GCM Variants with Robust Initialization Vectors

Abstract

The complexity and isomerization of communication networks have put forth new requirements for cryptographic schemes to ensure the operation of network security protocols. Robust cryptographic schemes have been gradually favored. The robust initialization vector (RIV) instead of the synthetic initialization vector (SIV) was first introduced to support strong security and robust authenticated encryption. This paper first introduces RIV to GCM-SIV1, proposes a robust variant, GCM-RIV1, and proves that it ensures birthday-bound subtle AE (SAE) security and nonce-misuse resistance. Then, to support beyond-birthday-bound (BBB) security with graceful degradation, we introduce another, stronger security variant, GCM-RIV2, and prove that it allows gracefully degrading BBB SAE security in the faulty nonce setting. Finally, the performance of GCM-RIV1 and GCM-RIV2 is discussed and compared.

1. Introduction

With the development of cloud-end convergence networks, the industrial Internet, and the Internet of Things, the security of critical infrastructure and protocols on the network has become more and more important. As a high-speed lightweight authenticated encryption (AE) scheme or protocol, Galois/Counter Mode (GCM) plays an important role in network security communication. GCM is a commonly used AE mode based on symmetric-key cryptography and included in the NIST and IETF standards, and it has been widely used in cloud computing, the Internet of Things, network communication protocols, and other fields [1,2,3]. For example, the well-known transport layer security protocol TLS1.2 uses AES-GCM [3]. However, with the complexity, diversity, and heterogeneity of communication networks, more robust and resilient cryptographic schemes have attracted people’s attention.

Most AE schemes including GCM are nonce-based AE (nAE) schemes and they have proven security in the nonce-respecting setting (the nonce used in the encryption algorithm is distinct). In real life, however, the nonce is often reused. If the nonce is reused, the security of nonce-respecting AE (NRAE) schemes represented by GCM will be broken. To settle this problem, Rogaway and Shrimpton introduced the nonce-misuse-resistant AE (MRAE) notion and proposed the first MRAE construction, called the synthetic initialization vector (SIV) [4]. SIV is roughly as efficient as the general two-pass AE modes (such as CCM), but more resilient to nonce misuse [4]. A large number of MRAE designs followed, such as HBS [5], BTM [6], MR-OMD [7], GCM-SIV [8], AES-GCM-SIV [9], GCM-SIV1 [10], GCM-SIV2 [10], CCM-SIV [11], SAEF [12], and GIFT-COFB [13]. Later, Dutta et al. refined nonce misuse and introduced a faulty nonce notion to specify the degree of repeated nonce tolerance [14]. The faulty nonce notion covers nonce respecting and nonce misuse. For a $\mu$-faulty nonce, if $\mu =0$, it is expected to degenerate to nonce-respecting; if $\mu \ge 1$, it is nonce-misuse. At ASIACRYPT 2021, Choi et al. introduced the faulty nonce to AE, presented a parallelizable nonce-based AE mode SCM, and proved its security with graceful degradation in the faulty nonce security model [15].

In addition to nonce misuse or a faulty nonce, Andreeva et al. proposed a new security model, releasing unverified plaintext (RUP), on the traditional nAE security model, to adapt to a new or side-channel environment in which plaintext information is released before verification [16]. There exist many RUP-secure AE schemes, such as COLM [17], OCB-IC [18], ChaCha20-Poly1305 [19], LOCUS [20], LOTUS [20], GCM-RUP [21], and SAEB [22].

Besides this, Hoang et al. built a robust AE (RAE) notion to adapt to the ciphertext expansion and then constructed a well-optimized AEZ mode [23]. Later, Badertscher et al. investigated RAE and gave formal descriptions for two additional features of RAE [24]. Shrimpton et al. introduced a protected IV (PIV) framework and gave encode-then-encipher over PIV AE with associated data schemes [25]. Barwell et al. introduced a subtle AE (SAE) security notion using an extra “leakage” algorithm on the basis of the traditional AE security model [26]. The SAE security covers RUP and RAE and is able to leak some information about the invalid plaintext. At FSE 2016, Abed et al. extended the SIV framework by adopting an additional pseudorandom function, introduced a robust initialization vector (RIV) framework for robust authenticated encryption, and proved that RIV supports SAE security [27]. RIV fully inherits the security guarantees of SIV, but, unlike SIV and other MRAE schemes, RIV is also provably secure under RUP and RAE. The robustness mentioned here is a gradient concept. RAE is the most robust version and the traditional AE is the most basic version. Aiming at various possible attacks or complex environments, robust AE schemes are designed to meet the corresponding needs to maintain the confidentiality and integrity of data.

Contributions. In order to adapt to the more complex network environment, the goal of this paper is to put forward robust variants on the basis of GCM and incorporate as many characteristics of robustness into our design scheme as possible. To enhance the robustness of GCM-SIV1, we propose its robust variant, called GCM-RIV1, by introducing RIV instead of SIV, and prove that GCM-RIV1 guarantees birthday-bound SAE security of $n/2$-bit and nonce-misuse resistance if the underlying block cipher uses secure pseudorandom permutation (PRP) and the hash function is XOR-universal, where n is the block size. Then, to support beyond-birthday-bound (BBB) security with graceful degradation and a nonce fault, we introduce another variant, GCM-RIV2, and prove that it not only enjoys approximately $3n/4$-bit BBB SAE security but also supports graceful security degradation. Besides this, GCM-RIV1 and GCM-RIV2 are inverse-free, which reduces the cost of block cipher decryption. Moreover, both of them are parallel and robust against the leakage of invalid plaintext. Finally, we present a comparison between our schemes and previous related schemes, which is shown in

Table 1. Comparison between our schemes and previous related schemes, where # represents the count, m represents the largest number of plaintext blocks, n is the block size, and NR (resp. NM, resp. NF) stands for the nonce-respecting setting (resp. the nonce-misuse setting, resp. the nonce-faulty setting).

Scheme	# Key	# Block Cipher	# Hash	Inverse Free	Reference
GCM	2	m	1	Yes	[1]
GCM-SIV1	2	$m+1$	1	Yes	[10]
GCM-SIV2	6	$2m+4$	2	Yes	[10]
GCM-RUP	4	$m+3$	2	No	[21]
GCM-RIV1	2	$m+2$	2	Yes	Section 4
GCM-RIV2	4	$2m+2$	2	Yes	Section 5
GCM	$n/2$-bit	-	-	nAE	Low
GCM-SIV1	$n/2$-bit	$n/2$-bit	-	nAE	Medium
GCM-SIV2	$2n/3$-bit	$2n/3$-bit	-	nAE	Medium
GCM-RUP	$n/2$-bit	$n/2$-bit	-	RUP	High
GCM-RIV1	$n/2$-bit	$n/2$-bit	$n/2$-bit	SAE	Higher
GCM-RIV2	$3n/4$-bit	$3n/4$-bit	$3n/4$-bit 1	SAE	Higher

¹ 3n/4-bit gracefully degradable as parameter μ increases.

.

The rest of the article is arranged as follows. Section 2 presents some basic preliminaries and related security models. Section 3 shows the extended mirror theory. Section 4 and Section 5 show our designs, GCM-RIV1 and GCM-RIV2, and derive their security proof, respectively. Finally, we conclude this paper in Section 6.

2. Preliminaries

Some symbols used in the paper are described in

Table 2. Descriptions of symbols.

Symbol	Description	Symbol	Description
$\mathcal{K}$	the key space	$\mathcal{N}$	the nonce space
$\mathcal{H}$	the associated data space	$\mathcal{M}$	the plaintext space
$\mathcal{C}$	the ciphertext space	$\mathcal{T}$	the authentication tag space
⊕	the bitwise XOR	+	the addition modulo $2^n$
·	the multiplication modulo $2^n$	$\left|\right|$	the concatenation of strings
${\{0,1\}}^{\ast }$	a set of all strings	${\{0,1\}}^n$	a set of n-bit strings
$Perm\left(n\right)$	an n-bit permutation set	↞	uniform random sampling
$Func(m,n)$	a set of all functions from m-bit inputs to n-bit outputs	${\mathcal{A}}^O=1$	an adversary $\mathcal{A}$ outputs 1 after interacting with the oracle O
$Pr\left[E\right]$	the probability of an event E	$\left[r\right]$	a set $\{1,2,\dots ,r\}$
⊤	a valid (success) symbol	⊥	a reject (failure) symbol
$msb$	the most significant bit	$lsb$	the least significant bit
$\left|X\right|$	the number of elements in set X	${\left(2^n\right)}_q$	$2^n·(2^n-1)\dots (2^n-q+1)$

.

Block Cipher. A block cipher is an important part of symmetric-key cryptography and has been widely used in real life, such as standardized block ciphers SM4 and AES. Its mathematical model can be expressed as $E:\mathcal{K}\times {\{0,1\}}^n\to {\{0,1\}}^n$. We describe its pseudorandom permutation (PRP) security model as follows.

Definition 1 

(PRP Advantage [27]). Let $\mathcal{A}$ be an adversary that has access to an encryption oracle E. Then, the PRP advantage of $\mathcal{A}$ against E is defined as

$$\begin{array}{c}\hfill Ad{v}_E^{PRP}\left(\mathcal{A}\right)=\mid Pr[K\twoheadleftarrow \mathcal{K}:{\mathcal{A}}^{E_K}=1]-Pr[\pi \twoheadleftarrow Perm\left(n\right):{\mathcal{A}}^{\pi }=1]\mid .\end{array}$$

Keyed Function. Let $F:\mathcal{K}\times {\{0,1\}}^m\to {\{0,1\}}^n$ be a keyed function. We describe its pseudorandom function (PRF) security model as follows.

Definition 2 

(PRF Advantage [27]). Let $\mathcal{A}$ be an adversary that has access to the function oracle F. Then, the PRF advantage of $\mathcal{A}$ against F is defined as

$$\begin{array}{c}\hfill Ad{v}_F^{PRF}\left(\mathcal{A}\right)=\mid Pr[K\twoheadleftarrow \mathcal{K}:{\mathcal{A}}^{F_K}=1]-Pr[\$\twoheadleftarrow Func(m,n):{\mathcal{A}}^{\$}=1]\mid .\end{array}$$

Nonce-Based Authenticated Encryption (nAE). An nAE with associated data scheme $\Pi =(\mathcal{E},\mathcal{D})$ consists of an encryption algorithm $\mathcal{E}:\mathcal{K}\times \mathcal{N}\times \mathcal{H}\times \mathcal{M}\to \mathcal{C}\times \mathcal{T}$ and a decryption algorithm $\mathcal{D}:\mathcal{K}\times \mathcal{N}\times \mathcal{H}\times \mathcal{C}\times \mathcal{T}\to \mathcal{M}\cup \{\perp \}$. The correctness means that $(C,T)={\mathcal{E}}_K(N,A,M)$ if and only if (iff) $M={\mathcal{D}}_K(N,A,C,T)$. For nAE schemes, the conventional security model includes IND-CPA and INT-CTXT, which are described as follows.

Definition 3 

(IND-CPA Advantage [27]). Let $\mathcal{A}$ be an adversary that has access to an encryption oracle $\mathcal{E}$. Then, the IND-CPA advantage of $\mathcal{A}$ against Π is defined as

$$\begin{array}{c}\hfill Ad{v}_{\Pi }^{IND-CPA}\left(\mathcal{A}\right)=\mid Pr[K\twoheadleftarrow \mathcal{K}:{\mathcal{A}}^{{\mathcal{E}}_K}=1]-Pr[{\mathcal{A}}^{\$}=1]\mid \end{array}$$

where $ is the ideal version of ${\mathcal{E}}_K$.

Definition 4 

(INT-CTXT Advantage [27]). Let $\mathcal{A}$ be an adversary that has access to an encryption oracle $\mathcal{E}$ and a decryption oracle $\mathcal{D}$ but does not make repeated queries. Then, the INT-CTXT advantage of $\mathcal{A}$ against Π is defined as

$$\begin{array}{c}\hfill Ad{v}_{\Pi }^{INT-CTXT}\left(\mathcal{A}\right)=Pr[K\twoheadleftarrow \mathcal{K}:{\mathcal{A}}^{{\mathcal{E}}_K,{\mathcal{D}}_K}forges]\end{array}$$

where forge means that ${\mathcal{D}}_K$ returns anything other than ⊥ for any query of $\mathcal{A}$.

Later, Rogaway and Shrimpton introduced the all-in-one AE security notion [4], which is described as follows.

Definition 5 

(nAE Advantage [4,27]). Let $\mathcal{A}$ be an adversary that has access to an encryption oracle $\mathcal{E}$ and a decryption oracle $\mathcal{D}$ but does not make repeated queries. Then, the nAE advantage of $\mathcal{A}$ against Π is defined as

$$\begin{array}{c}\hfill Ad{v}_{\Pi }^{nAE}\left(\mathcal{A}\right)=\mid Pr[K\twoheadleftarrow \mathcal{K}:{\mathcal{A}}^{{\mathcal{E}}_K,{\mathcal{D}}_K}=1]-Pr[{\mathcal{A}}^{\$,\perp }=1]\mid \end{array}$$

where $ is the ideal version of ${\mathcal{E}}_K$ and ⊥ is a reject function that always returns a reject symbol.

