\right|S_m$

6. GCM-SIV1.5

6.1. Specific Description of GCM-SIV1.5

Both GCM-SIV1 and GCM-SIV2 are nonce-based authenticated encryption with associated data modes by combining a PRF and an ivE scheme. GCM-SIV1 enjoys birthday-bound security up to almost $2^{n/2}$ adversarial queries by using an n-bit authentication tag. GCM-SIV2 utilizes two instances of GCM-SIV1 to achieve beyond-birthday-bound (BBB) security by increasing the number of keys, authentication tags, and block ciphers. However, these methods greatly affect the implementation cost and operation efficiency of cryptographic algorithms. In real life, cryptographic algorithms that provide BBB security, as low as possible hardware and software implementation costs, and high enough operational efficiencies are much more desirable.

Given an $ϵ$-AXU-hash function $H:{\mathcal{K}}_H\times \mathcal{N}\times \mathcal{H}\times \mathcal{M}\to {\{0,1\}}^n$ and a block cipher $E:{\mathcal{K}}_E\times {\{0,1\}}^n\to {\{0,1\}}^n$, where ${\mathcal{K}}_H$ and ${\mathcal{K}}_E$ are two non-empty sets of keys, and n is the block-size, we construct a new two-pass parallelizable nAE mode, GCM-SIV1.5. GCM-SIV1.5 is an optimal tradeoff between GCM-SIV1 and GCM-SIV2 for supporting BBB security with graceful degradation, as low as possible hardware and software implementation costs, and high enough operational efficiencies in nonce-faulty settings. We introduce a sum of permutation (SoP) construction to encryption and authentication parts of GCM-SIV1.5, which makes GCM-SIV1.5 BBB-secure. The authentication part of GCM-SIV1.5 is generated by $F_{B_2}^{SoP}$, which ensures BBB security. The encryption part of GCM-SIV1.5 is generated by $CT{R}^{SoP}$ with an initial vector and a nonce, which ensures BBB security.

The overview of GCM-SIV1.5 is illustrated in Figure 1.

GCM-SIV1.5 consists of a key generation algorithm $\mathcal{KG}$, an encryption algorithm $\mathcal{E}$, and a decryption algorithm $\mathcal{D}$. The key generation algorithm $\mathcal{KG}$ takes a key parameter k as the input and returns a key $K=(K_1,K_2,L)$ (two encryption keys $K_1,K_2$ and a hash key L) from an entropy pool of a set of keys $\mathcal{K}=({\mathcal{K}}_E,{\mathcal{K}}_E,{\mathcal{K}}_H)={\{0,1\}}^k$. The encryption algorithm $\mathcal{E}$ takes a key $K=(K_1,K_2,L)$, a nonce N, associated data A, and a plaintext M as the input, invokes the tag generation algorithm $F_{B_2}^{SoP}$ and CTR with the SoP algorithm $CT{R}^{SoP}$, and outputs the corresponding ciphertext and authentication tag $(C,T)={\mathcal{E}}_K(N,A,M)$. The decryption algorithm $\mathcal{D}$ takes a key $K=(K_1,K_2,L)$, a nonce N, associated data A, a ciphertext C, and an authentication tag T as the input, invokes the tag generation algorithm $F_{B_2}^{SoP}$ and CTR with the SoP algorithm $CT{R}^{SoP}$, and outputs the corresponding plaintext M or a reject symbol ⊥, i.e., $M/\perp ={\mathcal{D}}_K(N,A,C,T)$. The key generation, encryption, and decryption algorithms are described in Algorithms 6–8. The tag generation algorithm $F_{B_2}^{SoP}$ and CTR with the SoP algorithm $CT{R}^{SoP}$ are described in Algorithms 9 and 10.

Algorithm 6 The key generation algorithm: $\mathcal{KG}$

Input: a key parameter k Output: a key $K=(K_1,K_2,L)$ $(K_1,K_2,L)\stackrel{\$}{\leftarrow }\mathcal{K}=({\mathcal{K}}_E,{\mathcal{K}}_E,{\mathcal{K}}_H)$ return$K=(K_1,K_2,L)$

Algorithm 7 The encryption algorithm: $\mathcal{E}$

Input: a key $K=(K_1,K_2,L)$, a nonce N, associated data A, and a plaintext M Output: a ciphertext C and a tag T Partition M into $M_1\parallel \cdots \parallel M_m$, $|M_i|=n,1\le i\le m-1,0<|M_m|\le n$ $T=F_{B_2}^{SoP}(K,N,A,M)$ $S=CT{R}_{K_1,K_2}^{SoP}(N,T,m)$ $C=M\oplus ms{b}_{\left|M\right|}\left(S\right)$ return$(C,T)$

