Next Article in Journal
Using a Node–Child Matrix to Address the Quickest Path Problem in Multistate Flow Networks under Transmission Cost Constraints
Next Article in Special Issue
Advances in Physical Unclonable Functions Based on New Technologies: A Comprehensive Review
Previous Article in Journal
A New Solution to the Fractional Black–Scholes Equation Using the Daftardar-Gejji Method
Previous Article in Special Issue
OO-MA-KP-ABE-CRF: Online/Offline Multi-Authority Key-Policy Attribute-Based Encryption with Cryptographic Reverse Firewall for Physical Ability Data
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

GCM Variants with Robust Initialization Vectors

School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
Mathematics 2023, 11(24), 4888; https://doi.org/10.3390/math11244888
Submission received: 15 November 2023 / Revised: 27 November 2023 / Accepted: 4 December 2023 / Published: 6 December 2023
(This article belongs to the Special Issue Trends in Cryptography and Information Security)

Abstract

:
The complexity and isomerization of communication networks have put forth new requirements for cryptographic schemes to ensure the operation of network security protocols. Robust cryptographic schemes have been gradually favored. The robust initialization vector (RIV) instead of the synthetic initialization vector (SIV) was first introduced to support strong security and robust authenticated encryption. This paper first introduces RIV to GCM-SIV1, proposes a robust variant, GCM-RIV1, and proves that it ensures birthday-bound subtle AE (SAE) security and nonce-misuse resistance. Then, to support beyond-birthday-bound (BBB) security with graceful degradation, we introduce another, stronger security variant, GCM-RIV2, and prove that it allows gracefully degrading BBB SAE security in the faulty nonce setting. Finally, the performance of GCM-RIV1 and GCM-RIV2 is discussed and compared.