The all-in-one AE security covered IND-CPA and INT-CTXT; the decomposition of nAE security is described as follows.

Lemma 1 

(Decomposition of nAE Security [26,27]). Let $\mathcal{A}$ be an adversary that runs in time at most t and asks at most q queries of at most σ blocks to its respective oracles. Then, there exist computationally bounded IND-CPA and INT-CTXT adversaries $\mathcal{B}$ and $\mathcal{C}$, respectively, on Π such that

$$\begin{array}{c}\hfill Ad{v}_{\Pi }^{nAE}\left(\mathcal{A}\right)\le Ad{v}_{\Pi }^{IND-CPA}\left(\mathcal{B}\right)+Ad{v}_{\Pi }^{INT-CTXT}\left(\mathcal{C}\right),\end{array}$$

where $\mathcal{B}$ and $\mathcal{C}$ each make at most q queries of at most σ blocks and run in time $O\left(t\right)$ each.

Subtle Authenticated Encryption (SAE). An SAE scheme $\Pi =(\mathcal{E},\mathcal{D},\Lambda )$ introduced by Barwell et al. [26] includes a new deterministic leakage algorithm $\Lambda :\mathcal{K}\times \mathcal{N}\times \mathcal{H}\times \mathcal{C}\times \mathcal{T}\to \{\top \}\cup \mathcal{L}$ in addition to the encryption and decryption algorithms $\mathcal{E}$ and $\mathcal{D}$ as above, where $\mathcal{L}$ is a non-empty leakage space.

Definition 6 

(ERR-CCA Advantage [26,27]). Let $\mathcal{A}$ be an adversary that has access to an encryption oracle $\mathcal{E}$, a decryption oracle $\mathcal{D}$, and a leakage oracle Λ but does not make repeated queries. Then, the ERR-CCA advantage of $\mathcal{A}$ against Π is defined as

$$\begin{array}{c}\hfill Ad{v}_{\Pi }^{ERR-CCA}\left(\mathcal{A}\right)=\mid Pr[K\twoheadleftarrow \mathcal{K}:{\mathcal{A}}^{{\mathcal{E}}_K,{\mathcal{D}}_K,{\Lambda }_K}=1]-Pr[K,K^{\prime }\twoheadleftarrow \mathcal{K}:{\mathcal{A}}^{{\mathcal{E}}_K,{\mathcal{D}}_K,{\Lambda }_{K^{\prime }}}=1]\mid .\end{array}$$

Definition 7 

(SAE Advantage [26,27]). Let $\mathcal{A}$ be an adversary that has access to an encryption oracle $\mathcal{E}$, a decryption oracle $\mathcal{D}$, and a leakage oracle Λ but does not make repeated queries. Then, the SAE advantage of $\mathcal{A}$ against Π is defined as

$$\begin{array}{c}\hfill Ad{v}_{\Pi }^{SAE}\left(\mathcal{A}\right)=\mid Pr[K\twoheadleftarrow \mathcal{K}:{\mathcal{A}}^{{\mathcal{E}}_K,{\mathcal{D}}_K,{\Lambda }_K}=1]-Pr[K^{\prime }\twoheadleftarrow \mathcal{K}:{\mathcal{A}}^{\$,\perp ,{\Lambda }_{K^{\prime }}}=1]\mid \end{array}$$

where $ is the ideal version of ${\mathcal{E}}_K$ and ⊥ is a reject function that always returns a reject symbol.

Lemma 2 

(Decomposition of SAE Security [26,27]). Let $\mathcal{A}$ run in time at most t and ask at most q queries of at most σ blocks to its respective oracles. Then, there exist computationally bounded IND-CPA, INT-CTXT, and ERR-CCA adversaries $\mathcal{B}$, $\mathcal{C}$, and $\mathcal{D}$, respectively, on Π such that

$$\begin{array}{c}\hfill Ad{v}_{\Pi }^{SAE}\left(\mathcal{A}\right)\le Ad{v}_{\Pi }^{IND-CPA}\left(\mathcal{B}\right)+Ad{v}_{\Pi }^{INT-CTXT}\left(\mathcal{C}\right)+Ad{v}_{\Pi }^{ERR-CCA}\left(\mathcal{D}\right),\end{array}$$

where $\mathcal{B}$, $\mathcal{C}$, and $\mathcal{D}$ each make at most q queries of at most σ blocks and run in time $O\left(t\right)$ each.

AXU Hash Functions [27]. Let $H:{\mathcal{K}}_H\times {\{0,1\}}^{\ast }\to {\{0,1\}}^n$ be a hash function, where ${\mathcal{K}}_H$ is a non-empty hash key space. Let L be a hash key randomly drawn from ${\mathcal{K}}_H$. If, for any distinct $x,x^{\prime }\in {\{0,1\}}^{\ast }$ and $y\in {\{0,1\}}^n$, it holds that

$$\begin{array}{c}\hfill Pr[L\twoheadleftarrow {\mathcal{K}}_H:H_L\left(x\right)\oplus H_L\left(x^{\prime }\right)=y]\le ϵ,\end{array}$$

then H is considered to be $ϵ$ almost XOR universal ($ϵ$-AXU). If $ϵ=2^{-n}$, H is called an XOR universal (XU) hash function.

H-Coefficient Technique [28,29]. The H-coefficient technique introduced by Patarin is a very useful tool in the security proof of symmetric-key cryptography. Assume that $\mathcal{A}$ is a deterministic adversary whose goal is to distinguish the real scheme X from the ideal scheme Y. $\mathcal{A}$ interacts with X and Y and records a series of query–response pairs as a transcript $\tau$. Let $\Gamma$ be the set of all possible transcripts. Let $X_{re}$ be the random variable interacting with X and $Y_{id}$ be the random variable interacting with Y. Then, the H-coefficient lemma is presented as follows.

Lemma 3 

(H-Coefficient Lemma [29]). Let $\Gamma ={\Gamma }_{good}\cup {\Gamma }_{bad}$ and $\epsilon ,\delta \in [0,1]$. If $Pr[Y_{id}\in {\Gamma }_{bad}]\le \epsilon$ and for all $\tau \in {\Gamma }_{good}$, $Pr[X_{re}=\tau ]/Pr[Y_{id}=\tau ]\ge 1-\delta$, then

$$\begin{array}{c}\hfill |Pr[{\mathcal{A}}^X=1]-Pr[{\mathcal{A}}^Y=1]|\le \epsilon +\delta .\end{array}$$

O extends $\tau$. Given a transcript $\tau =\{(x_1,y_1),\dots ,(x_q,y_q)\}$ and an oracle O, if $O\left(x_i\right)=y_i$ for all $i\in \left[q\right]$, we consider that O extends $\tau$, which is symbolized as $O⊢\tau$.

3. Extended Mirror Theory

Let $\mathcal{E}={\mathcal{E}}^{=}\cup {\mathcal{E}}^{\ne }$ be the following affine system of bi-variate equations and non-equations [30,31]:

$$\begin{array}{c}\hfill {\mathcal{E}}^{=}\left\{\begin{array}{cc}& X_1\oplus Y_1={\lambda }_1\hfill \\ & X_2\oplus Y_2={\lambda }_2\hfill \\ & \dots \dots \dots \dots \dots \hfill \\ & X_q\oplus Y_q={\lambda }_q\hfill \end{array}\right.{\mathcal{E}}^{\ne }\left\{\begin{array}{cc}& X_1^{\prime }\oplus Y_1^{\prime }\ne {\lambda }_1^{\prime }\hfill \\ & X_2^{\prime }\oplus Y_2^{\prime }\ne {\lambda }_2^{\prime }\hfill \\ & \dots \dots \dots \dots \dots \hfill \\ & X_{q_v}^{\prime }\oplus Y_{q_v}^{\prime }\ne {\lambda }_{q_v}^{\prime }\hfill \end{array}\right.\end{array}$$

The affine system $\mathcal{E}$ can be described as an undirected weighted graph $G=<V,E,W>$ or bipartite graph $G=<V_1,V_2,E,W>$, where the vertex set $V=V_1\cup V_2$, the edge set E, and the weighted function W are, respectively,

$$\begin{array}{cc}& V_1=\{X_1,\dots ,X_q,X_1^{\prime },\dots ,X_{q_v}^{\prime }\},V_2=\{Y_1,\dots ,Y_q,Y_1^{\prime },\dots ,Y_{q_v}^{\prime }\},\hfill \\ & E=\{e=(X,Y)\}\cup \{e^{\prime }=(X^{\prime },Y^{\prime })\},\hfill \\ & W:E\to {\{0,1\}}^n.\hfill \end{array}$$

Let $G^{=}=<V^{=},E^{=},W>$ be the subgraph of G induced by ${\mathcal{E}}^{=}$. We assume that $G^{=}$ is divided into $\alpha$ components with more than two vertexes and $\beta$ components with only two vertexes, i.e., $G^{=}=C_1\cup \dots \cup C_{\alpha }\cup D_1\cup \dots \cup D_{\beta }$.

We say that graph G is good if it satisfies the following three conditions:

• $G^{=}$ must be acylic, i.e., $G^{=}$ has no graph cycles.
• $W\left(\mathcal{P}\right)\ne 0$ for all paths $\mathcal{P}$ in the graph $G^{=}$, where $W\left(\mathcal{P}\right)={\sum }_{e\in \mathcal{P}}W\left(e\right)$.
• $W\left(\mathcal{C}\right)\ne 0$ for all cycles $\mathcal{C}$ with exactly one non-equation edge $e^{\prime }$ (the remaining edges are the equation edges) in the graph G, where $W\left(\mathcal{C}\right)={\sum }_{e\in \mathcal{C}}W\left(e\right)$.

For a bipartite graph G, we say that G is good if it satisfies the following three conditions:

• $G^{=}$ must be acylic, i.e., $G^{=}$ has no graph cycles.
• $W\left(\mathcal{P}\right)\ne 0$ for all paths $\mathcal{P}$ with an even length in the graph $G^{=}$, where $W\left(\mathcal{P}\right)={\sum }_{e\in \mathcal{P}}W\left(e\right)$.
• $W\left(\mathcal{C}\right)\ne 0$ for all cycles $\mathcal{C}$ with an even length containing exactly one non-equation edge $e^{\prime }$ (the remaining edges are the equation edges) in the graph G, where $W\left(\mathcal{C}\right)={\sum }_{e\in \mathcal{C}}W\left(e\right)$.

Lemma 4 

(Graph Description of Extended Mirror Theory [30]). Let $G=<V,E,W>$ be a good undirected weighted graph induced by $\mathcal{E}$, and $\left|V\right|=r,\left|E\right|=q+q_v$. Let $q_c$ be the total edges of components with more than two vertexes. Then, the number of solutions to $\mathcal{E}$ that are chosen from ${\{0,1\}}^n$ is at least

$$\begin{array}{c}\hfill \frac{{\left(2^n\right)}_r}{2^{nq}}(1-\frac{9q_c^2}{4·2^n}-\frac{9q_c^{2}q+24q_c{q}^2+6q_{c}q+40q^2}{2^{2n}}-\frac{16q^4}{2^{3n}}-\frac{7q_v}{2^n}).\end{array}$$

Lemma 5 

(Bipartite Graph Description of Extended Mirror Theory [30]). Let $G=<V_1,V_2,E,$$W>$ be a good undirect weighted bipartite graph induced by $\mathcal{E}$, and $|V_1|=q^{\prime },|V_2|=q^{″},q^{\prime }+q^{″}=r,\left|E\right|=q+q_v$. Let $q_c$ be the total edges of components with more than two vertexes. Then, the number of solutions to $\mathcal{E}$ that are chosen from ${\{0,1\}}^n$ is at least

$$\begin{array}{c}\hfill \frac{{\left(2^n\right)}_{q^{\prime }}{\left(2^n\right)}_{q^{″}}}{2^{nq}}(1-\frac{9q_c^2}{4·2^n}-\frac{9q_c^{2}q+6q_c{q}^2+4q^2}{4·2^{2n}}-\frac{8q^4}{3·2^{3n}}-\frac{5q_v}{2^n}).\end{array}$$

4. GCM-RIV1

We introduce RIV to GCM-SIV1, propose GCM-RIV1, and prove its sAE security. GCM-RIV1 inherits the full security guarantee from GCM-SIV1 and provides stronger security and robustness against the leakage of invalid plaintext.

4.1. Specific Description of GCM-RIV1

Let $H:{\mathcal{K}}_H\times \mathcal{N}\times \mathcal{H}\times {\{0,1\}}^{\ast }\to {\{0,1\}}^n$ be an $ϵ$ AXU hash function, and $E:{\mathcal{K}}_E\times {\{0,1\}}^n\to {\{0,1\}}^n$ be a block cipher, where ${\mathcal{K}}_H$ is a hash key space, $\mathcal{N}$ is a nonce space, $\mathcal{H}$ is an associated data space, ${\mathcal{K}}_E$ is an encryption key space, and n is the block size.