Algorithm 8 The decryption algorithm: $\mathcal{D}$

Input: a key $K=(K_1,K_2,L)$, a nonce N, associated data A, a ciphertext C, and a tag T Output: a plaintext M or ⊥ Partition C into $C_1\parallel C_2\parallel \cdots \parallel C_m$, $|C_i|=n,1\le i\le m-1,0<|C_m|\le n$ $S=CT{R}_{K_1,K_2}^{SoP}(N,T,m)$ $M=C\oplus ms{b}_{\left|C\right|}\left(S\right)$ $T^{\prime }=F_{B_2}^{SoP}(K,N,A,M)$ if$T^{\prime }=T$, returnM else return⊥ (INVALID) endif

Algorithm 9 The tag generation algorithm: $F_{B_2}^{SoP}(K,N,A,M)$

Input: a key $K=(K_1,K_2,L)$, a nonce N, associated data A, and a plaintext M Output: a tag T $V=H_L(N,A,M)=GHAS{H}_L(A,M)\oplus N\left|\right|{\left[0\right]}_{\frac{n}{4}}$ $T=E_{K_1}\left(V\right)\oplus E_{K_2}{\left(N\right||\left[0\right]}_{\frac{n}{4}})$ returnT

Algorithm 10 CTR with SoP algorithm: $CT{R}_{K_1,K_2}^{SoP}(N,T,m)$

Input: a key $K=(K_1,K_2)$, a nonce N, an initial vector T, and the number of plaintext blocks m Output: a key stream S for$1\le i\le m$      $S_i=E_{K_1}(T+i)\oplus E_{K_2}{\left(N\right||\left[i\right]}_{\frac{n}{4}})$ endfor return$S=S_1\left|\right|\cdots \left|\right|S_m$

6.2. Security of GCM-SIV1.5

We present the information-theoretic security of GCM-SIV1.5 under the assumption that the underlying block cipher is a secure pseudorandom permutation.

GCM-SIV1.5 is an N3 type nAE scheme (and it can also be seen as an A7 type nAE scheme); therefore, it can be decomposed into a PRF $\mathbf{F}$ and an nE scheme $\mathbf{E}$, where $\mathbf{F}:{\mathcal{K}}_{\mathbf{F}}\times \mathcal{N}\times \mathcal{H}\times \mathcal{M}\to \mathcal{T}$, $\mathbf{E}:{\mathcal{K}}_{\mathbf{E}}\times \mathcal{N}\times \mathcal{T}\times \mathcal{M}\to \mathcal{C}$, ${\mathcal{K}}_{\mathbf{F}}={\mathcal{K}}_H\times {\mathcal{K}}_E\times {\mathcal{K}}_E=\mathcal{K}$, and ${\mathcal{K}}_{\mathbf{E}}={\mathcal{K}}_E\times {\mathcal{K}}_E$.

$\mathbf{F}$ takes a key $K_{\mathbf{F}}=(L,K_1,K_2)\in {\mathcal{K}}_{\mathbf{F}}$, a nonce $N\in \mathcal{N}$, associated data $A\in \mathcal{H}$, and a message $M\in \mathcal{M}$ as the input and returns an authentication tag $T=\mathbf{F}(K_{\mathbf{F}},N,A,M)=F_{B_2}^{SoP}(K,N,A,M)$. $\mathbf{E}$ takes the key $K_{\mathbf{E}}=(K_1,K_2)\in {\mathcal{K}}_{\mathbf{E}}$, the nonce $N\in \mathcal{N}$, the authentication tag $T\in \mathcal{T}$, and the message $M\in \mathcal{M}$ as the input, computes a key-stream $S=CT{R}_{K_{\mathbf{E}}}^{SoP}(N,T,m)$, and then encrypts M to return the corresponding ciphertext $C=\mathbf{E}(K_{\mathbf{E}},N,T,M)=M\oplus ms{b}_{\left|M\right|}\left(S\right)$.

According to Lemma 4, the nAE security of GCM-SIV1.5 can be decomposed into the PRF security of $\mathbf{F}$ and the nE security of $\mathbf{E}$. Therefore, we have the following lemmas.

Lemma 5.