1. Introduction

With the development of cloud-end convergence networks, the industrial Internet, and the Internet of Things, the security of critical infrastructure and protocols on the network has become more and more important. As a high-speed lightweight authenticated encryption (AE) scheme or protocol, Galois/Counter Mode (GCM) plays an important role in network security communication. GCM is a commonly used AE mode based on symmetric-key cryptography and included in the NIST and IETF standards, and it has been widely used in cloud computing, the Internet of Things, network communication protocols, and other fields [1,2,3]. For example, the well-known transport layer security protocol TLS1.2 uses AES-GCM [3]. However, with the complexity, diversity, and heterogeneity of communication networks, more robust and resilient cryptographic schemes have attracted people’s attention.
Most AE schemes including GCM are nonce-based AE (nAE) schemes and they have proven security in the nonce-respecting setting (the nonce used in the encryption algorithm is distinct). In real life, however, the nonce is often reused. If the nonce is reused, the security of nonce-respecting AE (NRAE) schemes represented by GCM will be broken. To settle this problem, Rogaway and Shrimpton introduced the nonce-misuse-resistant AE (MRAE) notion and proposed the first MRAE construction, called the synthetic initialization vector (SIV) [4]. SIV is roughly as efficient as the general two-pass AE modes (such as CCM), but more resilient to nonce misuse [4]. A large number of MRAE designs followed, such as HBS [5], BTM [6], MR-OMD [7], GCM-SIV [8], AES-GCM-SIV [9], GCM-SIV1 [10], GCM-SIV2 [10], CCM-SIV [11], SAEF [12], and GIFT-COFB [13]. Later, Dutta et al. refined nonce misuse and introduced a faulty nonce notion to specify the degree of repeated nonce tolerance [14]. The faulty nonce notion covers nonce respecting and nonce misuse. For a μ -faulty nonce, if μ = 0 , it is expected to degenerate to nonce-respecting; if μ 1 , it is nonce-misuse. At ASIACRYPT 2021, Choi et al. introduced the faulty nonce to AE, presented a parallelizable nonce-based AE mode SCM, and proved its security with graceful degradation in the faulty nonce security model [15].
In addition to nonce misuse or a faulty nonce, Andreeva et al. proposed a new security model, releasing unverified plaintext (RUP), on the traditional nAE security model, to adapt to a new or side-channel environment in which plaintext information is released before verification [16]. There exist many RUP-secure AE schemes, such as COLM [17], OCB-IC [18], ChaCha20-Poly1305 [19], LOCUS [20], LOTUS [20], GCM-RUP [21], and SAEB [22].
Besides this, Hoang et al. built a robust AE (RAE) notion to adapt to the ciphertext expansion and then constructed a well-optimized AEZ mode [23]. Later, Badertscher et al. investigated RAE and gave formal descriptions for two additional features of RAE [24]. Shrimpton et al. introduced a protected IV (PIV) framework and gave encode-then-encipher over PIV AE with associated data schemes [25]. Barwell et al. introduced a subtle AE (SAE) security notion using an extra “leakage” algorithm on the basis of the traditional AE security model [26]. The SAE security covers RUP and RAE and is able to leak some information about the invalid plaintext. At FSE 2016, Abed et al. extended the SIV framework by adopting an additional pseudorandom function, introduced a robust initialization vector (RIV) framework for robust authenticated encryption, and proved that RIV supports SAE security [27]. RIV fully inherits the security guarantees of SIV, but, unlike SIV and other MRAE schemes, RIV is also provably secure under RUP and RAE. The robustness mentioned here is a gradient concept. RAE is the most robust version and the traditional AE is the most basic version. Aiming at various possible attacks or complex environments, robust AE schemes are designed to meet the corresponding needs to maintain the confidentiality and integrity of data.
Contributions. In order to adapt to the more complex network environment, the goal of this paper is to put forward robust variants on the basis of GCM and incorporate as many characteristics of robustness into our design scheme as possible. To enhance the robustness of GCM-SIV1, we propose its robust variant, called GCM-RIV1, by introducing RIV instead of SIV, and prove that GCM-RIV1 guarantees birthday-bound SAE security of n / 2 -bit and nonce-misuse resistance if the underlying block cipher uses secure pseudorandom permutation (PRP) and the hash function is XOR-universal, where n is the block size. Then, to support beyond-birthday-bound (BBB) security with graceful degradation and a nonce fault, we introduce another variant, GCM-RIV2, and prove that it not only enjoys approximately 3 n / 4 -bit BBB SAE security but also supports graceful security degradation. Besides this, GCM-RIV1 and GCM-RIV2 are inverse-free, which reduces the cost of block cipher decryption. Moreover, both of them are parallel and robust against the leakage of invalid plaintext. Finally, we present a comparison between our schemes and previous related schemes, which is shown in Table 1.
The rest of the article is arranged as follows. Section 2 presents some basic preliminaries and related security models. Section 3 shows the extended mirror theory. Section 4 and Section 5 show our designs, GCM-RIV1 and GCM-RIV2, and derive their security proof, respectively. Finally, we conclude this paper in Section 6.