According to the idea of RIV, firstly, a nonce $N\in \mathcal{N}$, an associated datum $A\in \mathcal{H}$, and a plaintext $M\in {\{0,1\}}^{\ast }$ can be processed by a function constructed by a hash function H with a hash key $L\in {\mathcal{K}}_H$ and a block cipher E with an encryption key $K\in {\mathcal{K}}_E$ to generate a robust initialization vector $V\in {\{0,1\}}^n$. Then, the initialization vector V and the plaintext M are taken as inputs of the CounTeR (CTR) encryption algorithm with a block cipher $E_K$ and return the ciphertext C. Again, the nonce N, the associated datum A, and the ciphertext C are processed by the function constructed by a hash function H with a hash key L and a block cipher E with an encryption key K and then it returns S. Finally, S is added to V to generate the authentication tag $T\in {\{0,1\}}^n$.

The overview of GCM-RIV1 is illustrated in Figure 1. The key generation, encryption, decryption, leakage, GHASH, and CTR algorithms are shown in Algorithms 1, 2, 3, 4, 5 and 6, respectively.

Algorithm 1 The key generation algorithm: $\mathcal{KG}$

Input: a key parameter k Output: two keys $(L,K)$ $(L,K)\stackrel{\$}{\leftarrow }{\mathcal{K}}_H\times {\mathcal{K}}_E$ return$(L,K)$

Algorithm 2 The encryption algorithm: $\mathcal{E}$

Input: two keys $(L,K)$, a nonce N, an associated datum A, and a plaintext M Output: a ciphertext C and a tag T $I=H_L(N,A,M)=GHAS{H}_L(A,M)\oplus N\left|\right|{\left[0\right]}_{\frac{n}{4}}$ $V=E_K\left(I\right)$ $C=CT{R}_K(V,M)$ $J=H_L(N,A,C)=GHAS{H}_L(A,C)\oplus N\left|\right|{\left[0\right]}_{\frac{n}{4}}$ $S=E_K\left(J\right)$ $T=V\oplus S$ return$(C,T)$

Algorithm 3 The decryption algorithm: $\mathcal{D}$

Input: two keys $(L,K)$, a nonce N, an associated datum A, a ciphertext C, and a tag T Output: a plaintext M or ⊥ $J=H_L(N,A,C)=GHAS{H}_L(A,C)\oplus N\left|\right|{\left[0\right]}_{\frac{n}{4}}$ $S=E_K\left(J\right)$ $V=T\oplus S$ $M=CT{R}_K(V,C)$ $I=H_L(N,A,M)=GHAS{H}_L(A,M)\oplus N\left|\right|{\left[0\right]}_{\frac{n}{4}}$ $V^{\prime }=E_K\left(I\right)$ if $V^{\prime }=V$, return M else return ⊥ (INVALID) endif

Algorithm 4 The leakage algorithm: $\Lambda$

Input: two keys $(L,K)$, a nonce N, an associated datum A, a ciphertext C, and a tag T Output: a leaking invalid plaintext M or ⊤ $J=H_L(N,A,C)=GHAS{H}_L(A,C)\oplus N\left|\right|{\left[0\right]}_{\frac{n}{4}}$ $S=E_K\left(J\right)$ $V=T\oplus S$ $M=CT{R}_K(V,C)$ $I=H_L(N,A,M)=GHAS{H}_L(A,M)\oplus N\left|\right|{\left[0\right]}_{\frac{n}{4}}$ $V^{\prime }=E_K\left(I\right)$ if $V^{\prime }=V$, return ⊤ else return M endif

Algorithm 5 GHASH algorithm: $GHAS{H}_L(A,M)$

Input: a key L, an associated datum A, and a plaintext M Output: a hash value h $A^{+}\leftarrow A\left|\right|0^{n-\left|A\right|modn}$, $M^{+}\leftarrow M\left|\right|0^{n-\left|M\right|modn}$ $X\leftarrow A^{+}\left|\right|M^{+}{\left|\right|\left[\right|A\left|\right]}_{n/2}{\left|\right|\left[\right|M\left|\right]}_{n/2}$ $X_1\parallel \dots \parallel X_x\leftarrow X$, $|X_i|=n,1\le i\le x$ $h\leftarrow 0$ for $i=1$ to x do      $h\leftarrow (h\oplus X_i)·L$ endfor return h

Algorithm 6 CTR algorithm: $CT{R}_K(V,M)$

Input: a key K, an initial vector V, and a plaintext M Output: a ciphertext C Partition M into $M_1\parallel \dots \parallel M_m$, $|M_i|=n,1\le i\le m-1,0<|M_m|\le n$ for $i=1$ to $m-1$ do      $C_i\leftarrow E_K(V+i)\oplus M_i$ endfor $C_m\leftarrow ms{b}_{|M_m|}\left(E_K(V+m)\right)\oplus M_m$ return $C=C_1\left|\right|C_2\left|\right|\dots \left|\right|C_m$

4.2. Security of GCM-RIV1

We present the information-theoretic security proof of GCM-RIV1 under the assumption that the underlying block cipher is a secure pseudorandom permutation.

Theorem 1. 

Let H be an ϵ-AXU hash function. Let $\mathcal{A}$ be an adversary against GCM-RIV1 that makes at most q queries with at most σ blocks in total. Then, there exists an adversary $\mathcal{B}$ against E that makes at most $7(2q+\sigma )$ queries, and one has

$$\begin{array}{c}\hfill Ad{v}_{GCM-RIV1}^{SAE}\left(\mathcal{A}\right)\le Ad{v}_E^{PRP}\left(\mathcal{B}\right)+\frac{6{(q+\sigma )}^2+3q}{2^n}+12q^2ϵ.\end{array}$$

Proof. 

The idea of the proof depends on the decomposition of the SAE security model. Thus, calculating the upper bound on $Ad{v}_{GCM-RIV1}^{SAE}\left(\mathcal{A}\right)$ is transformed into calculating the upper bounds of $Ad{v}_{GCM-RIV1}^{IND-CPA}\left({\mathcal{A}}_1\right)$, $Ad{v}_{GCM-RIV1}^{INT-CTXT}\left({\mathcal{A}}_2\right)$, and $Ad{v}_{GCM-RIV1}^{ERR-CCA}\left({\mathcal{A}}_3\right)$, where ${\mathcal{A}}_1,{\mathcal{A}}_2$ and ${\mathcal{A}}_3$ are IND-CPA, INT-CTXT, and ERR-CCA adversaries against GCM-RIV1, respectively, and each makes at most q queries of at most $\sigma$ blocks.

First, we upper-bound $Ad{v}_{GCM-RIV1}^{IND-CPA}\left({\mathcal{A}}_1\right)$. In the IND-CPA security model, the adversary ${\mathcal{A}}_1$ makes q queries to the encryption oracle ${\mathcal{E}}_K$ (real scheme GCM-RIV1) or $ (ideal version of GCM-RIV1). According to Definition 3, one has

$$\begin{array}{c}\hfill Ad{v}_{GCM-RIV1}^{IND-CPA}\left({\mathcal{A}}_1\right)=\mid Pr[K\twoheadleftarrow \mathcal{K}:{\mathcal{A}}^{{\mathcal{E}}_K}=1]-Pr[{\mathcal{A}}^{\$}=1]\mid \end{array}$$

We replace the block ciphers $E_K$ in GCM-RIV1 with a random permutation $\pi$, which costs $Ad{v}_E^{PRP}\left(\mathcal{B}\right)$ for a PRP adversary $\mathcal{B}$ against E with at most $q+\sigma$ queries.

We assume that the adversary ${\mathcal{A}}_1$ makes q queries $(N^1,A^1,M^1),\dots ,(N^q,A^q,M^q)$ to the encryption oracle and it reruns $(C^1,T^1),\dots ,(C^q,T^q)$. We record all query–response pairs as a transcript $\tau =\{(N^1,A^1,M^1,C^1,T^1),\dots ,(N^q,A^q,M^q,C^q,T^q)\}$.

According to the H-coefficient lemma (Lemma 3), here, we first define a bad transcript and then state the probability of a bad transcript in the ideal world.

Definition 8. 

A transcript τ is called bad if one of the following events holds:

1. 

Collisions occur between the outputs of the ϵ-AXU hash function $H_L$.

• Bad1: $I^i=I^j$ ($V^i=V^j$) for any $1\le i\ne j\le q$.
• Bad2: $J^i=J^j$ ($S^i=S^j$) for any $1\le i\ne j\le q$.
• Bad3: $I^i=J^j$ ($V^i=S^j$) for any $1\le i,j\le q$.

2. 

Collisions occur between the inputs or outputs of π.

• Bad4: $V^i+k=V^j+l$ for any $1\le i,j\le q$, $1\le k\le m^i,1\le l\le m^j$, and $(i,k)\ne (j,l)$.
• Bad5: $V^i+k=I^j$ for any $1\le i,j\le q$, $1\le k\le m^i$.
• Bad6: $V^i+k=J^j$ for any $1\le i,j\le q$, $1\le k\le m^i$.

3. 

Collisions occur between the authentication tags.

• Bad7: $T^i=T^j$ for any $1\le i\ne j\le q$.

Let ${\Gamma }_{bad}$ be a set of all bad transcripts, $\Gamma$ be a set of all transcripts, and $\Gamma ={\Gamma }_{bad}\cup {\Gamma }_{good}$. Let $X_{re}$ be the random variable interacting with the real scheme GCM-RIV1[$\pi$] and $Y_{id}$ be the random variable interacting with the ideal version. We first upper-bound the probability $Pr[Y_{id}\in {\Gamma }_{bad}]$.

For the event Bad1, given any two distinct tuples of the nonce, the associated data, and the plaintext $(N^i,A^i,M^i)\ne (N^j,A^j,M^j)$, according to the properties of the $ϵ$-AXU hash function H, the probability of $I^i=I^j$ is

$$\begin{array}{c}\hfill Pr[I^i=I^j]=Pr[H_L(N^i,A^i,M^i)=H_L(N^j,A^j,M^j)]\le ϵ.\end{array}$$

Therefore, for q queries, one has

$$\begin{array}{c}\hfill Pr\left[Bad1\right]=\sum _{1\le i\ne j\le q}Pr[I^i=I^j]\le q^2ϵ/2.\end{array}$$

Similarly, for the event Bad2, one has $Pr\left[Bad2\right]={\sum }_{1\le i\ne j\le q}Pr[J^i=J^j]\le q^2ϵ/2$.

For the event Bad3, one has $Pr\left[Bad3\right]={\sum }_{1\le i,j\le q}Pr[I^i=J^j]\le q^2ϵ$.

For the event Bad4, according to $\sigma ={\sum }_{1\le i\le q}{m}^i={\sum }_{1\le j\le q}{m}^j$, one has

$$\begin{array}{cc}\hfill Pr\left[Bad4\right]& =\sum _{1\le i\ne j\le q}\sum _{1\le k\le m^i,1\le l\le m^j}Pr[V^i+k=V^j+l]+\sum _{1\le i\le q}\sum _{1\le k\ne l\le m^i}Pr[V^i+k=V^j+l]\hfill \\ & \le {\sigma }^2/2^n.\hfill \end{array}$$

For the event Bad5, according to the properties of the $ϵ$-AXU hash function H, the probability of $V^i+k=I^j$ is

$$\begin{array}{c}\hfill Pr[V^i+k=I^j]=Pr[V^i+k=H_L(N^j,A^j,M^j)]\le 1/2^n.\end{array}$$

Therefore, for q queries, according to $\sigma ={\sum }_{1\le i\le q}{m}^i$, one has

$$\begin{array}{c}\hfill Pr\left[Bad5\right]=\sum _{1\le i,j\le q}\sum _{1\le k\le m^i}Pr[V^i+k=I^j]\le q\sigma /2^n.\end{array}$$

Similarly, for the event Bad6, $Pr\left[Bad6\right]={\sum }_{1\le i,j\le q}{\sum }_{1\le k\le m^i}Pr[V^i+k=J^j]\le q\sigma /2^n$.

For the event Bad7, one has $Pr\left[Bad7\right]={\sum }_{1\le i\ne j\le q}Pr[T^i=T^j]\le q^2/2^{n+1}$.

To sum up, one has

$$\begin{array}{c}\hfill Pr[Y_{id}\in {\Gamma }_{bad}]=\bigcup _{1\le i\le 7}Pr\left[Badi\right]\le \sum _{1\le i\le 7}Pr\left[Badi\right]\le \frac{{(q+\sigma )}^2}{2^n}+2q^2ϵ.\end{array}$$

In the good transcript $\tau$, we bound the ratio between $Pr[X_{re}=\tau ]$ and $Pr[Y_{id}=\tau ]$.

For the real scheme GCM-RIV1[$\pi$], one has

$$\begin{array}{cc}\hfill Pr[X_{re}=\tau ]& =Pr[\pi \in Perm(n):GCM-RIV1[\pi ]⊢\tau ]\hfill \\ & =\frac{|\pi \in Perm(n):GCM-RIV1[\pi ]⊢\tau |}{\left|Perm\right(n\left)\right|}\hfill \\ & =\frac{(2^n-(q+\sigma ))!}{\left(2^n\right)!}=\frac{1}{{\left(2^n\right)}_{q+\sigma }}\ge \frac{1}{2^{(q+\sigma )n}}.\hfill \end{array}$$

For the ideal version $, one has

$$\begin{array}{c}\hfill Pr[Y_{id}=\tau ]=Pr[\$\in Func(\left|N\right|+\left|A\right|+\left|M\right|,(q+\sigma )n):\$⊢\tau ]=\frac{1}{2^{(q+\sigma )n}}.\end{array}$$

Therefore, the ratio between $Pr[X_{re}=\tau ]$ and $Pr[Y_{id}=\tau ]$ is $\frac{Pr[X_{re}=\tau ]}{Pr[Y_{id}=\tau ]}\ge 1$.