Let $\mathcal{A}$ be an μ-fault adversary and $H_L$ be ϵ-AXU. Let $\mu \le q^{\frac{1}{3}}$. If $\mathcal{A}$ makes at most $q\le 2^{3n/4}$ queries, then there exist adversaries ${\mathcal{A}}_1$ and ${\mathcal{A}}_2$ with the same query complexity against the block cipher E such that

$$\begin{array}{cc}\hfill Ad{v}_{\mathit{F}}^{prf}\left(\mathcal{A}\right)\le & Ad{v}_E^{prp}\left({\mathcal{A}}_1\right)+Ad{v}_E^{prp}\left({\mathcal{A}}_2\right)+\frac{{\mu }^2}{2^n}+{\mu }^2ϵ+\frac{q^2ϵ}{2^n}\hfill \\ \hfill & +4{\mu }^2ϵ+\frac{3\mu q^{3/2}ϵ}{2^{n/2}}+q^{4/3}ϵ+\frac{18q^{4/3}}{2^n}+\frac{6q^{8/3}}{2^{2n}}\hfill \\ \hfill & +\frac{18q^{7/3}}{2^{2n}}+\frac{q^2}{2^{2n}}+\frac{8q^4}{3·2^{3n}}.\hfill \end{array}$$

Lemma 6.

Let $\mathcal{A}$ be an μ-fault adversary that makes at most $q\le 2^{3n/4}$ queries and generates at most σ blocks, and let $\mu \le q^{\frac{1}{3}}$ and m be the maximum block of the plaintext; then, there exist adversaries ${\mathcal{A}}_1$ and ${\mathcal{A}}_2$ with the same query complexity against the block cipher E such that

$$\begin{array}{cc}\hfill Ad{v}_{\mathit{E}}^{nE}\left(\mathcal{A}\right)\le & Ad{v}_E^{prp}\left({\mathcal{A}}_1\right)+Ad{v}_E^{prp}\left({\mathcal{A}}_2\right)+\frac{6m{\mu }^2}{2^n}\hfill \\ \hfill & +\frac{{\sigma }^2}{2^{2n}}+\frac{3\mu \sigma }{2^n}\sqrt{\frac{\sigma }{2^n}}+\frac{19{\sigma }^{\frac{4}{3}}}{2^n}+\frac{6{\sigma }^{\frac{8}{3}}}{2^{2n}}+\frac{18{\sigma }^{\frac{7}{3}}}{2^{2n}}\hfill \\ \hfill & +\frac{{\sigma }^2}{2^{2n}}+\frac{8{\sigma }^4}{3·2^{3n}}.\hfill \end{array}$$

The security proof of Lemma 5 is the same as that of Theorem 4 in the study by Chen et al. [27]. The security proof of Lemma 6 is shown in Section 7.

By combining Lemmas 4–6, we present the security of GCM-SIV1.5 as follows.

Theorem 1.

Let $\mathcal{A}$ be an μ-fault adversary and $H_L$ be ϵ-AXU. Let $\mu \le q^{\frac{1}{3}}$ and m be the maximum block of the plaintext. If $\mathcal{A}$ makes at most $q\le 2^{3n/4}$ queries and generates at most σ blocks, then there exist adversaries ${\mathcal{A}}_1$ and ${\mathcal{A}}_2$ with the same query complexity against the block cipher E such that

$$\begin{array}{cc}\hfill Ad{v}_{GCM-SIV1.5}^{nAE}\left(\mathcal{A}\right)\le & Ad{v}_E^{prp}\left({\mathcal{A}}_1\right)+Ad{v}_E^{prp}\left({\mathcal{A}}_2\right)+\frac{10m{\mu }^2}{2^n}\hfill \\ \hfill & +\frac{3q\mu ϵ}{2^n}+\frac{q^2ϵ}{2^n}+5{\mu }^2ϵ+q^{\frac{4}{3}}ϵ\hfill \\ \hfill & +\frac{(3\mu +2)\sigma }{2^n}+\frac{46{\sigma }^{\frac{4}{3}}}{2^n}+\frac{q_v}{2^n}.\hfill \end{array}$$

Theorem 1 shows that, if the underlying block cipher E is a secure PRP and $ϵ=2^{-n}$, GCM-SIV1.5 offers BBB nAE security up to approximately $\frac{3n}{4}$-bit query complexity and approximately n-bit forgery attempts for $\mu$-nonce faulty adversaries with $\mu \le 2^{\frac{n}{4}}$.