2. Preliminaries

Some symbols used in the paper are described in Table 2.
Block Cipher. A block cipher is an important part of symmetric-key cryptography and has been widely used in real life, such as standardized block ciphers SM4 and AES. Its mathematical model can be expressed as E : K × { 0 , 1 } n { 0 , 1 } n . We describe its pseudorandom permutation (PRP) security model as follows.
Definition 1 
(PRP Advantage [27]). Let A be an adversary that has access to an encryption oracle E. Then, the PRP advantage of A against E is defined as
A d v E P R P ( A ) = P r [ K K : A E K = 1 ] P r [ π P e r m ( n ) : A π = 1 ] .
Keyed Function. Let F : K × { 0 , 1 } m { 0 , 1 } n be a keyed function. We describe its pseudorandom function (PRF) security model as follows.
Definition 2 
(PRF Advantage [27]). Let A be an adversary that has access to the function oracle F. Then, the PRF advantage of A against F is defined as
A d v F P R F ( A ) = P r [ K K : A F K = 1 ] P r [ $ F u n c ( m , n ) : A $ = 1 ] .
Nonce-Based Authenticated Encryption (nAE). An nAE with associated data scheme Π = ( E , D ) consists of an encryption algorithm E : K × N × H × M C × T and a decryption algorithm D : K × N × H × C × T M { } . The correctness means that ( C , T ) = E K ( N , A , M ) if and only if (iff) M = D K ( N , A , C , T ) . For nAE schemes, the conventional security model includes IND-CPA and INT-CTXT, which are described as follows.
Definition 3 
(IND-CPA Advantage [27]). Let A be an adversary that has access to an encryption oracle E . Then, the IND-CPA advantage of A against Π is defined as
A d v Π I N D C P A ( A ) = P r [ K K : A E K = 1 ] P r [ A $ = 1 ]
where $ is the ideal version of E K .
Definition 4 
(INT-CTXT Advantage [27]). Let A be an adversary that has access to an encryption oracle E and a decryption oracle D but does not make repeated queries. Then, the INT-CTXT advantage of A against Π is defined as
A d v Π I N T C T X T ( A ) = P r [ K K : A E K , D K f o r g e s ]
where forge means that D K returns anything other than for any query of A .
Later, Rogaway and Shrimpton introduced the all-in-one AE security notion [4], which is described as follows.
Definition 5 
(nAE Advantage [4,27]). Let A be an adversary that has access to an encryption oracle E and a decryption oracle D but does not make repeated queries. Then, the nAE advantage of A against Π is defined as
A d v Π n A E ( A ) = P r [ K K : A E K , D K = 1 ] P r [ A $ , = 1 ]
where $ is the ideal version of E K and is a reject function that always returns a reject symbol.
The all-in-one AE security covered IND-CPA and INT-CTXT; the decomposition of nAE security is described as follows.
Lemma 1 
(Decomposition of nAE Security [26,27]). Let A be an adversary that runs in time at most t and asks at most q queries of at most σ blocks to its respective oracles. Then, there exist computationally bounded IND-CPA and INT-CTXT adversaries B and C , respectively, on Π such that
A d v Π n A E ( A ) A d v Π I N D C P A ( B ) + A d v Π I N T C T X T ( C ) ,
where B and C each make at most q queries of at most σ blocks and run in time O ( t ) each.
Subtle Authenticated Encryption (SAE). An SAE scheme Π = ( E , D , Λ ) introduced by Barwell et al. [26] includes a new deterministic leakage algorithm Λ : K × N × H × C × T { } L in addition to the encryption and decryption algorithms E and D as above, where L is a non-empty leakage space.
Definition 6 
(ERR-CCA Advantage [26,27]). Let A be an adversary that has access to an encryption oracle E , a decryption oracle D , and a leakage oracle Λ but does not make repeated queries. Then, the ERR-CCA advantage of A against Π is defined as
A d v Π E R R C C A ( A ) = P r [ K K : A E K , D K , Λ K = 1 ] P r [ K , K K : A E K , D K , Λ K = 1 ] .
Definition 7 
(SAE Advantage [26,27]). Let A be an adversary that has access to an encryption oracle E , a decryption oracle D , and a leakage oracle Λ but does not make repeated queries. Then, the SAE advantage of A against Π is defined as
A d v Π S A E ( A ) = P r [ K K : A E K , D K , Λ K = 1 ] P r [ K K : A $ , , Λ K = 1 ]
where $ is the ideal version of E K and is a reject function that always returns a reject symbol.
Lemma 2 
(Decomposition of SAE Security [26,27]). Let A run in time at most t and ask at most q queries of at most σ blocks to its respective oracles. Then, there exist computationally bounded IND-CPA, INT-CTXT, and ERR-CCA adversaries B , C , and D , respectively, on Π such that
A d v Π S A E ( A ) A d v Π I N D C P A ( B ) + A d v Π I N T C T X T ( C ) + A d v Π E R R C C A ( D ) ,
where B , C , and D each make at most q queries of at most σ blocks and run in time O ( t ) each.
AXU Hash Functions [27]. Let H : K H × { 0 , 1 } { 0 , 1 } n be a hash function, where K H is a non-empty hash key space. Let L be a hash key randomly drawn from K H . If, for any distinct x , x { 0 , 1 } and y { 0 , 1 } n , it holds that
P r [ L K H : H L ( x ) H L ( x ) = y ] ϵ ,
then H is considered to be ϵ almost XOR universal ( ϵ -AXU). If ϵ = 2 n , H is called an XOR universal (XU) hash function.
H-Coefficient Technique [28,29]. The H-coefficient technique introduced by Patarin is a very useful tool in the security proof of symmetric-key cryptography. Assume that A is a deterministic adversary whose goal is to distinguish the real scheme X from the ideal scheme Y. A interacts with X and Y and records a series of query–response pairs as a transcript τ . Let Γ be the set of all possible transcripts. Let X r e be the random variable interacting with X and Y i d be the random variable interacting with Y. Then, the H-coefficient lemma is presented as follows.
Lemma 3 
(H-Coefficient Lemma [29]). Let Γ = Γ g o o d Γ b a d and ε , δ [ 0 , 1 ] . If P r [ Y i d Γ b a d ] ε and for all τ Γ g o o d , P r [ X r e = τ ] / P r [ Y i d = τ ] 1 δ , then
| P r [ A X = 1 ] P r [ A Y = 1 ] | ε + δ .
O extends  τ . Given a transcript τ = { ( x 1 , y 1 ) , , ( x q , y q ) } and an oracle O, if O ( x i ) = y i for all i [ q ] , we consider that O extends τ , which is symbolized as O τ .