Therefore, according to the H-coefficient technique, for a PRP adversary $\mathcal{B}$ against E with at most $q+\sigma$ queries, one has

$$\begin{array}{c}\hfill Ad{v}_{GCM-RIV1}^{IND-CPA}\left({\mathcal{A}}_1\right)\le Ad{v}_E^{PRP}\left(\mathcal{B}\right)+\frac{{(q+\sigma )}^2}{2^n}+2q^2ϵ.\end{array}$$

Then, we upper-bound $Ad{v}_{GCM-RIV1}^{INT-CTXT}\left({\mathcal{A}}_2\right)$. In the INT-CTXT security model, the adversary ${\mathcal{A}}_2$ has access to encryption and decryption oracles ${\mathcal{E}}_K$ and ${\mathcal{D}}_K$, with at most q queries of at most $\sigma$ blocks each. According to Definition 4, one has

$$\begin{array}{c}\hfill Ad{v}_{GCM-RIV1}^{INT-CTXT}\left(\mathcal{A}\right)=Pr[K\twoheadleftarrow \mathcal{K}:{\mathcal{A}}^{{\mathcal{E}}_K,{\mathcal{D}}_K}forges].\end{array}$$

The evaluation of $Ad{v}_{GCM-RIV1}^{INT-CTXT}\left({\mathcal{A}}_2\right)$ is similar to the above. Therefore, we briefly describe it here. In the decryption oracle, for every fresh tuple of the nonce, the associated data, and the plaintext, the $ϵ$-AXU hash function H generates an identical I or V with $ϵ$ probability. Similarly, for every fresh tuple of the nonce, the associated data, and the ciphertext, the $ϵ$-AXU hash function H generates an identical J or S with $ϵ$ probability. Therefore, the adversary makes q queries to bring at most approximately $q^2ϵ$ collision probabilities. In addition, I may collide with J, which brings about $q^2ϵ$ collision probabilities. For each fresh V, CTR will generate a random key-stream. According to the result of the CTR mode, it costs $Ad{v}_E^{PRP}\left(\mathcal{B}\right)+\frac{{\sigma }^2}{2^n}$. Similarly, collisions may occur between the authentication tags, which cost $\frac{q^2}{2^{n+1}}$. Besides this, $V+1,V+2,\dots$ may collide with I or J, which costs $\frac{2q\sigma }{2^n}$. For each new tuple of the nonce, the associated data, the ciphertext, and the authentication tag, the probability that the decryption algorithm passes the verification is at most $q/2^n$. Therefore, for a PRP adversary $\mathcal{B}$ against E with at most $2(2q+\sigma )$ queries, one has

$$\begin{array}{c}\hfill Ad{v}_{GCM-RIV1}^{INT-CTXT}\left({\mathcal{A}}_2\right)\le Ad{v}_E^{PRP}\left(\mathcal{B}\right)+\frac{{(q+\sigma )}^2+q}{2^n}+2q^2ϵ.\end{array}$$

Finally, we upper-bound $Ad{v}_{GCM-RIV1}^{ERR-CCA}\left({\mathcal{A}}_3\right)$. In the ERR-CCA security model, the adversary ${\mathcal{A}}_3$ has access to encryption, decryption, and leakage oracles, with at most q queries of at most $\sigma$ blocks each. According to Definition 6, one has

$$\begin{array}{c}\hfill Ad{v}_{GCM-RIV1}^{ERR-CCA}\left(\mathcal{A}\right)=\mid Pr[K\twoheadleftarrow \mathcal{K}:{\mathcal{A}}^{{\mathcal{E}}_K,{\mathcal{D}}_K,{\Lambda }_K}=1]-Pr[K,K^{\prime }\twoheadleftarrow \mathcal{K}:{\mathcal{A}}^{{\mathcal{E}}_K,{\mathcal{D}}_K,{\Lambda }_{K^{\prime }}}=1]\mid .\end{array}$$

Similar to the cases above, the probability of bad events (collisions occur) in the encryption or decryption oracles is upper-bounded by $Ad{v}_E^{PRP}\left(\mathcal{B}\right)+\frac{{(q+\sigma )}^2}{2^n}+2q^2ϵ$. In the leakage algorithm $\Lambda$, for two distinct dummy keys $K,K^{\prime }$, the probability of bad events (collisions occur) is also upper-bounded by $Ad{v}_E^{PRP}\left(\mathcal{B}\right)+\frac{{(q+\sigma )}^2}{2^n}+2q^2ϵ$. Besides this, for each new tuple of the nonce, the associated data, the ciphertext, and the authentication tag, the probability that the leakage algorithm passes the verification is at most $q/2^n$. Therefore, for a PRP adversary $\mathcal{B}$ against E with at most $4(2q+\sigma )$ queries, one has

$$\begin{array}{c}\hfill Ad{v}_{GCM-RIV1}^{ERR-CCA}\left({\mathcal{A}}_3\right)\le Ad{v}_E^{PRP}\left(\mathcal{B}\right)+\frac{4{(q+\sigma )}^2+2q}{2^n}+8q^2ϵ.\end{array}$$

To summarize, according to Lemma 2, the SAE security of GCM-RIV1 is upper-bounded by

$$\begin{array}{c}\hfill Ad{v}_{GCM-RIV1}^{SAE}\left(\mathcal{A}\right)\le Ad{v}_E^{PRP}\left(\mathcal{B}\right)+\frac{6{(q+\sigma )}^2+3q}{2^n}+12q^2ϵ.\end{array}$$

The security proof of Theorem 1 is finished.    □

Theorem 1 shows that GCM-RIV1 enjoys birthday-bound SAE security with $n/2$-bit and nonce-misuse resistance if the underlying block cipher is a secure PRP and $ϵ=2^{-n}$.

5. GCM-RIV2

To support beyond-birthday-bound (BBB) security, we introduce the sum of permutation (SoP) construction to GCM-RIV1, propose GCM-RIV2, and prove its sAE security. GCM-RIV2 provides stronger BBB security and robustness against the leakage of invalid plaintext.

5.1. Specific Description of GCM-RIV2

Before describing the specific scheme, let us explain our design idea. In the beginning, we wished to construct it based on GCM-SIV2. GCM-SIV2 is a BBB-secure nonce-based AE scheme and it follows SIV. Similar to GCM-RIV1, we introduce RIV instead of SIV to GCM-SIV2 and invoke two extra hash functions to generate two initialization vectors. In the encryption algorithm of GCM-SIV2, two initialization vectors are taken as the inputs of the SoP-based CTR-like mode to generate the key-stream and then the result is XORed to the plaintext to generate the ciphertext. Meanwhile, two initialization vectors are taken as the inputs of an SoP construction to generate the authentication tag. However, we found that the design obtained in this way is very inefficient. To improve the efficiency while ensuring BBB security, we utilize an initialization vector and a nonce instead of two initialization vectors so that we can perform pre-calculations during the encryption and decryption. Let us name this new scheme GCM-RIV2. The encryption part of GCM-RIV2 is an SoP-based CTR-like mode that ensures BBB security. The authentication part of GCM-RIV2 is an XOR construction of two pseudorandom values, which ensures BBB security.

We specifically describe GCM-RIV2 as follows. Let $H:{\mathcal{K}}_H\times \mathcal{N}\times \mathcal{H}\times {\{0,1\}}^{\ast }\to {\{0,1\}}^n$ be an $ϵ$-AXU-hash function and $E:{\mathcal{K}}_E\times {\{0,1\}}^n\to {\{0,1\}}^n$ be a block cipher, where ${\mathcal{K}}_H$ is a hash key space, $\mathcal{N}$ is a nonce space, $\mathcal{H}$ is an associated data space, ${\mathcal{K}}_E$ is an encryption key space, and n is the block size.

According to the idea of RIV, firstly, a nonce $N\in \mathcal{N}$, an associated datum $A\in \mathcal{H}$, and a plaintext $M\in {\{0,1\}}^{\ast }$ can be processed by a function constructed by a hash function H with a hash key $L\in {\mathcal{K}}_H$ and a block cipher E with an encryption key $K\in {\mathcal{K}}_E$ to generate a robust initialization vector $V\in {\{0,1\}}^n$. Then, the initialization vector V, the nonce N, and the plaintext M are taken as inputs of the SoP-based CTR encryption algorithm with two block ciphers $E_{K_1}$ and $E_{K_2}$ and return the ciphertext C. Again, the nonce N, the associated datum A, and the ciphertext C are processed by the function constructed by a hash function H with a hash key L and a block cipher E with an encryption key K and then it returns S. Finally, S is added to V to generate the authentication tag $T\in {\{0,1\}}^n$.

The overview of GCM-RIV2 is illustrated in Figure 2.

The key generation, encryption, decryption, leakage, and SoP-based CTR algorithms are shown in Algorithms 7, 8, 9, 10 and 11, respectively.

Algorithm 7 The key generation algorithm: $\mathcal{KG}$

Input: a key parameter k Output: four keys $(K,K_1,K_2,L)$ $(K,K_1,K_2,L)\stackrel{\$}{\leftarrow }\mathcal{K}=({\mathcal{K}}_E,{\mathcal{K}}_E,{\mathcal{K}}_E,{\mathcal{K}}_H)$ return $(K,K_1,K_2,L)$

Algorithm 8 The encryption algorithm: $\mathcal{E}$

Input: four keys $(K,K_1,K_2,L)$, a nonce N, an associated datum A, and a plaintext M Output: a ciphertext C and a tag T $I=H_L(N,A,M)=GHAS{H}_L(A,M)\oplus N\left|\right|{\left[0\right]}_{\frac{n}{4}}$ $V=E_K\left(I\right)$ $C=SCT{R}_{K_1,K_2}(V,N,M)$ $J=H_L(N,A,C)=GHAS{H}_L(A,C)\oplus N\left|\right|{\left[0\right]}_{\frac{n}{4}}$ $S=E_K\left(J\right)$ $T=S\oplus V$ return $(C,T)$

Algorithm 9 The decryption algorithm: $\mathcal{D}$

Input: four keys $(K,K_1,K_2,L)$, a nonce N, an associated datum A, a ciphertext C, and a tag T Output: a plaintext M or ⊥ $J=H_L(N,A,C)=GHAS{H}_L(A,C)\oplus N\left|\right|{\left[0\right]}_{\frac{n}{4}}$ $S=E_K\left(J\right)$ $V=S\oplus T$ $M=SCT{R}_{K_1,K_2}(V,N,C)$ $I=H_L(N,A,M)=GHAS{H}_L(A,M)\oplus N\left|\right|{\left[0\right]}_{\frac{n}{4}}$ $V^{\prime }=E_K\left(I\right)$ if $V^{\prime }=V$, return M else return ⊥ (INVALID) endif

Algorithm 10 The leaking algorithm: $\Lambda$

Input: four keys $(K,K_1,K_2,L)$, a nonce N, an associated datum A, a ciphertext C, and a tag T Output: a leaking invalid plaintext M or ⊤ $J=H_L(N,A,C)=GHAS{H}_L(A,C)\oplus N\left|\right|{\left[0\right]}_{\frac{n}{4}}$ $S=E_K\left(J\right)$ $V=S\oplus T$ $M=SCT{R}_{K_1,K_2}(V,N,C)$ $I=H_L(N,A,M)=GHAS{H}_L(A,M)\oplus N\left|\right|{\left[0\right]}_{\frac{n}{4}}$ $V^{\prime }=E_K\left(I\right)$ if $V^{\prime }=V$, return ⊤ else return M endif

Algorithm 11 SoP-based CTR algorithm: $SCT{R}_{K_1,K_2}(V,N,M)$

Input: two keys $K_1,K_2$, an initial vector V, a nonce N, and a plaintext M Output: a ciphertext C Partition M into $M_1\parallel \dots \parallel M_m$, $|M_i|=n,1\le i\le m-1,0<|M_m|\le n$ for $i=1$ to $m-1$ do      $C_i\leftarrow E_{K_1}(V+i)\oplus E_{K_2}{\left(N\right||\left[i\right]}_{\frac{n}{4}})\oplus M_i$ endfor $C_m\leftarrow ms{b}_{|M_m|}(E_{K_1}(V+m)\oplus E_{K_2}{\left(N\right||\left[m\right]}_{\frac{n}{4}}\left)\right)\oplus M_m$ return $C=C_1\left|\right|C_2\left|\right|\dots \left|\right|C_m$

5.2. Security of GCM-RIV2

We present the information-theoretic security proof of GCM-RIV2 under the assumption that the underlying block cipher is a secure pseudorandom permutation.

Theorem 2. 