7. Proofs of Lemma 6

The proof is similar to that of Theorem 4 in Chen et al. [27]. Let $K_1,K_2\twoheadleftarrow {\mathcal{K}}_E$. The adversary $\mathcal{A}$ makes q encryption queries $(N^1,T^1,m^1),\cdots ,(N^q,T^q,m^q)$ to the real world $\mathbf{E}$ or the ideal world R (R is an ideal version of $\mathbf{E}$ and always random strings) and returns $S^1,S^2,\cdots ,S^q$, and then encrypts plaintexts $M^1,\cdots ,M^q$ to obtain ciphertexts $C^1=M^1\oplus ms{b}_{|M^1|}\left(S^1\right),\cdots ,$$C^q=M^q\oplus ms{b}_{|M^q|}\left(S^q\right)$. First, we replace $E_{K_1}$ and $E_{K_2}$ with two independent random permutations $P_1$ and $P_2$, and the replacements cost us $Ad{v}_E^{prp}\left({\mathcal{A}}_1\right)+Ad{v}_E^{prp}\left({\mathcal{A}}_2\right)$, where ${\mathcal{A}}_1$ and ${\mathcal{A}}_2$ are PRP adversaries against the underlying block cipher. Then, we consider $Ad{v}_{\mathbf{E}[P_1,P_2]}^{nE}\left(\mathcal{A}\right)$. Let $\tau =\{(N^1,T^1,m^1,S^1),\cdots ,(N^q,T^q,m^q,S^q)\}$. Let $X_{re}$ be the random variable interacting with the real world $X=\mathbf{E}[P_1,P_2]$ and $Y_{id}$ be the random variable interacting with the ideal world $Y=R$.

For the real world, the transcript with q queries corresponds to the following mirror system of bi-variate equations:

$$\begin{array}{c}\hfill {\mathcal{E}}^{=}\left\{\begin{array}{cc}\hfill & P_1(T^1+1)\oplus P_2(N^1\left|\right|{\left[1\right]}_{\frac{n}{4}})=S_1^1\hfill \\ \hfill & P_1(T^1+2)\oplus P_2(N^1\left|\right|{\left[2\right]}_{\frac{n}{4}})=S_2^1\hfill \\ \hfill & \cdots \cdots \cdots \cdots \cdots \hfill \\ \hfill & P_1(T^1+m^1)\oplus P_2(N^1\left|\right|{\left[m^1\right]}_{\frac{n}{4}})=S_{m^1}^1\hfill \\ \hfill & \cdots \cdots \cdots \cdots \cdots \hfill \\ \hfill & P_1(T^q+1)\oplus P_2(N^q\left|\right|{\left[1\right]}_{\frac{n}{4}})=S_1^q\hfill \\ \hfill & P_1(T^q+2)\oplus P_2(N^q\left|\right|{\left[2\right]}_{\frac{n}{4}})=S_2^q\hfill \\ \hfill & \cdots \cdots \cdots \cdots \cdots \hfill \\ \hfill & P_1(T^q+m^q)\oplus P_2(N^q\left|\right|{\left[m^q\right]}_{\frac{n}{4}})=S_{m^q}^q\hfill \end{array}\right.\end{array}$$

As $P_1,P_2$ are two independent random permutations, let $X_{i,j}=P_1(T^i+j)$, $Y_{i,j}=P_2(N^i{\left|\right|\left[j\right]}_{\frac{n}{4}})$, and ${\lambda }_{i,j}=S_j^i$, where $j\in \left[m^i\right],i\in \left[q\right]$. Let $\sigma ={\sum }_{i=1}^q{m}^i$.

Let $V_1$ be the set of vertices $X_{1,1},\cdots ,X_{q,m^q}$, $V_2$ be the set of vertices $Y_{1,1},\cdots ,Y_{q,m^q}$, $E=\{e_{i,j}=(X_{i,j},Y_{i,j}),j\in \left[m^i\right],i\in \left[q\right]\}$, and $W:E\to {\{0,1\}}^n$. The above mirror system $\{X_{i,j}\oplus Y_{i,j}={\lambda }_{i,j},j\in \left[m^i\right],i\in \left[q\right]\}$ with a transcript $\tau$ can be described as an undirected weighted bipartite graph $G^{\tau }=<V_1,V_2,E,W>$. As T is random, there exist collisions in $X_{i,j}=P_1(T^i+j)$ for any $j\in \left[m^i\right],i\in \left[q\right]$. Let m be the maximum block of the plaintext. According to the fact that the nonce is $\mu$-fault, $V_2$ is $\mu ·m$-fault.

In order to utilize the mirror theory, we first define a bad transcript.

Definition 1

(Bad Transcript). A transcript τ is called bad if one of the following events occurs:

• $G^{\tau }$ covers a circle of length 2 or a path of length 2 such that the weight of this path is zero.