3. Extended Mirror Theory

Let E = E = E be the following affine system of bi-variate equations and non-equations [30,31]:
E = X 1 Y 1 = λ 1 X 2 Y 2 = λ 2 X q Y q = λ q E X 1 Y 1 λ 1 X 2 Y 2 λ 2 X q v Y q v λ q v
The affine system E can be described as an undirected weighted graph G = < V , E , W > or bipartite graph G = < V 1 , V 2 , E , W > , where the vertex set V = V 1 V 2 , the edge set E, and the weighted function W are, respectively,
V 1 = { X 1 , , X q , X 1 , , X q v } , V 2 = { Y 1 , , Y q , Y 1 , , Y q v } , E = { e = ( X , Y ) } { e = ( X , Y ) } , W : E { 0 , 1 } n .
Let G = = < V = , E = , W > be the subgraph of G induced by E = . We assume that G = is divided into α components with more than two vertexes and β components with only two vertexes, i.e., G = = C 1 C α D 1 D β .
We say that graph G is good if it satisfies the following three conditions:
  • G = must be acylic, i.e., G = has no graph cycles.
  • W ( P ) 0 for all paths P in the graph G = , where W ( P ) = e P W ( e ) .
  • W ( C ) 0 for all cycles C with exactly one non-equation edge e (the remaining edges are the equation edges) in the graph G, where W ( C ) = e C W ( e ) .
For a bipartite graph G, we say that G is good if it satisfies the following three conditions:
  • G = must be acylic, i.e., G = has no graph cycles.
  • W ( P ) 0 for all paths P with an even length in the graph G = , where W ( P ) = e P W ( e ) .
  • W ( C ) 0 for all cycles C with an even length containing exactly one non-equation edge e (the remaining edges are the equation edges) in the graph G, where W ( C ) = e C W ( e ) .
Lemma 4 
(Graph Description of Extended Mirror Theory [30]). Let G = < V , E , W > be a good undirected weighted graph induced by E , and | V | = r , | E | = q + q v . Let q c be the total edges of components with more than two vertexes. Then, the number of solutions to E that are chosen from { 0 , 1 } n is at least
( 2 n ) r 2 n q ( 1 9 q c 2 4 · 2 n 9 q c 2 q + 24 q c q 2 + 6 q c q + 40 q 2 2 2 n 16 q 4 2 3 n 7 q v 2 n ) .
Lemma 5 
(Bipartite Graph Description of Extended Mirror Theory [30]). Let G = < V 1 , V 2 , E , W > be a good undirect weighted bipartite graph induced by E , and | V 1 | = q , | V 2 | = q , q + q = r , | E | = q + q v . Let q c be the total edges of components with more than two vertexes. Then, the number of solutions to E that are chosen from { 0 , 1 } n is at least
( 2 n ) q ( 2 n ) q 2 n q ( 1 9 q c 2 4 · 2 n 9 q c 2 q + 6 q c q 2 + 4 q 2 4 · 2 2 n 8 q 4 3 · 2 3 n 5 q v 2 n ) .

4. GCM-RIV1

We introduce RIV to GCM-SIV1, propose GCM-RIV1, and prove its sAE security. GCM-RIV1 inherits the full security guarantee from GCM-SIV1 and provides stronger security and robustness against the leakage of invalid plaintext.