Let H be an ϵ-AXU hash function. Let $\mathcal{A}$ be an adversary against GCM-RIV2 that makes at most q queries with at most σ blocks in total. Then, there exists an adversary $\mathcal{B}$ against E that makes at most $7(2q+2\sigma )$ queries, and one has

$$\begin{array}{cc}\hfill Ad{v}_{GCM-RIV2}^{SAE}\left(\mathcal{A}\right)\le & Ad{v}_E^{PRP}\left(\mathcal{B}\right)++12q^{4/3}ϵ+\frac{6{\sigma }^{4/3}}{2^{n+1}}+\frac{6q^{4/3}}{2^{n+1}}+\frac{12\sigma {\mu }^2}{2^n}+\frac{6{\sigma }^2}{2^{2n}}+6q^2{ϵ}^2\hfill \\ & +\frac{12q^2ϵ}{2^n}+\frac{4{\sigma }^2{\mu }^2}{2^{2n}}+\frac{8q^2{ϵ}^2}{2^n}+\frac{486{\sigma }^{4/3}+26\sigma +1752q^{4/3}+412q}{2^n}.\hfill \end{array}$$

Proof. 

Similar to the security proof of Theorem 1, according to the decomposition of SAE security, calculating the upper bound on $Ad{v}_{GCM-RIV2}^{SAE}\left(\mathcal{A}\right)$ is transformed into calculating the upper bounds of $Ad{v}_{GCM-RIV2}^{IND-CPA}\left({\mathcal{A}}_1\right)$, $Ad{v}_{GCM-RIV2}^{INT-CTXT}\left({\mathcal{A}}_2\right)$, and $Ad{v}_{GCM-RIV2}^{ERR-CCA}\left({\mathcal{A}}_3\right)$, where ${\mathcal{A}}_1,{\mathcal{A}}_2$ and ${\mathcal{A}}_3$ are IND-CPA, INT-CTXT, and ERR-CCA adversaries against GCM-RIV2, respectively, and each makes at most q queries of at most $\sigma$ blocks.

First, we upper-bound $Ad{v}_{GCM-RIV2}^{IND-CPA}\left({\mathcal{A}}_1\right)$. In the IND-CPA security model, the adversary ${\mathcal{A}}_1$ makes q queries to the encryption oracle $\mathcal{E}$ (real scheme GCM-RIV2) or $ (ideal version of GCM-RIV2).

We replace all block ciphers $E_K$, $E_{K_1}$, and $E_{K_2}$ in GCM-RIV2 with random permutations $\pi$, ${\pi }_1$, and ${\pi }_2$, which costs $Ad{v}_E^{PRP}\left(\mathcal{B}\right)$ for a PRP adversary $\mathcal{B}$ against E with at most $2q+2\sigma$ queries. Then, one has

$$\begin{array}{c}\hfill Ad{v}_{GCM-RIV2}^{IND-CPA}\left({\mathcal{A}}_1\right)\le Ad{v}_E^{PRP}\left(\mathcal{B}\right)+Ad{v}_{GCM-RIV2[\pi ,{\pi }_1,{\pi }_2]}^{IND-CPA}\left({\mathcal{A}}_1\right).\end{array}$$

(1)

We assume that the adversary ${\mathcal{A}}_1$ makes q queries $(N^1,A^1,M^1),\dots ,(N^q,A^q,M^q)$ to the encryption oracle and it reruns $(C^1,T^1),\dots ,(C^q,T^q)$. We record all query–response pairs as a transcript $\tau =\{(N^1,A^1,M^1,C^1,T^1),\dots ,(N^q,A^q,M^q,C^q,T^q)\}$. Then, one has

$$\begin{array}{c}\hfill V:\left\{\begin{array}{cc}& V^1=\pi \left(H_L(N^1,A^1,M^1)\right)\hfill \\ & \dots \dots \dots \dots \dots \hfill \\ & V^q=\pi \left(H_L(N^q,A^q,M^q)\right)\hfill \end{array}\right.\end{array}$$

$$\begin{array}{c}\hfill SCTR:\left\{\begin{array}{cc}& {\pi }_1(V^1+1)\oplus {\pi }_2(N^1\left|\right|{\left[1\right]}_{\frac{n}{4}})=M_1^1\oplus C_1^1\hfill \\ & \dots \dots \dots \dots \dots \hfill \\ & {\pi }_1(V^1+m^1)\oplus {\pi }_2(N^1\left|\right|{\left[m^1\right]}_{\frac{n}{4}})=M_{m^1}^1\oplus C_{m^1}^1\hfill \\ & {\pi }_1(V^2+1)\oplus {\pi }_2(N^2\left|\right|{\left[1\right]}_{\frac{n}{4}})=M_1^2\oplus C_1^2\hfill \\ & \dots \dots \dots \dots \dots \hfill \\ & {\pi }_1(V^2+m^2)\oplus {\pi }_2(N^2\left|\right|{\left[m^2\right]}_{\frac{n}{4}})=M_{m^2}^2\oplus C_{m^2}^2\hfill \\ & \dots \dots \dots \dots \dots \hfill \\ & {\pi }_1(V^q+1)\oplus {\pi }_2(N^q\left|\right|{\left[1\right]}_{\frac{n}{4}})=M_1^q\oplus C_1^q\hfill \\ & \dots \dots \dots \dots \dots \hfill \\ & {\pi }_1(V^q+m^q)\oplus {\pi }_2(N^q\left|\right|{\left[m^q\right]}_{\frac{n}{4}})=M_{m^q}^q\oplus C_{m^q}^q\hfill \end{array}\right.\end{array}$$

$$\begin{array}{c}\hfill S:\left\{\begin{array}{cc}& S^1=\pi \left(H_L(N^1,A^1,C^1)\right)\hfill \\ & \dots \dots \dots \dots \dots \hfill \\ & S^q=\pi \left(H_L(N^q,A^q,C^q)\right)\hfill \end{array}\right.\end{array}$$

$$\begin{array}{c}\hfill T:\left\{\begin{array}{cc}& S^1\oplus V^1=T^1\hfill \\ & S^2\oplus V^2=T^2\hfill \\ & \dots \dots \dots \dots \dots \hfill \\ & S^q\oplus V^q=T^q\hfill \end{array}\right.\end{array}$$

According to the H-coefficient lemma (Lemma 3), here, we first define a bad transcript and then state the probability of a bad transcript in the ideal world and the ratio between the probability of good transcripts in the real world and the probability of good transcripts in the ideal world.

After observing, we found that the equations above correspond to two distinct mirror systems: the SCTR mirror system and the T mirror system. Let $X_{i,j}={\pi }_1(V^i+j)$, $Y_{i,j}={\pi }_2(N^i{\left|\right|\left[j\right]}_{\frac{n}{4}})$, and ${\lambda }_{i,j}=M_j^i\oplus C_j^i$, where $i\in \left[q\right],j\in \left[m^i\right]$ and $\sigma ={\sum }_{i\in \left[q\right]}{m}^i$. Let $V_1^{=}$ be a set of vertices ${\left\{X_{i,j}\right\}}_{i\in \left[q\right],j\in \left[m^i\right]}$, $V_2^{=}$ be a set of vertices ${\left\{Y_{i,j}\right\}}_{i\in \left[q\right],j\in \left[m^i\right]}$, $E^{=}$ be a set of edges ${\left\{(X_{i,j},Y_{i,j})\right\}}_{i\in \left[q\right],j\in \left[m^i\right]}$, and $W^{=}:E^{=}\to {\left\{{\lambda }_{i,j}\right\}}_{i\in \left[q\right],j\in \left[m^i\right]}$ be a weighted function. Then, the SCTR mirror system corresponds to a bipartite graph $G_{SCTR}^{=}=<V_1^{=},V_2^{=},E^{=},W^{=}>$. Similarly, the T mirror system corresponds to a graph $G_T^{=}=<V_T^{=},E_T^{=},W_T^{=}>$, where $V_T^{=}={\{S^i,V^i\}}_{i\in \left[q\right]},E_T^{=}={\left\{(S^i,V^i)\right\}}_{i\in \left[q\right]}$ and $W_T^{=}:E_T^{=}\to {\left\{T^i\right\}}_{i\in \left[q\right]}$.

In order to be able to use the extended mirror theory and H-coefficient technique, we need to define bad transcripts.

Definition 9. 

A transcript τ is called bad if one of the following events holds:

1. 

The number of collisions from the outputs of the hash function $H_L$ is larger than $q^{2/3}$.

• Bad1: $|I^i=I^j|\ge q^{2/3}$ or $|V^i=V^j|\ge q^{2/3}$.
• Bad2: $|J^i=J^j|\ge q^{2/3}$ or $|S^i=S^j|\ge q^{2/3}$.
• Bad3: $|I^i=J^j|\ge q^{2/3}$ or $|V^i=S^j|\ge q^{2/3}$.

2. 

The number of collisions from the inputs of ${\pi }_1$ is larger than ${\sigma }^{2/3}$.

• Bad4: $|V^i+k=V^j+l|\ge {\sigma }^{2/3}$.

3. 

The number of collisions from the inputs of ${\pi }_2$ is larger than $q^{2/3}$.

• Bad5: $|N^i=N^j|\ge q^{2/3}$.

4. 

The number of collisions from the authentication tag is larger than $q^{2/3}$.

• Bad6: $|T^i=T^j|\ge q^{2/3}$.

5. 

The constraints of the extended mirror theory include the constraints of the SCTR mirror system (Bad7–Bad9) and the constraints of the the T mirror system (Bad10–Bad15).

• Bad7: There exist distinct $i,k\in \left[q\right]$ such that $X_{i,j}=X_{k,l}$ and $Y_{i,j}=Y_{k,l}$, where $j\in \left[m^i\right]$ and $l\in \left[m^k\right]$, i.e., $V^i+j=V^k+l$ and $N^i{\left|\right|\left[j\right]}_{n/4}=N^k\left|\right|{\left[l\right]}_{n/4}$ (it implies $j=l$).
• Bad8: There exist distinct $i,k\in \left[q\right]$ such that $X_{i,j}=X_{k,l}$ and ${\lambda }_{i,j}={\lambda }_{k,l}$, where $j\in \left[m^i\right]$ and $l\in \left[m^k\right]$, i.e., $V^i+j=V^k+l$ and $M_j^i\oplus C_j^i=M_l^k\oplus C_l^k$.
• Bad9: There exist distinct $i,k\in \left[q\right]$ such that $Y_{i,j}=Y_{k,l}$ and ${\lambda }_{i,j}={\lambda }_{k,l}$, where $j\in \left[m^i\right]$ and $l\in \left[m^k\right]$, i.e., $N^i{\left|\right|\left[j\right]}_{n/4}=N^k\left|\right|{\left[l\right]}_{n/4}$ (it implies $j=l$) and $M_j^i\oplus C_j^i=M_l^k\oplus C_l^k$.
• Bad10: There exist distinct $i,j\in \left[q\right]$ such that $S^i=S^j$ and $V^i=V^j$, i.e., $H_L(N^i,A^i,C^i)$$=H_L(N^j,A^j,C^j)$ and $H_L(N^i,A^i,M^i)=H_L(N^j,A^j,M^j)$.
• Bad11: There exist distinct $i,j\in \left[q\right]$ such that $S^i=S^j$ and $T^i=T^j$, i.e., $H_L(N^i,A^i,C^i)$$=H_L(N^j,A^j,C^j)$ and $T^i=T^j$.
• Bad12: There exist distinct $i,j\in \left[q\right]$ such that $V^i=V^j$ and $T^i=T^j$, i.e., $H_L(N^i,A^i,M^i)$$=H_L(N^j,A^j,M^j)$ and $T^i=T^j$.
• Bad13: There exist distinct $i,j\in \left[q\right]$ such that $S^i=V^j$ and $V^i=S^j$, i.e., $H_L(N^i,A^i,C^i)$$=H_L(N^j,A^j,M^j)$ and $H_L(N^i,A^i,M^i)=H_L(N^j,A^j,C^j)$.
• Bad14: There exist distinct $i,j\in \left[q\right]$ such that $S^i=V^j$ and $T^i=T^j$, i.e., $H_L(N^i,A^i,C^i)$$=H_L(N^j,A^j,M^j)$ and $T^i=T^j$.
• Bad15: There exist distinct $i,j\in \left[q\right]$ such that $V^i=S^j$ and $T^i=T^j$, i.e., $H_L(N^i,A^i,M^i)$$=H_L(N^j,A^j,C^j)$ and $T^i=T^j$.

Let ${\Gamma }_{bad}$ be a set of all bad transcripts, $\Gamma$ be a set of all transcripts, and $\Gamma ={\Gamma }_{bad}\cup {\Gamma }_{good}$. Let $X_{re}$ be the random variable interacting with the real scheme GCM-RIV2[$\pi ,{\pi }_1,{\pi }_2$] and $Y_{id}$ be the random variable interacting with the ideal version. We first upper-bound the probability $Pr[Y_{id}\in {\Gamma }_{bad}]$.