  –

  B1: There exist distinct $i,k\in \left[q\right]$ such that $X_{i,j}=X_{k,l}$ and $Y_{i,j}=Y_{k,l}$, where $j\in \left[m^i\right],l\in \left[m^k\right]$, i.e., $T^i+j=T^k+l$ and $N^i{\left|\right|\left[j\right]}_{\frac{n}{4}}=N^k\left|\right|{\left[l\right]}_{\frac{n}{4}}$ (it implies $j=l$).

  –

  B2: There exist distinct $i,k\in \left[q\right]$ such that $X_{i,j}=X_{k,l}$ and ${\lambda }_{i,j}\oplus {\lambda }_{k,l}=0$, where $j\in \left[m^i\right],l\in \left[m^k\right]$, i.e., $T^i+j=T^k+l$ and $S_j^i\oplus S_l^k=0$.

  –

  B3: There exist distinct $i,k\in \left[q\right]$ such that $Y_{i,j}=Y_{k,l}$ and ${\lambda }_{i,j}\oplus {\lambda }_{k,l}=0$, where $j\in \left[m^i\right],l\in \left[m^k\right]$, i.e., $N^i{\left|\right|\left[j\right]}_{\frac{n}{4}}=N^k\left|\right|{\left[l\right]}_{\frac{n}{4}}$ (it implies $j=l$) and $S_j^i\oplus S_l^k=0$.

• $G^{\tau }$ covers a path of length 4 starting at the Y-shore, or a path of length 4 starting at the X-shore such that the weight of this path is zero (this condition satisfies the fact that $G^{\tau }$ covers a circle of length 4 or a path of length 4 such that the weight of this path is zero).

  –

  B4: There exist distinct $i,k,w,y\in \left[q\right]$ such that $Y_{i,j}=Y_{k,l}$, $X_{k,l}=X_{w,x}$, and $Y_{w,x}=Y_{y,z}$, i.e., $N^i{\left|\right|\left[j\right]}_{\frac{n}{4}}=N^k\left|\right|{\left[l\right]}_{\frac{n}{4}}$, $T^k+l=T^w+x$, and $N^w{\left|\right|\left[x\right]}_{\frac{n}{4}}=N^y\left|\right|{\left[z\right]}_{\frac{n}{4}}$ (it implies $j=l,x=z$).

  –

  B5: There exist distinct $i,k,w,y\in \left[q\right]$ such that $X_{i,j}=X_{k,l}$, $Y_{k,l}=Y_{w,x}$, $X_{w,x}=X_{y,z}$, and ${\lambda }_{i,j}\oplus {\lambda }_{k,l}\oplus {\lambda }_{w,x}\oplus {\lambda }_{y,z}=0$, i.e., $T^i+j=T^k+l$, $N^k{\left|\right|\left[l\right]}_{\frac{n}{4}}=N^w\left|\right|{\left[x\right]}_{\frac{n}{4}}$, $T^w+x=T^y+z$, and ${\lambda }_{i,j}\oplus {\lambda }_{k,l}\oplus {\lambda }_{w,x}\oplus {\lambda }_{y,z}=0$ (it implies $l=x$).

• The number of edges in components with a size of more than 2 is $q_c\ge {\tilde{q}}_c$. Each vertex in the components is associated with two edges in the average case. Let us assume that it may be evenly amortized to the two vertex sets of the bipartite graph.

  –

  B6: $|\left\{(i,k)\right|i\ne k,j\in \left[m^i\right],l\in \left[m^k\right],X_{i,j}=X_{k,l}\}|\ge {\tilde{q}}_c/4$, i.e, $\left|\right\{(i,k)|i\ne k,$$j\in \left[m^i\right],l\in \left[m^k\right],T^i+j=T^k+l\left\}\right|\ge {\tilde{q}}_c/4$.

  –

  B7: $\left|\right\{(i,k)|i\ne k,j\in \left[m^i\right],l\in \left[m^k\right],Y_{i,j}=Y_{k,l}|\ge {\tilde{q}}_c/4$, i.e, $\left|\right\{(i,k)|i\ne k,$$N^i=N^k\left\}\right|\ge {\tilde{q}}_c/4$.

Let ${\mathsf{\Gamma }}_{bad}$ be bad transcripts, Γ be all attainable transcripts, and ${\mathsf{\Gamma }}_{good}=\mathsf{\Gamma }\setminus {\mathsf{\Gamma }}_{bad}$.

Next, we upper bound the probability of bad transcripts in the ideal world $Pr[Y_{id}\in {\mathsf{\Gamma }}_{bad}]$.