4.1. Specific Description of GCM-RIV1

Let H : K H × N × H × { 0 , 1 } { 0 , 1 } n be an ϵ AXU hash function, and E : K E × { 0 , 1 } n { 0 , 1 } n be a block cipher, where K H is a hash key space, N is a nonce space, H is an associated data space, K E is an encryption key space, and n is the block size.
According to the idea of RIV, firstly, a nonce N N , an associated datum A H , and a plaintext M { 0 , 1 } can be processed by a function constructed by a hash function H with a hash key L K H and a block cipher E with an encryption key K K E to generate a robust initialization vector V { 0 , 1 } n . Then, the initialization vector V and the plaintext M are taken as inputs of the CounTeR (CTR) encryption algorithm with a block cipher E K and return the ciphertext C. Again, the nonce N, the associated datum A, and the ciphertext C are processed by the function constructed by a hash function H with a hash key L and a block cipher E with an encryption key K and then it returns S. Finally, S is added to V to generate the authentication tag T { 0 , 1 } n .
The overview of GCM-RIV1 is illustrated in Figure 1. The key generation, encryption, decryption, leakage, GHASH, and CTR algorithms are shown in Algorithms 1, 2, 3, 4, 5 and 6, respectively.
Algorithm 1 The key generation algorithm: KG
Input: a key parameter k
Output: two keys ( L , K )
( L , K ) $ K H × K E
return ( L , K )
Algorithm 2 The encryption algorithm: E
Input: two keys ( L , K ) , a nonce N, an associated datum A, and a plaintext M
Output: a ciphertext C and a tag T
I = H L ( N , A , M ) = G H A S H L ( A , M ) N | | [ 0 ] n 4
V = E K ( I )
C = C T R K ( V , M )
J = H L ( N , A , C ) = G H A S H L ( A , C ) N | | [ 0 ] n 4
S = E K ( J )
T = V S
return ( C , T )
Algorithm 3 The decryption algorithm: D
Input: two keys ( L , K ) , a nonce N, an associated datum A, a ciphertext C, and a tag T
Output: a plaintext M or ⊥
J = H L ( N , A , C ) = G H A S H L ( A , C ) N | | [ 0 ] n 4
S = E K ( J )
V = T S
M = C T R K ( V , C )
I = H L ( N , A , M ) = G H A S H L ( A , M ) N | | [ 0 ] n 4
V = E K ( I )
if  V = V , return M
else return ⊥ (INVALID)
endif
Algorithm 4 The leakage algorithm: Λ
Input: two keys ( L , K ) , a nonce N, an associated datum A, a ciphertext C, and a tag T
Output: a leaking invalid plaintext M or ⊤
J = H L ( N , A , C ) = G H A S H L ( A , C ) N | | [ 0 ] n 4
S = E K ( J )
V = T S
M = C T R K ( V , C )
I = H L ( N , A , M ) = G H A S H L ( A , M ) N | | [ 0 ] n 4
V = E K ( I )
if  V = V , return
else return M
endif
Algorithm 5 GHASH algorithm: G H A S H L ( A , M )
Input: a key L, an associated datum A, and a plaintext M
Output: a hash value h
A + A | | 0 n | A | m o d n , M + M | | 0 n | M | m o d n
X A + | | M + | | [ | A | ] n / 2 | | [ | M | ] n / 2
X 1 X x X , | X i | = n , 1 i x
h 0
for  i = 1  to x do
      h ( h X i ) · L
endfor
return h
Algorithm 6 CTR algorithm: C T R K ( V , M )
Input: a key K, an initial vector V, and a plaintext M
Output: a ciphertext C
Partition M into M 1 M m , | M i | = n , 1 i m 1 , 0 < | M m | n
for  i = 1  to  m 1  do
      C i E K ( V + i ) M i
endfor
C m m s b | M m | ( E K ( V + m ) ) M m
return  C = C 1 | | C 2 | | | | C m