For Bad1, according to the properties of $ϵ$-AXU hash functions, the expectation of $|I^i=I^j|$ for all q queries is $E\left[\right|I^i=I^j\left|\right]=q(q-1)ϵ/2$. Then, according to Markov’s inequality, the probability that Bad1 occurs is

$$\begin{array}{c}\hfill Pr\left[Bad1\right]=Pr\left[\right|I^i=I^j\left|\right]\ge q^{2/3}]\le \frac{E\left[\right|I^i=I^j\left|\right]}{q^{2/3}}\le q^{4/3}ϵ/2.\end{array}$$

Similarly, for Bad2, one has $Pr\left[Bad2\right]\le q^{4/3}ϵ/2$.

For Bad3, according to the properties of $ϵ$-AXU hash functions, the expectation of $|I^i=J^j|$ for all q queries is $E\left[\right|I^i=J^j\left|\right]=q^2ϵ$. Then, according to Markov’s inequality, the probability that Bad1 occurs is

$$\begin{array}{c}\hfill Pr\left[Bad3\right]=Pr\left[\right|I^i=J^j\left|\right]\ge q^{2/3}]\le \frac{E\left[\right|I^i=J^j\left|\right]}{q^{2/3}}\le q^{4/3}ϵ.\end{array}$$

For Bad4, the probability that $V^i+k=V^j+l$ occurs for any $i,j,k,l$ is $2^{-n}$. Therefore, the expectation of $|V^i+k=V^j+l|$ for all $\sigma$ blocks is $E\left[\right|V^i+k=V^j+l\left|\right]\le {\sigma }^2/2^{n+1}$. Then, according to Markov’s inequality, the probability that Bad4 occurs is

$$\begin{array}{c}\hfill Pr\left[Bad4\right]=Pr\left[\right|V^i+k=V^j+l\left|\right]\ge {\sigma }^{2/3}]\le \frac{E\left[\right|V^i+k=V^j+l\left|\right]}{{\sigma }^{2/3}}\le \frac{{\sigma }^{4/3}}{2^{n+1}}.\end{array}$$

For Bad5, we consider the nonce-faulty setting. Let N be a $\mu$-faulty nonce and ${\mu }^2<q^{2/3}$. Therefore, the probability that Bad5 occurs is 0.

For Bad6, the probability that $T^i=T^j$ occurs for any $i,j$ is $2^{-n}$. Therefore, the expectation of $|T^i=T^j|$ for all q blocks is $E\left[\right|T^i=T^j\left|\right]\le q^2/2^{n+1}$. Then, according to Markov’s inequality, the probability that Bad6 occurs is

$$\begin{array}{c}\hfill Pr\left[Bad6\right]=Pr\left[\right|T^i=T^j\left|\right]\ge q^{2/3}]\le \frac{E\left[\right|T^i=T^j\left|\right]}{q^{2/3}}\le \frac{q^{4/3}}{2^{n+1}}.\end{array}$$

For Bad7, the probability that $V^i+j=V^k+l$ occurs for any $i,j,k,l$ is $2^{-n}$ and the number of pairs $(i,k)$ such that $N^i=N^k$ is at most ${\mu }^2$. Then, the probability that Bad7 occurs is

$$\begin{array}{c}\hfill Pr\left[Bad7\right]=\sum _{i,j,k,l}Pr[X_{i,j}=X_{k,l},Y_{i,j}=Y_{k,l}]=\sum _{i,j,k}Pr[V^i+j=V^k+j,N^i=N^k]\le \sigma {\mu }^2/2^n.\end{array}$$

Similarly, for Bad8, the probability that $M_j^i\oplus C_j^i=M_l^k\oplus C_l^k$ occurs for any $i,j,k,l$ is $2^{-n}$. Then, the probability that Bad7 occurs is

$$\begin{array}{cc}\hfill Pr\left[Bad8\right]& =\sum _{i,j,k,l}Pr[X_{i,j}=X_{k,l},{\lambda }_{i,j}={\lambda }_{k,l}]=\sum _{i,j,k,l}Pr[V^i+j=V^k+l,M_j^i\oplus C_j^i=M_l^k\oplus C_l^k]\hfill \\ & \le {\sigma }^2/2^{2n}.\hfill \end{array}$$

For Bad9, one has

$$\begin{array}{c}\hfill Pr\left[Bad9\right]=\sum _{i,j,k,l}Pr[Y_{i,j}=Y_{k,l},{\lambda }_{i,j}={\lambda }_{k,l}]=\sum _{i,j,k}Pr[N^i=N^k,M_j^i\oplus C_j^i=M_j^k\oplus C_j^k]\le \sigma {\mu }^2/2^n.\end{array}$$

For Bad10, the probability that $S^i=S^j$ and $V^i=V^j$ occur for any $i,j$ is $ϵ$. Then, the probability that Bad10 occurs is

$$\begin{array}{cc}\hfill Pr\left[Bad10\right]& =\sum _{i,j}Pr[S^i=S^j,V^i=V^j]\hfill \\ & =\sum _{i,j}Pr[H_L(N^i,A^i,C^i)=H_L(N^j,A^j,C^j),H_L(N^i,A^i,M^i)=H_L(N^j,A^j,M^j)]\hfill \\ & \le q^2{ϵ}^2/2.\hfill \end{array}$$

For Bad11, one has

$$\begin{array}{cc}\hfill Pr\left[Bad11\right]& =\sum _{i,j}Pr[S^i=S^j,T^i=T^j]\hfill \\ & =\sum _{i,j}Pr[H_L(N^i,A^i,C^i)=H_L(N^j,A^j,C^j),T^i=T^j]\hfill \\ & \le q^2ϵ/2^{n+1}.\hfill \end{array}$$

For Bad12, one has

$$\begin{array}{cc}\hfill Pr\left[Bad12\right]& =\sum _{i,j}Pr[V^i=V^j,T^i=T^j]\hfill \\ & =\sum _{i,j}Pr[H_L(N^i,A^i,M^i)=H_L(N^j,A^j,M^j),T^i=T^j]\hfill \\ & \le q^2ϵ/2^{n+1}.\hfill \end{array}$$

For Bad13, the probability that $S^i=V^j$ and $V^i=S^j$ occur for any $i,j$ is $ϵ$. Then, the probability that Bad13 occurs is

$$\begin{array}{cc}\hfill Pr\left[Bad13\right]& =\sum _{i,j}Pr[S^i=V^j,V^i=S^j]\hfill \\ & =\sum _{i,j}Pr[H_L(N^i,A^i,C^i)=H_L(N^j,A^j,M^j),H_L(N^i,A^i,M^i)=H_L(N^j,A^j,C^j)]\hfill \\ & \le q^2{ϵ}^2/2.\hfill \end{array}$$

For Bad14, one has

$$\begin{array}{cc}\hfill Pr\left[Bad14\right]& =\sum _{i,j}Pr[S^i=V^j,T^i=T^j]\hfill \\ & =\sum _{i,j}Pr[H_L(N^i,A^i,C^i)=H_L(N^j,A^j,M^j),T^i=T^j]\hfill \\ & \le q^2ϵ/2^{n+1}.\hfill \end{array}$$

For Bad15, one has

$$\begin{array}{cc}\hfill Pr\left[Bad15\right]& =\sum _{i,j}Pr[V^i=S^j,T^i=T^j]\hfill \\ & =\sum _{i,j}Pr[H_L(N^i,A^i,M^i)=H_L(N^j,A^j,C^j),T^i=T^j]\hfill \\ & \le q^2ϵ/2^{n+1}.\hfill \end{array}$$

To sum up, the probability of bad transcripts is

$$\begin{array}{cc}\hfill Pr[Y_{id}\in {\Gamma }_{bad}]& =\bigcup _{1\le i\le 15}Pr\left[Badi\right]\le \sum _{1\le i\le 15}Pr\left[Badi\right]\hfill \\ & \le 2q^{4/3}ϵ+\frac{{\sigma }^{4/3}}{2^{n+1}}+\frac{q^{4/3}}{2^{n+1}}+\frac{2\sigma {\mu }^2}{2^n}+\frac{{\sigma }^2}{2^{2n}}+q^2{ϵ}^2+\frac{2q^2ϵ}{2^n}.\hfill \end{array}$$

(2)

In the good transcript $\tau$, we bound the ratio $\frac{Pr[X_{re}=\tau ]}{Pr[Y_{id}=\tau ]}$ between the real scheme GCM-RIV2[$\pi ,{\pi }_1,{\pi }_2$] and its ideal version.

First, we consider $Pr[X_{re}=\tau ]$ for a good transcript $\tau$ in the real scheme GCM-RIV2[$\pi ,{\pi }_1,{\pi }_2$].

For the SCTR mirror system, as $|V^i+k=V^j+l| \le {\sigma }^{2/3}$, the number of edges in components with a size of more than 2 is ${\sigma }_c\le 4{\sigma }^{2/3}$. Therefore, according to Theorem 5, the number of solutions of $G_{SCTR}^{=}$ is at least

$$\begin{array}{c}\hfill \frac{{\left(2^n\right)}_{|V_1^{=}|}{\left(2^n\right)}_{|V_2^{=}|}}{2^{n\sigma }}\left(1-{\delta }_1\right),\end{array}$$

where ${\delta }_1=\frac{9{\sigma }_c^2}{4·2^n}+\frac{9{\sigma }_c^2\sigma +6{\sigma }_c{\sigma }^2+4{\sigma }^2}{4·2^{2n}}+\frac{8{\sigma }^4}{3·2^{3n}}\le \frac{36{\sigma }^{4/3}}{2^n}+\frac{36{\sigma }^{7/3}+6{\sigma }^{8/3}+{\sigma }^2}{2^{2n}}+\frac{8{\sigma }^4}{3·2^{3n}}\le \frac{81{\sigma }^{4/3}+\sigma }{2^n}$.

Similarly, for the T mirror system, as $|S^i=S^j| \le q^{2/3}$ and $|V^i=V^j| \le q^{2/3}$, the number of edges in components with a size of more than 2 is $q_c\le 4q^{2/3}$. Therefore, according to Theorem 4, the number of solutions of $G_T^{=}$ is at least

$$\begin{array}{c}\hfill \frac{{\left(2^n\right)}_{|V_T^{=}|}}{2^{nq}}\left(1-{\delta }_2\right),\end{array}$$

where ${\delta }_2=\frac{9q_c^2}{4·2^n}+\frac{9q_c^{2}q+24q_c{q}^2+6q_{c}q+40q^2}{2^{2n}}+\frac{16q^4}{2^{3n}}\le \frac{36q^{4/3}}{2^n}+\frac{144q^{7/3}+96q^{8/3}+24q^{5/3}+40q^2}{2^{2n}}+\frac{16q^4}{2^{3n}}\le \frac{292q^{4/3}+64q}{2^n}$.

Therefore, for a good graph, it must satisfy both $G_{SCTR}^{=}$ and $G_T^{=}$. It follows that the number of solutions of a good graph G is at least

$$\begin{array}{c}\hfill \frac{{\left(2^n\right)}_{|V_1^{=}|}{\left(2^n\right)}_{|V_2^{=}|}}{2^{n\sigma }}\frac{{\left(2^n\right)}_{|V_T^{=}|}}{2^{nq}}\left(1-{\delta }_1\right)\left(1-{\delta }_2\right).\end{array}$$

In the real scheme GCM-RIV2[$\pi ,{\pi }_1,{\pi }_2$], one has

$$\begin{array}{cc}\hfill Pr[X_{re}=\tau ]& =Pr[\pi ,{\pi }_1,{\pi }_2\in Perm\left(n\right):GCM-RIV2[\pi ,{\pi }_1,{\pi }_2]⊢\tau ]\hfill \\ & =\frac{|\pi ,{\pi }_1,{\pi }_2\in Perm\left(n\right):GCM-RIV2[\pi ,{\pi }_1,{\pi }_2]⊢\tau |}{{\left|Perm\left(n\right)\right|}^3}\hfill \\ & \ge \frac{\frac{{\left(2^n\right)}_{|V_1^{=}|}{\left(2^n\right)}_{|V_2^{=}|}}{2^{n\sigma }}\frac{{\left(2^n\right)}_{|V_T^{=}|}}{2^{nq}}\left(1-{\delta }_1\right)\left(1-{\delta }_2\right)(2^n-|V_1^{=}\left|\right)!(2^n-|V_2^{=}\left|\right)!(2^n-|V_T^{=}\left|\right)!}{{(2^n!)}^3}\hfill \\ & =\frac{1}{2^{n\sigma }}\frac{1}{2^{nq}}\left(1-{\delta }_1\right)\left(1-{\delta }_2\right).\hfill \end{array}$$

In the ideal version $, one has

$$\begin{array}{c}\hfill Pr[Y_{id}=\tau ]=Pr[\$\in Func(\left|N\right|+\left|A\right|+\left|M\right|,(q+\sigma )n):\$⊢\tau ]=\frac{1}{2^{(q+\sigma )n}}.\end{array}$$

Therefore, the ratio between $Pr[X_{re}=\tau ]$ and $Pr[Y_{id}=\tau ]$ in the good transcript is

$$\begin{array}{c}\hfill \frac{Pr[X_{re}=\tau ]}{Pr[Y_{id}=\tau ]}\ge (1-{\delta }_1)(1-{\delta }_2)\ge 1-({\delta }_1+{\delta }_2)=1-\delta ,\end{array}$$

(3)

where $\delta ={\delta }_1+{\delta }_2\le \frac{81{\sigma }^{4/3}+\sigma +292q^{4/3}+64q}{2^n}$.