For B1, the probability that $T^i+j=T^k+l$ occurs for any fixed $i,j,k,l$ is $2^{-n}$, and the number of pairs $(i,k)$ such that $N^i{\left|\right|\left[j\right]}_{\frac{n}{4}}=N^k\left|\right|{\left[l\right]}_{\frac{n}{4}}$ is at most ${\mu }^2$, where $j\in \left[m^i\right],l\in \left[m^k\right]$; then, we have

$$\begin{array}{cc}\hfill Pr\left[\mathbf{B}\mathbf{1}\right]& =Pr[X_{i,j}=X_{k,l},Y_{i,j}=Y_{k,l}]\hfill \\ \hfill & =Pr[T^i+j=T^k+l,N^i||{\left[j\right]}_{\frac{n}{4}}=N^k|\left|{\left[l\right]}_{\frac{n}{4}}\right]\hfill \\ \hfill & \le \frac{m{\mu }^2}{2^n}.\hfill \end{array}$$

For B2, the probability that $T^i+j=T^k+l$ occurs for any fixed $i,j,k,l$ is $2^{-n}$, and the probability that $S_j^i\oplus S_l^k=0$ occurs for any fixed $i,j,k,l$ is $2^{-n}$; then, we have

$$\begin{array}{cc}\hfill Pr\left[\mathbf{B}\mathbf{2}\right]& =Pr[X_{i,j}=X_{k,l},{\lambda }_{i,j}\oplus {\lambda }_{k,l}=0]\hfill \\ \hfill & =Pr[T^i+j=T^k+l,S_j^i\oplus S_l^k=0]\hfill \\ \hfill & \le \frac{{\sigma }^2}{2^{2n}}.\hfill \end{array}$$

For B3, the probability that $S_j^i\oplus S_l^k=0$ occurs for any fixed $i,j,k,l$ is $2^{-n}$, and the number of pairs $(i,k)$ such that $N^i{\left|\right|\left[j\right]}_{\frac{n}{4}}=N^k\left|\right|{\left[l\right]}_{\frac{n}{4}}$ is at most ${\mu }^2$, where $j\in \left[m^i\right],l\in \left[m^k\right]$; then, we have

$$\begin{array}{cc}\hfill Pr\left[\mathbf{B}\mathbf{3}\right]& =Pr[Y_{i,j}=Y_{k,l},{\lambda }_{i,j}\oplus {\lambda }_{k,l}=0]\hfill \\ \hfill & =Pr\left[N^i\right||{\left[j\right]}_{\frac{n}{4}}=N^k||{\left[l\right]}_{\frac{n}{4}},S_j^i\oplus S_l^k=0]\hfill \\ \hfill & \le \frac{m{\mu }^2}{2^n}.\hfill \end{array}$$

For B4, the probability that $T^k+l=T^w+x$ occurs for any fixed $k,l,w,x$ is $2^{-n}$ and the number of pairs $(i,k,w,y)$ such that $N^i{\left|\right|\left[j\right]}_{\frac{n}{4}}=N^k\left|\right|{\left[l\right]}_{\frac{n}{4}}$ and $N^w{\left|\right|\left[x\right]}_{\frac{n}{4}}=N^y\left|\right|{\left[z\right]}_{\frac{n}{4}}$ for any fixed $i\ne k,w\ne y$ is at most $4{\mu }^2$ (as the number of queries using any repeated nonce is at most $2\mu$); then, we have

$$\begin{array}{cc}\hfill Pr\left[\mathbf{B}\mathbf{4}\right]=& Pr[Y_{i,j}=Y_{k,l},X_{k,l}=X_{w,x},Y_{w,x}=Y_{y,z}]\hfill \\ \hfill \le & \frac{4m{\mu }^2}{2^n}.\hfill \end{array}$$

For B5, let $F_{i,j,k,l,w,x,y,z}:{\lambda }_{i,j}\oplus {\lambda }_{k,l}\oplus {\lambda }_{w,x}\oplus {\lambda }_{y,z}=0$, the probability that $E_{i,j,k,l}:T^i+j=T^k+l$ occurs for any fixed $i,j,k,l$ be $2^{-n}$ (the same for $E_{w,x,y,z}:T^w+x=T^y+z$), and the probability that $F_{i,j,k,l,w,x,y,z}$ occurs for any fixed $i,j,k,l,w,x,y,z$ be $2^{-n}$. According to alternating event lemma and $\sigma =mq$, we have

$$\begin{array}{cc}\hfill Pr\left[\mathbf{B}\mathbf{5}\right]=& Pr[E_{i,j,k,l},Y_{k,l}=Y_{w,x},E_{w,x,y,z},F_{i,j,k,l,w,x,y,z}]\hfill \\ \hfill \le & \frac{3\mu \sigma }{2^n}\sqrt{\frac{\sigma }{2^n}}.\hfill \end{array}$$