4.2. Security of GCM-RIV1

We present the information-theoretic security proof of GCM-RIV1 under the assumption that the underlying block cipher is a secure pseudorandom permutation.
Theorem 1. 
Let H be an ϵ-AXU hash function. Let A be an adversary against GCM-RIV1 that makes at most q queries with at most σ blocks in total. Then, there exists an adversary B against E that makes at most 7 ( 2 q + σ ) queries, and one has
A d v G C M R I V 1 S A E ( A ) A d v E P R P ( B ) + 6 ( q + σ ) 2 + 3 q 2 n + 12 q 2 ϵ .
Proof. 
The idea of the proof depends on the decomposition of the SAE security model. Thus, calculating the upper bound on A d v G C M R I V 1 S A E ( A ) is transformed into calculating the upper bounds of A d v G C M R I V 1 I N D C P A ( A 1 ) , A d v G C M R I V 1 I N T C T X T ( A 2 ) , and A d v G C M R I V 1 E R R C C A ( A 3 ) , where A 1 , A 2 and A 3 are IND-CPA, INT-CTXT, and ERR-CCA adversaries against GCM-RIV1, respectively, and each makes at most q queries of at most σ blocks.
First, we upper-bound A d v G C M R I V 1 I N D C P A ( A 1 ) . In the IND-CPA security model, the adversary A 1 makes q queries to the encryption oracle E K (real scheme GCM-RIV1) or $ (ideal version of GCM-RIV1). According to Definition 3, one has
A d v G C M R I V 1 I N D C P A ( A 1 ) = P r [ K K : A E K = 1 ] P r [ A $ = 1 ]
We replace the block ciphers E K in GCM-RIV1 with a random permutation π , which costs A d v E P R P ( B ) for a PRP adversary B against E with at most q + σ queries.
We assume that the adversary A 1 makes q queries ( N 1 , A 1 , M 1 ) , , ( N q , A q , M q ) to the encryption oracle and it reruns ( C 1 , T 1 ) , , ( C q , T q ) . We record all query–response pairs as a transcript τ = { ( N 1 , A 1 , M 1 , C 1 , T 1 ) , , ( N q , A q , M q , C q , T q ) } .
According to the H-coefficient lemma (Lemma 3), here, we first define a bad transcript and then state the probability of a bad transcript in the ideal world.
Definition 8. 
A transcript τ is called bad if one of the following events holds:
1
Collisions occur between the outputs of the ϵ-AXU hash function H L .
  • Bad1: I i = I j ( V i = V j ) for any 1 i j q .
  • Bad2: J i = J j ( S i = S j ) for any 1 i j q .
  • Bad3: I i = J j ( V i = S j ) for any 1 i , j q .
2
Collisions occur between the inputs or outputs of π.
  • Bad4: V i + k = V j + l for any 1 i , j q , 1 k m i , 1 l m j , and ( i , k ) ( j , l ) .
  • Bad5: V i + k = I j for any 1 i , j q , 1 k m i .
  • Bad6: V i + k = J j for any 1 i , j q , 1 k m i .
3
Collisions occur between the authentication tags.
  • Bad7: T i = T j for any 1 i j q .
Let Γ b a d be a set of all bad transcripts, Γ be a set of all transcripts, and Γ = Γ b a d Γ g o o d . Let X r e be the random variable interacting with the real scheme GCM-RIV1[ π ] and Y i d be the random variable interacting with the ideal version. We first upper-bound the probability P r [ Y i d Γ b a d ] .
For the event Bad1, given any two distinct tuples of the nonce, the associated data, and the plaintext ( N i , A i , M i ) ( N j , A j , M j ) , according to the properties of the ϵ -AXU hash function H, the probability of I i = I j is
P r [ I i = I j ] = P r [ H L ( N i , A i , M i ) = H L ( N j , A j , M j ) ] ϵ .
Therefore, for q queries, one has
P r [ B a d 1 ] = 1 i j q P r [ I i = I j ] q 2 ϵ / 2 .
Similarly, for the event Bad2, one has P r [ B a d 2 ] = 1 i j q P r [ J i = J j ] q 2 ϵ / 2 .
For the event Bad3, one has P r [ B a d 3 ] = 1 i , j q P r [ I i = J j ] q 2 ϵ .
For the event Bad4, according to σ = 1 i q m i = 1 j q m j , one has
P r [ B a d 4 ] = 1 i j q 1 k m i , 1 l m j P r [ V i + k = V j + l ] + 1 i q 1 k l m i P r [ V i + k = V j + l ] σ 2 / 2 n .
For the event Bad5, according to the properties of the ϵ -AXU hash function H, the probability of V i + k = I j is
P r [ V i + k = I j ] = P r [ V i + k = H L ( N j , A j , M j ) ] 1 / 2 n .
Therefore, for q queries, according to σ = 1 i q m i , one has
P r [ B a d 5 ] = 1 i , j q 1 k m i P r [ V i + k = I j ] q σ / 2 n .
Similarly, for the event Bad6, P r [ B a d 6 ] = 1 i , j q 1 k m i P r [ V i + k = J j ] q σ / 2 n .