According to the H-coefficient technique and Equations (1)–(3), for a PRP adversary $\mathcal{B}$ against E with at most $2q+2\sigma$ queries, one has

$$\begin{array}{cc}\hfill Ad{v}_{GCM-RIV2}^{IND-CPA}\left({\mathcal{A}}_1\right)\le & Ad{v}_E^{PRP}\left(\mathcal{B}\right)+2q^{4/3}ϵ+\frac{{\sigma }^{4/3}}{2^{n+1}}+\frac{q^{4/3}}{2^{n+1}}+\frac{2\sigma {\mu }^2}{2^n}+\frac{{\sigma }^2}{2^{2n}}+q^2{ϵ}^2+\frac{2q^2ϵ}{2^n}\hfill \\ & +\frac{81{\sigma }^{4/3}+\sigma +292q^{4/3}+64q}{2^n}.\hfill \end{array}$$

Then, we upper-bound $Ad{v}_{GCM-RIV2}^{INT-CTXT}\left({\mathcal{A}}_2\right)$. The evaluation process is similar to that of $Ad{v}_{GCM-RIV2}^{IND-CPA}\left({\mathcal{A}}_1\right)$ except that it also includes that of the extended mirror system with equations and non-equations under forgery attempts. In the INT-CTXT security model, the adversary can access the encryption and decryption oracles. We assume that the adversary ${\mathcal{A}}_2$ makes q forgery attempts $(N^{\ast 1},A^{\ast 1},C^{\ast 1},T^{\ast 1}),\dots ,(N^{\ast q},A^{\ast q},C^{\ast q},T^{\ast q})$ to the decryption oracle after q queries $(N^1,A^1,M^1),\dots ,(N^q,A^q,M^q)$ to the encryption oracle and does not make invalid queries. We record all query–response pairs as a transcript $\tau =\{(N^1,A^1,M^1,C^1,T^1),\dots ,(N^q,A^q,M^q,C^q,T^q),(N^{\ast 1},A^{\ast 1},M^{\ast 1},C^{\ast 1},T^{\ast 1}),\dots ,(N^{\ast q},A^{\ast q},$$M^{\ast q},C^{\ast q},T^{\ast q}\left)\right\}$. Unlike the mirror system in the IND-CPA security model, here, we consider an extended mirror system with equations and non-equations. The system with equations generated by the encryption oracle is the same as that of IND-CPA, so they are not listed. Let us simply list the system with equations and non-equations generated by the decryption oracle (forgery attempts) below.

$$\begin{array}{c}\hfill S^{\ast }:\left\{\begin{array}{cc}& S^{\ast 1}=\pi \left(H_L(N^{\ast 1},A^{\ast 1},C^{\ast 1})\right)\hfill \\ & \dots \dots \dots \dots \dots \hfill \\ & S^{\ast q}=\pi \left(H_L(N^{\ast q},A^{\ast q},C^{\ast q})\right)\hfill \end{array}\right.\end{array}$$

$$\begin{array}{c}\hfill V^{\ast }:\left\{\begin{array}{cc}& V^{\ast 1}=\pi \left(H_L(N^{\ast 1},A^{\ast 1},M^{\ast 1})\right)\hfill \\ & \dots \dots \dots \dots \dots \hfill \\ & V^{\ast q}=\pi \left(H_L(N^{\ast q},A^{\ast q},M^{\ast q})\right)\hfill \end{array}\right.\end{array}$$

$$\begin{array}{c}\hfill SCT{R}^{\ast }:\left\{\begin{array}{cc}& {\pi }_1(V^{\ast 1}+1)\oplus {\pi }_2(N^{\ast 1}\left|\right|{\left[1\right]}_{\frac{n}{4}})\ne M_1^{\ast 1}\oplus C_1^{\ast 1}\hfill \\ & \dots \dots \dots \dots \dots \hfill \\ & {\pi }_1(V^{\ast 1}+m^{\ast 1})\oplus {\pi }_2(N^{\ast 1}\left|\right|{\left[m^{\ast 1}\right]}_{\frac{n}{4}})\ne M_{m^{\ast 1}}^{\ast 1}\oplus C_{m^{\ast 1}}^{\ast 1}\hfill \\ & {\pi }_1(V^{\ast 2}+1)\oplus {\pi }_2(N^{\ast 2}\left|\right|{\left[1\right]}_{\frac{n}{4}})\ne M_1^{\ast 2}\oplus C_1^{\ast 2}\hfill \\ & \dots \dots \dots \dots \dots \hfill \\ & {\pi }_1(V^{\ast 2}+m^{\ast 2})\oplus {\pi }_2(N^{\ast 2}\left|\right|{\left[m^{\ast 2}\right]}_{\frac{n}{4}})\ne M_{m^{\ast 2}}^{\ast 2}\oplus C_{m^{\ast 2}}^{\ast 2}\hfill \\ & \dots \dots \dots \dots \dots \hfill \\ & {\pi }_1(V^{\ast q}+1)\oplus {\pi }_2(N^{\ast q}\left|\right|{\left[1\right]}_{\frac{n}{4}})\ne M_1^{\ast q}\oplus C_1^{\ast q}\hfill \\ & \dots \dots \dots \dots \dots \hfill \\ & {\pi }_1(V^{\ast q}+m^{\ast q})\oplus {\pi }_2(N^{\ast q}\left|\right|{\left[m^{\ast q}\right]}_{\frac{n}{4}})\ne M_{m^{\ast q}}^{\ast q}\oplus C_{m^{\ast q}}^{\ast q}\hfill \end{array}\right.\end{array}$$

$$\begin{array}{c}\hfill T^{\ast }:\left\{\begin{array}{cc}& S^{\ast 1}\oplus V^{\ast 1}\ne T^{\ast 1}\hfill \\ & S^{\ast 2}\oplus V^{\ast 2}\ne T^{\ast 2}\hfill \\ & \dots \dots \dots \dots \dots \hfill \\ & S^{\ast q}\oplus V^{\ast q}\ne T^{\ast q}\hfill \end{array}\right.\end{array}$$

According to the H-coefficient lemma (Lemma 3), here, we first define a bad transcript and then state the probability of a bad transcript in the ideal world and the ratio between the probability of good transcripts in the real world and the probability of good transcripts in the ideal world.

After observing, we found that the system above corresponds to two distinct extended mirror systems: the SCTR with SCTR${}^{\ast }$ system and the T with T${}^{\ast }$ system. Let $X_{i,j}={\pi }_1(V^i+j)$, $Y_{i,j}={\pi }_2(N^i{\left|\right|\left[j\right]}_{\frac{n}{4}})$, and ${\lambda }_{i,j}=M_j^i\oplus C_j^i$, where $i\in \left[q\right],j\in \left[m^i\right]$ and $\sigma ={\sum }_{i\in \left[q\right]}{m}^i$. Let $V_1^{=}$ be a set of vertices ${\left\{X_{i,j}\right\}}_{i\in \left[q\right],j\in \left[m^i\right]}$, $V_2^{=}$ be a set of vertices ${\left\{Y_{i,j}\right\}}_{i\in \left[q\right],j\in \left[m^i\right]}$, $E^{=}$ be a set of edges ${\left\{(X_{i,j},Y_{i,j})\right\}}_{i\in \left[q\right],j\in \left[m^i\right]}$, and $W^{=}:E^{=}\to {\left\{{\lambda }_{i,j}\right\}}_{i\in \left[q\right],j\in \left[m^i\right]}$ be a weighted function. Then, the SCTR mirror system corresponds to a bipartite graph $G_{SCTR}^{=}=<V_1^{=},V_2^{=},E^{=},W^{=}>$. Let $X_{i,j}^{\ast }={\pi }_1(V^{\ast i}+j)$, $Y_{i,j}^{\ast }={\pi }_2(N^{\ast i}{\left|\right|\left[j\right]}_{\frac{n}{4}})$, and ${\lambda }_{i,j}^{\ast }=M_j\ast i\oplus C_j\ast i$, where $i\in \left[q\right],j\in \left[m^{\ast i}\right]$ and $\sigma ={\sum }_{i\in \left[q\right]}{m}^{\ast i}$. Let $V_1^{\ne }$ be a set of vertices ${\left\{X_{i,j}^{\ast }\right\}}_{i\in \left[q\right],j\in \left[m^{\ast i}\right]}$, $V_2^{\ne }$ be a set of vertices ${\left\{Y_{i,j}^{\ast }\right\}}_{i\in \left[q\right],j\in \left[m^{\ast i}\right]}$, $E^{\ne }$ be a set of edges ${\left\{(X_{i,j}^{\ast },Y_{i,j}^{\ast })\right\}}_{i\in \left[q\right],j\in \left[m^{\ast i}\right]}$, and $W^{\ne }:E^{\ne }\to {\left\{{\lambda }_{i,j}^{\ast }\right\}}_{i\in \left[q\right],j\in \left[m^{\ast i}\right]}$ be a weighted function. Then, the SCTR with the SCTR${}^{\ast }$ system corresponds to a bipartite graph $G_{SCTR}=<V_1,V_2,E,W>$, where $V_1=V_1^{=}\cup V_1^{\ne }$, $V_2=V_2^{=}\cup V_2^{\ne }$, $E=E^{=}\cup E^{\ne }$, and $W=W^{=}\cup W^{\ne }$.

Similarly, the T mirror system corresponds to a graph $G_T^{=}=<V_T^{=},E_T^{=},W_T^{=}>$, where $V_T^{=}={\{S^i,V^i\}}_{i\in \left[q\right]},E_T^{=}={\left\{(S^i,V^i)\right\}}_{i\in \left[q\right]}$ and $W_T^{=}:E_T^{=}\to {\left\{T^i\right\}}_{i\in \left[q\right]}$. Then, the T with T${}^{\ast }$ system corresponds to a graph $G_T=<V_T,E_T,W_T>$, where $V_T=V_T^{=}\cup V_T^{\ne }$, $E_T=E_T^{=}\cup E_T^{\ne }$, and $W_T=W_T^{=}\cup W_T^{\ne }$.

In order to be able to use the extended mirror theory and H-coefficient technique, we need to define bad transcripts.

Definition 10. 

A transcript τ is called bad if one of the following events holds:

1. 

Bad1–Bad15 is the same as that of Definition 9.

2. 

Bad16: $V^{\ast i}+j=V^k+l$, $N^{\ast i}{\left|\right|\left[j\right]}_{\frac{n}{4}}=N^k\left|\right|{\left[l\right]}_{\frac{n}{4}}$, and $M_j^{\ast i}\oplus C_j^{\ast i}=M_l^{\ast k}\oplus C_l^{\ast k}$.

3. 

Bad17: $S^{\ast i}=S^j$, $V^{\ast i}=V^j$, and $T^{\ast i}=T^j$.

4. 

Bad18: $S^{\ast i}=V^j$, $V^{\ast i}=S^j$, and $T^{\ast i}=T^j$.

Let ${\Gamma }_{bad}$ be a set of all bad transcripts, $\Gamma$ be a set of all transcripts, and $\Gamma ={\Gamma }_{bad}\cup {\Gamma }_{good}$. Let $X_{re}$ be the random variable interacting with the real scheme GCM-RIV2[$\pi ,{\pi }_1,{\pi }_2$] and $Y_{id}$ be the random variable interacting with the ideal version. We first upper-bound the probability $Pr[Y_{id}\in {\Gamma }_{bad}]$.