For B6, according to Markov’s inequality, the probability of B6 is upper bounded by

$$\begin{array}{cc}\hfill Pr\left[\mathbf{B}\mathbf{6}\right]& =Pr\left[\right|\left\{(i,k)\right|i\ne k,j\in \left[m^i\right],l\in \left[m^k\right],X_{i,j}=X_{k,l}\}|\ge {\tilde{q}}_c/4]\hfill \\ \hfill & \le \frac{\mathbb{E}\left[\right|\left\{(i,k)\right|i\ne k,j\in \left[m^i\right],l\in \left[m^k\right],X_{i,j}=X_{k,l}\}|\ge {\tilde{q}}_c/4]}{{\tilde{q}}_c/4}\hfill \\ \hfill & \le \frac{\frac{{\sigma }^2}{2^n}}{{\tilde{q}}_c/4}\le \frac{4{\sigma }^2}{{\tilde{q}}_c·2^n}.\hfill \end{array}$$

In order to obtain $\frac{3n}{4}$-bit security, we choose ${\tilde{q}}_c=4{\sigma }^{\frac{2}{3}}$. Then,

$$\begin{array}{c}\hfill Pr\left[\mathbf{B}\mathbf{6}\right]\le \frac{4{\sigma }^2}{{\tilde{q}}_c·2^n}=\frac{{\sigma }^{\frac{4}{3}}}{2^n}.\end{array}$$

For B7, as ${\mu }^2<q^{\frac{2}{3}}\le {\sigma }^{\frac{2}{3}}={\tilde{q}}_c/4$, the probability of B7 being upper bounded by

$$\begin{array}{cc}\hfill Pr\left[\mathbf{B}\mathbf{7}\right]& =Pr\left[\right|\left\{(i,k)\right|i\ne k,j\in \left[m^i\right],l\in \left[m^k\right],Y_{i,j}=Y_{k,l}|\ge {\tilde{q}}_c/4]\hfill \\ \hfill & =Pr[{\mu }^2\ge {\tilde{q}}_c/4]=0.\hfill \end{array}$$

To summarize, the probability of bad transcripts is

$$\begin{array}{cc}\hfill Pr[Y_{id}\in {\mathsf{\Gamma }}_{bad}]& =Pr\left[\bigcup _{i=1}^7\mathbf{Bi}\right]\hfill \\ \hfill & \le \frac{6m{\mu }^2}{2^n}+\frac{{\sigma }^2}{2^{2n}}+\frac{3\mu \sigma }{2^n}\sqrt{\frac{\sigma }{2^n}}+\frac{{\sigma }^{\frac{4}{3}}}{2^n}.\hfill \end{array}$$

Then, we consider the ratio $\frac{Pr[X=\tau ]}{Pr[Y=\tau ]}$ between the real world X and the ideal world Y in the good transcript. In the good transcript, $G^{\tau }$ meets (1) acyclic, (2) NPL, and (3) $q_c\le {\tilde{q}}_c=4{\sigma }^{\frac{2}{3}}$. Let $q^{\prime }=\left|V_1\right|$ and $q^{″}=\left|V_2\right|$; according to the mirror theory, the number of solutions is at least $\frac{{\left(2^n\right)}_{q^{\prime }}{\left(2^n\right)}_{q^{″}}}{2^{n\sigma }}(1-\delta )$, where

$$\begin{array}{cc}\hfill \delta =& \frac{9{\tilde{q}}_c^2}{8·2^n}+\frac{9{\tilde{q}}_c^2\sigma +12{\tilde{q}}_c{\sigma }^2+8{\sigma }^2}{8·2^{2n}}+\frac{8{\sigma }^4}{3·2^{3n}}\hfill \\ \hfill & =\frac{18{\sigma }^{\frac{4}{3}}}{2^n}+\frac{18{\sigma }^{\frac{7}{3}}+6{\sigma }^{\frac{8}{3}}+{\sigma }^2}{2^{2n}}+\frac{8{\sigma }^4}{3·2^{3n}}.\hfill \end{array}$$

In the real world X, we have

$$\begin{array}{cc}\hfill Pr[X=\tau ]& =Pr[P_1,P_2\in Perm\left(n\right):\mathbf{E}[P_1,P_2]⊢\tau ]\hfill \\ \hfill & =\frac{|P_1,P_2\in Perm\left(n\right):\mathbf{E}[P_1,P_2]⊢\tau |}{{\left|Perm\left(n\right)\right|}^2}\hfill \\ \hfill & \ge \frac{\frac{{\left(2^n\right)}_{q^{\prime }}{\left(2^n\right)}_{q^{″}}}{2^{n\sigma }}(1-\delta )(2^n-q^{\prime })!(2^n-q^{″})!}{{(2^n!)}^2}\hfill \\ \hfill & =\frac{1}{2^{n\sigma }}(1-\delta ).\hfill \end{array}$$