For the event Bad7, one has P r [ B a d 7 ] = 1 i j q P r [ T i = T j ] q 2 / 2 n + 1 .
To sum up, one has
P r [ Y i d Γ b a d ] = 1 i 7 P r [ B a d i ] 1 i 7 P r [ B a d i ] ( q + σ ) 2 2 n + 2 q 2 ϵ .
In the good transcript τ , we bound the ratio between P r [ X r e = τ ] and P r [ Y i d = τ ] .
For the real scheme GCM-RIV1[ π ], one has
P r [ X r e = τ ] = P r [ π P e r m ( n ) : G C M R I V 1 [ π ] τ ] = | π P e r m ( n ) : G C M R I V 1 [ π ] τ | | P e r m ( n ) | = ( 2 n ( q + σ ) ) ! ( 2 n ) ! = 1 ( 2 n ) q + σ 1 2 ( q + σ ) n .
For the ideal version $, one has
P r [ Y i d = τ ] = P r [ $ F u n c ( | N | + | A | + | M | , ( q + σ ) n ) : $ τ ] = 1 2 ( q + σ ) n .
Therefore, the ratio between P r [ X r e = τ ] and P r [ Y i d = τ ] is P r [ X r e = τ ] P r [ Y i d = τ ] 1 .
Therefore, according to the H-coefficient technique, for a PRP adversary B against E with at most q + σ queries, one has
A d v G C M R I V 1 I N D C P A ( A 1 ) A d v E P R P ( B ) + ( q + σ ) 2 2 n + 2 q 2 ϵ .
Then, we upper-bound A d v G C M R I V 1 I N T C T X T ( A 2 ) . In the INT-CTXT security model, the adversary A 2 has access to encryption and decryption oracles E K and D K , with at most q queries of at most σ blocks each. According to Definition 4, one has
A d v G C M R I V 1 I N T C T X T ( A ) = P r [ K K : A E K , D K f o r g e s ] .
The evaluation of A d v G C M R I V 1 I N T C T X T ( A 2 ) is similar to the above. Therefore, we briefly describe it here. In the decryption oracle, for every fresh tuple of the nonce, the associated data, and the plaintext, the ϵ -AXU hash function H generates an identical I or V with ϵ probability. Similarly, for every fresh tuple of the nonce, the associated data, and the ciphertext, the ϵ -AXU hash function H generates an identical J or S with ϵ probability. Therefore, the adversary makes q queries to bring at most approximately q 2 ϵ collision probabilities. In addition, I may collide with J, which brings about q 2 ϵ collision probabilities. For each fresh V, CTR will generate a random key-stream. According to the result of the CTR mode, it costs A d v E P R P ( B ) + σ 2 2 n . Similarly, collisions may occur between the authentication tags, which cost q 2 2 n + 1 . Besides this, V + 1 , V + 2 , may collide with I or J, which costs 2 q σ 2 n . For each new tuple of the nonce, the associated data, the ciphertext, and the authentication tag, the probability that the decryption algorithm passes the verification is at most q / 2 n . Therefore, for a PRP adversary B against E with at most 2 ( 2 q + σ ) queries, one has
A d v G C M R I V 1 I N T C T X T ( A 2 ) A d v E P R P ( B ) + ( q + σ ) 2 + q 2 n + 2 q 2 ϵ .
Finally, we upper-bound A d v G C M R I V 1 E R R C C A ( A 3 ) . In the ERR-CCA security model, the adversary A 3 has access to encryption, decryption, and leakage oracles, with at most q queries of at most σ blocks each. According to Definition 6, one has
A d v G C M R I V 1 E R R C C A ( A ) = P r [ K K : A E K , D K , Λ K = 1 ] P r [ K , K K : A E K , D K , Λ K = 1 ] .
Similar to the cases above, the probability of bad events (collisions occur) in the encryption or decryption oracles is upper-bounded by A d v E P R P ( B ) + ( q + σ ) 2 2 n + 2 q 2 ϵ . In the leakage algorithm Λ , for two distinct dummy keys K , K , the probability of bad events (collisions occur) is also upper-bounded by A d v E P R P ( B ) + ( q + σ ) 2 2 n + 2 q 2 ϵ . Besides this, for each new tuple of the nonce, the associated data, the ciphertext, and the authentication tag, the probability that the leakage algorithm passes the verification is at most q / 2 n . Therefore, for a PRP adversary B against E with at most 4 ( 2 q + σ ) queries, one has
A d v G C M R I V 1 E R R C C A ( A 3 ) A d v E P R P ( B ) + 4 ( q + σ ) 2 + 2 q 2 n + 8 q 2 ϵ .
To summarize, according to Lemma 2, the SAE security of GCM-RIV1 is upper-bounded by
A d v G C M R I V 1 S A E ( A ) A d v E P R P ( B ) + 6 ( q + σ ) 2 + 3 q 2 n + 12 q 2 ϵ .
The security proof of Theorem 1 is finished.    □
Theorem 1 shows that GCM-RIV1 enjoys birthday-bound SAE security with n / 2 -bit and nonce-misuse resistance if the underlying block cipher is a secure PRP and ϵ = 2 n .