For Bad1–Bad15, Equation (2) has given

$$\begin{array}{c}\hfill Pr[Bad1-Bad15]\le 2q^{4/3}ϵ+\frac{{\sigma }^{4/3}}{2^{n+1}}+\frac{q^{4/3}}{2^{n+1}}+\frac{2\sigma {\mu }^2}{2^n}+\frac{{\sigma }^2}{2^{2n}}+q^2{ϵ}^2+\frac{2q^2ϵ}{2^n}.\end{array}$$

For Bad16, the probability that $V^{\ast i}+j=V^k+l$ or $M_j^{\ast i}\oplus C_j^{\ast i}=M_l^{\ast k}\oplus C_l^{\ast k}$ occurs for any $i,j,k,l$ is $2^{-n}$ and the number of pairs $(i,k)$ such that $N^{\ast i}=N^k$ is at most ${\mu }^2$. Then, the probability of Bad16 is

$$\begin{array}{cc}\hfill Pr\left[Bad16\right]& =\sum _{i,j,k,l}Pr[V^{\ast i}+j=V^k+l,N^{\ast i}{\left|\right|\left[j\right]}_{\frac{n}{4}}=N^k{\left|\right|\left[l\right]}_{\frac{n}{4}},M_j^{\ast i}\oplus C_j^{\ast i}=M_l^{\ast k}\oplus C_l^{\ast k}]\hfill \\ & =\sum _{i,j,k}Pr[V^{\ast i}+j=V^k+j,N^{\ast i}=N^k,M_j^{\ast i}\oplus C_j^{\ast i}=M_j^{\ast k}\oplus C_j^{\ast k}]\hfill \\ & \le \frac{{\sigma }^2{\mu }^2}{2^{2n}}.\hfill \end{array}$$

For Bad17, the probability that $S^{\ast i}=S^j$ or $V^{\ast i}=V^j$ occurs for any $i,j$ is at most $ϵ$ and the probability that $T^{\ast i}=T^j$ occurs for any $i,j$ is $2^{-n}$. Then, the probability of Bad17 is

$$\begin{array}{c}\hfill Pr\left[Bad17\right]=\sum _{i,j}Pr[S^{\ast i}=S^j,V^{\ast i}=V^j,T^{\ast i}=T^j]\le \frac{q^2{ϵ}^2}{2^n}.\end{array}$$

For Bad18, the probability that $S^{\ast i}=V^j$ or $V^{\ast i}=S^j$ occurs for any $i,j$ is at most $ϵ$ and the probability that $T^{\ast i}=T^j$ occurs for any $i,j$ is $2^{-n}$. Then, the probability of Bad18 is

$$\begin{array}{c}\hfill Pr\left[Bad18\right]=\sum _{i,j}Pr[S^{\ast i}=V^j,V^{\ast i}=S^j,T^{\ast i}=T^j]\le \frac{q^2{ϵ}^2}{2^n}.\end{array}$$

To sum up, the probability of bad transcripts in the ideal world is

$$\begin{array}{cc}\hfill Pr[Y_{id}\in {\Gamma }_{bad}]& =\bigcup _{i\in \left[18\right]}Pr\left[Badi\right]\le \sum _{i\in \left[18\right]}Pr\left[Badi\right]\hfill \\ & \le 2q^{4/3}ϵ+\frac{{\sigma }^{4/3}}{2^{n+1}}+\frac{q^{4/3}}{2^{n+1}}+\frac{2\sigma {\mu }^2}{2^n}+\frac{{\sigma }^2}{2^{2n}}+q^2{ϵ}^2+\frac{2q^2ϵ}{2^n}+\frac{{\sigma }^2{\mu }^2}{2^{2n}}+\frac{2q^2{ϵ}^2}{2^n}.\hfill \end{array}$$

(4)

In the good transcript $\tau$, we bound the ratio $\frac{Pr[X_{re}=\tau ]}{Pr[Y_{id}=\tau ]}$ between the real scheme GCM-RIV2[$\pi ,{\pi }_1,{\pi }_2$] and its ideal version.

First, we consider $Pr[X_{re}=\tau ]$ for a good transcript $\tau$ in the real scheme GCM-RIV2[$\pi ,{\pi }_1,{\pi }_2$].

For the SCTR with the SCTR${}^{\ast }$ extended mirror system, as $|V^i+k=V^j+l| \le {\sigma }^{2/3}$, the number of edges in components with a size of more than 2 is ${\sigma }_c\le 4{\sigma }^{2/3}$. Therefore, according to Theorem 5, the number of solutions of $G_{SCTR}$ is at least

$$\begin{array}{c}\hfill \frac{{\left(2^n\right)}_{|V_1|}{\left(2^n\right)}_{|V_2|}}{2^{n\sigma }}\left(1-{\delta }_1\right),\end{array}$$

where ${\delta }_1=\frac{9{\sigma }_c^2}{4·2^n}+\frac{9{\sigma }_c^2\sigma +6{\sigma }_c{\sigma }^2+4{\sigma }^2}{4·2^{2n}}+\frac{8{\sigma }^4}{3·2^{3n}}+\frac{5\sigma }{2^n}\le \frac{36{\sigma }^{4/3}}{2^n}+\frac{36{\sigma }^{7/3}+6{\sigma }^{8/3}+{\sigma }^2}{2^{2n}}+\frac{8{\sigma }^4}{3·2^{3n}}+\frac{5\sigma }{2^n}\le \frac{81{\sigma }^{4/3}+6\sigma }{2^n}$.

Similarly, for the T with the T${}^{\ast }$ extended mirror system, as $|S^i=S^j| \le \sqrt{q}$ and $|V^i=V^j| \le q^{2/3}$, the number of edges in components with a size of more than 2 is $q_c\le 4q^{2/3}$. Therefore, according to Theorem 4, the number of solutions of $G_T$ is at least

$$\begin{array}{c}\hfill \frac{{\left(2^n\right)}_{|V_T|}}{2^{nq}}\left(1-{\delta }_2\right),\end{array}$$

where ${\delta }_2=\frac{9q_c^2}{4·2^n}+\frac{9q_c^{2}q+24q_c{q}^2+6q_{c}q+40q^2}{2^{2n}}+\frac{16q^4}{2^{3n}}+\frac{7q}{2^n}\le \frac{36q^{4/3}}{2^n}+\frac{144q^{7/3}+96q^{8/3}+24q^{5/3}+40q^2}{2^{2n}}+\frac{16q^4}{2^{3n}}+\frac{7q}{2^n}\le \frac{292q^{4/3}+71q}{2^n}$.

Therefore, for a good graph, it must satisfy both $G_{SCTR}$ and $G_T$. It follows that the number of solutions of a good graph is at least

$$\begin{array}{c}\hfill \frac{{\left(2^n\right)}_{|V_1|}{\left(2^n\right)}_{|V_2|}}{2^{n\sigma }}\frac{{\left(2^n\right)}_{|V_T|}}{2^{nq}}\left(1-{\delta }_1\right)\left(1-{\delta }_2\right).\end{array}$$

In the real scheme GCM-RIV2[$\pi ,{\pi }_1,{\pi }_2$], one has

$$\begin{array}{cc}\hfill Pr[X_{re}=\tau ]& =Pr[\pi ,{\pi }_1,{\pi }_2\in Perm\left(n\right):GCM-RIV2[\pi ,{\pi }_1,{\pi }_2]⊢\tau ]\hfill \\ & =\frac{|\pi ,{\pi }_1,{\pi }_2\in Perm\left(n\right):GCM-RIV2[\pi ,{\pi }_1,{\pi }_2]⊢\tau |}{{\left|Perm\left(n\right)\right|}^3}\hfill \\ & \ge \frac{\frac{{\left(2^n\right)}_{|V_1|}{\left(2^n\right)}_{|V_2|}}{2^{n\sigma }}\frac{{\left(2^n\right)}_{|V_T|}}{2^{nq}}\left(1-{\delta }_1\right)\left(1-{\delta }_2\right)(2^n-|V_1\left|\right)!(2^n-|V_2\left|\right)!(2^n-|V_T\left|\right)!}{{(2^n!)}^3}\hfill \\ & =\frac{1}{2^{n\sigma }}\frac{1}{2^{nq}}\left(1-{\delta }_1\right)\left(1-{\delta }_2\right).\hfill \end{array}$$

In the ideal version $, one has

$$\begin{array}{c}\hfill Pr[Y_{id}=\tau ]=Pr[\$\in Func(\left|N\right|+\left|A\right|+\left|M\right|,(q+\sigma )n):\$⊢\tau ]=\frac{1}{2^{(q+\sigma )n}}.\end{array}$$

Therefore, the ratio between $Pr[X_{re}=\tau ]$ and $Pr[Y_{id}=\tau ]$ in the good transcript is

$$\begin{array}{c}\hfill \frac{Pr[X_{re}=\tau ]}{Pr[Y_{id}=\tau ]}\ge (1-{\delta }_1)(1-{\delta }_2)\ge 1-({\delta }_1+{\delta }_2)=1-\delta ,\end{array}$$

(5)

where $\delta ={\delta }_1+{\delta }_2\le \frac{81{\sigma }^{4/3}+6\sigma +292q^{4/3}+71q}{2^n}$.

According to the H-coefficient technique and Equations (1), (4) and (5), for a PRP adversary $\mathcal{B}$ against E with at most $4q+4\sigma$ queries, one has

$$\begin{array}{cc}\hfill Ad{v}_{GCM-RIV2}^{INT-CTXT}\left({\mathcal{A}}_1\right)\le & Ad{v}_E^{PRP}\left(\mathcal{B}\right)+2q^{4/3}ϵ+\frac{{\sigma }^{4/3}}{2^{n+1}}+\frac{q^{4/3}}{2^{n+1}}+\frac{2\sigma {\mu }^2}{2^n}+\frac{{\sigma }^2}{2^{2n}}+q^2{ϵ}^2+\frac{2q^2ϵ}{2^n}\hfill \\ & +\frac{{\sigma }^2{\mu }^2}{2^{2n}}+\frac{2q^2{ϵ}^2}{2^n}+\frac{81{\sigma }^{4/3}+6\sigma +292q^{4/3}+71q}{2^n}.\hfill \end{array}$$

Finally, we upper-bound $Ad{v}_{GCM-RIV1}^{ERR-CCA}\left({\mathcal{A}}_3\right)$. In the ERR-CCA security model, the adversary ${\mathcal{A}}_3$ has access to the encryption, decryption, and leakage oracles, with at most q queries of at most $\sigma$ blocks each. The security analysis in the encryption or decryption oracle is similar to that under the above security models, and the security analysis in the leakage oracle is similar to that of the decryption oracle with forgery attempts under the INT-CTXT. Besides this, we also need to consider an extended mirror system with equations and non-equations for distinct dummy keys in the leakage oracle. Therefore, for a PRP adversary $\mathcal{B}$ against E with at most $8q+8\sigma$ queries, one has

$$\begin{array}{cc}\hfill Ad{v}_{GCM-RIV2}^{ERR-CCA}\left({\mathcal{A}}_3\right)\le & Ad{v}_E^{PRP}\left(\mathcal{B}\right)+8q^{4/3}ϵ+\frac{4{\sigma }^{4/3}}{2^{n+1}}+\frac{4q^{4/3}}{2^{n+1}}+\frac{8\sigma {\mu }^2}{2^n}+\frac{4{\sigma }^2}{2^{2n}}+4q^2{ϵ}^2+\frac{8q^2ϵ}{2^n}\hfill \\ & +\frac{3{\sigma }^2{\mu }^2}{2^{2n}}+\frac{6q^2{ϵ}^2}{2^n}+\frac{324{\sigma }^{4/3}+19\sigma +1168q^{4/3}+277q}{2^n}.\hfill \end{array}$$

To summarize, according to Lemma 2, the SAE security of GCM-RIV2 is upper-bounded by

$$\begin{array}{cc}\hfill Ad{v}_{GCM-RIV2}^{SAE}\left(\mathcal{A}\right)\le & Ad{v}_E^{PRP}\left(\mathcal{B}\right)+12q^{4/3}ϵ+\frac{6{\sigma }^{4/3}}{2^{n+1}}+\frac{6q^{4/3}}{2^{n+1}}+\frac{12\sigma {\mu }^2}{2^n}+\frac{6{\sigma }^2}{2^{2n}}+6q^2{ϵ}^2+\frac{12q^2ϵ}{2^n}\hfill \\ & +\frac{4{\sigma }^2{\mu }^2}{2^{2n}}+\frac{8q^2{ϵ}^2}{2^n}+\frac{486{\sigma }^{4/3}+26\sigma +1752q^{4/3}+412q}{2^n}.\hfill \end{array}$$

The security proof of Theorem 2 is finished. □

Theorem 2 shows that GCM-RIV2 enjoys beyond-birthday-bound SAE security with $3n/4$-bit and its security bound decreases as parameter $\mu$ increases if the underlying block cipher is a secure PRP and $ϵ=2^{-n}$.

6. Discussion and Conclusions

GCM-RIV1 and GCM-RIV2 are robust authenticated encryption modes with an inverse-free nature. Both of them are based on the RIV framework, which extends the SIV construction by adopting an extra hash function with block cipher encryption and support nonce misuse. GCM-RIV1 is rate 1 (a plaintext block per each encryption), while GCM-RIV2 is rate 1/2 (a plaintext block per two encryptions). However, fortunately, the nonce-based encryption part of GCM-RIV2 can be precomputed, which means that the running speed of GCM-RIV2 is close to that of GCM-RIV1. Besides this, GCM-RIV1 and GCM-RIV2 are parallelizable. Therefore, overall, the performance of GCM-RIV1 and GCM-RIV2 is only slightly lower than that of GCM-SIV1.

From the perspective of the security, GCM-RIV1 and GCM-RIV2 support stronger security than GCM-SIV1. GCM-RIV1 guarantees birthday-bound SAE security of $n/2$-bit and supports robustness against the leakage of invalid plaintext. GCM-RIV2 enjoys beyond-birthday-bound SAE security with $3n/4$-bit graceful degradation and supports robustness against faulty nonces and the leakage of invalid plaintext. Table 1 shows the comparison between our schemes and previous related schemes.

Currently, GCM, GCM-SIV, and its related variants have been widely used in network security protocols. With the complexity, isomerization, and diversification of the network environment, GCM-RIV1 and GCM-RIV2, as robust AE modes, will be highly valued. GCM-RIV1 and GCM-RIV2 provide subtle AE security, nonce-faulty resistance, and birthday-bound security or even degradation-friendly beyond-birthday-bound security, meeting the requirements of the complex, isomerized, and diversified network environments for the robustness, elasticity, and reliable security of AE schemes. However, GCM-RIV1 and GCM-RIV2 need to be further optimized in terms of efficiency and security. GCM-RIV1 only ensures birthday-bound security, while GCM-RIV2 is rate 1/2. One potential future task is to further design more efficient and robust cryptographic schemes adapted to specific environments.