In the ideal world Y, we have

$$\begin{array}{c}\hfill Pr[Y=\tau ]=Pr[R\in Func(2n,\ast ):R⊢\tau ]=\frac{1}{2^{n\sigma }}.\end{array}$$

Therefore, the ratio between $Pr[X=\tau ]$ and $Pr[Y=\tau ]$ is

$$\begin{array}{c}\hfill \frac{Pr[X=\tau ]}{Pr[Y=\tau ]}\ge 1-\delta .\end{array}$$

According to the H-coefficient technique, we have

$$\begin{array}{cc}\hfill Ad{v}_{\mathbf{E}}^{nE}\left(\mathcal{A}\right)\le & Ad{v}_E^{prp}\left({\mathcal{A}}_1\right)+Ad{v}_E^{prp}\left({\mathcal{A}}_2\right)+\frac{6m{\mu }^2}{2^n}\hfill \\ \hfill & +\frac{{\sigma }^2}{2^{2n}}+\frac{3\mu \sigma }{2^n}\sqrt{\frac{\sigma }{2^n}}+\frac{19{\sigma }^{\frac{4}{3}}}{2^n}+\frac{6{\sigma }^{\frac{8}{3}}}{2^{2n}}+\frac{18{\sigma }^{\frac{7}{3}}}{2^{2n}}\hfill \\ \hfill & +\frac{{\sigma }^2}{2^{2n}}+\frac{8{\sigma }^4}{3·2^{3n}}.\hfill \end{array}$$

So far, we have completed the proof of Lemma 6.

8. Discussions and Conclusions

GCM-SIV1.5 is one of the favored generic nAE constructions described in [36], which combines a PRF $\mathbf{F}$ and an nE or ivE scheme $\mathbf{E}$. Here, the PRF $\mathbf{F}$ is a BBB-secure $F_{B2}^{SoP}$ scheme and the nE scheme $\mathbf{E}$ is a BBB-secure $CT{R}^{SoP}$ scheme.

GCM-SIV1.5 offers an optimal tradeoff to GCM-SIV1 and GCM-SIV2 for supporting BBB security, as low as possible implementation costs, and high enough operational efficiencies. From the perspective of the security strength, if the underlying block cipher E is a secure PRP and $ϵ=2^{-n}$, GCM-SIV1.5 offers approximately $3n/4$-bit nAE security for $\mu$-fault nonce-misusing adversaries and supports graceful security degradation, which is better than those of GCM-SIV1 and GCM-SIV2. From the perspective of implementation costs, compared with GCM-SIV2 and GCM-SIVr, GCM-SIV1.5 utilizes fewer keys (just two block cipher keys and a hash key) and lower storage and communication costs or throughput (just n-bit authentication tag). From the perspective of operational efficiencies, GCM-SIV1.5 utilizes just a hash function call and two plaintext blocks calls. More importantly, all encryption operations involving the nonce can be carried out offline, which saves half of the online computing resources. To sum up, our design achieves the optimal tradeoff to GCM-SIV and GCM-SIVr from the security strength, implementation costs, and software performance aspects.

In order to further demonstrate the superiority of our design, Table 1 shows a fair and thorough comparison between GCM-SIV1.5 and other similar schemes. Compared with CWC+, GCM-SIV1.5 provides a better security bound and supports fully faulty nonce misuse resistance, but the number of the encryption keys and the number of the block cipher calls are slightly inferior. Compared with SCM, GCM-SIV1.5 saves an encryption key, supports offline operations involving the nonce’s encryption, and saves half of the online computing resources, but other aspects, such as the number of block cipher calls, nonce size, and security bound, are slightly inferior. Besides that, SCM utilizes the finite field multiplication operations in the encryption part, although these multiplication operations can be quickly calculated using the double point technique. However, our design just utilizes some XOR and finite field addition operations.

GCM-SIV1.5 utilizes three keys. A natural future direction is to reduce the number of keys and to obtain a single-key BBB-secure variant. Besides that, GCM-SIV1.5 utilizes two plaintext blocks calls. Another future direction is to decrease the invocations of block ciphers and to improve the operational efficiencies. Our security is based on the condition that $\mu \le 2^{n/4}$. We leave considering the case of $\mu >2^{n/4}$ as an open problem.