5. GCM-RIV2

To support beyond-birthday-bound (BBB) security, we introduce the sum of permutation (SoP) construction to GCM-RIV1, propose GCM-RIV2, and prove its sAE security. GCM-RIV2 provides stronger BBB security and robustness against the leakage of invalid plaintext.

5.1. Specific Description of GCM-RIV2

Before describing the specific scheme, let us explain our design idea. In the beginning, we wished to construct it based on GCM-SIV2. GCM-SIV2 is a BBB-secure nonce-based AE scheme and it follows SIV. Similar to GCM-RIV1, we introduce RIV instead of SIV to GCM-SIV2 and invoke two extra hash functions to generate two initialization vectors. In the encryption algorithm of GCM-SIV2, two initialization vectors are taken as the inputs of the SoP-based CTR-like mode to generate the key-stream and then the result is XORed to the plaintext to generate the ciphertext. Meanwhile, two initialization vectors are taken as the inputs of an SoP construction to generate the authentication tag. However, we found that the design obtained in this way is very inefficient. To improve the efficiency while ensuring BBB security, we utilize an initialization vector and a nonce instead of two initialization vectors so that we can perform pre-calculations during the encryption and decryption. Let us name this new scheme GCM-RIV2. The encryption part of GCM-RIV2 is an SoP-based CTR-like mode that ensures BBB security. The authentication part of GCM-RIV2 is an XOR construction of two pseudorandom values, which ensures BBB security.
We specifically describe GCM-RIV2 as follows. Let H : K H × N × H × { 0 , 1 } { 0 , 1 } n be an ϵ -AXU-hash function and E : K E × { 0 , 1 } n { 0 , 1 } n be a block cipher, where K H is a hash key space, N is a nonce space, H is an associated data space, K E is an encryption key space, and n is the block size.
According to the idea of RIV, firstly, a nonce N N , an associated datum A H , and a plaintext M { 0 , 1 } can be processed by a function constructed by a hash function H with a hash key L K H and a block cipher E with an encryption key K K E to generate a robust initialization vector V { 0 , 1 } n . Then, the initialization vector V, the nonce N, and the plaintext M are taken as inputs of the SoP-based CTR encryption algorithm with two block ciphers E K 1 and E K 2 and return the ciphertext C. Again, the nonce N, the associated datum A, and the ciphertext C are processed by the function constructed by a hash function H with a hash key L and a block cipher E with an encryption key K and then it returns S. Finally, S is added to V to generate the authentication tag T { 0 , 1 } n .
The overview of GCM-RIV2 is illustrated in Figure 2.
The key generation, encryption, decryption, leakage, and SoP-based CTR algorithms are shown in Algorithms 7, 8, 9, 10 and 11, respectively.
Algorithm 7 The key generation algorithm: KG
Input: a key parameter k
Output: four keys ( K , K 1 , K 2 , L )
( K , K 1 , K 2 , L ) $ K = ( K E , K E , K E , K H )
return  ( K , K 1 , K 2 , L )
Algorithm 8 The encryption algorithm: E
Input: four keys ( K , K 1 , K 2 , L ) , a nonce N, an associated datum A, and a plaintext M
Output: a ciphertext C and a tag T
I = H L ( N , A , M ) = G H A S H L ( A , M ) N | | [ 0 ] n 4
V = E K ( I )
C = S C T R K 1 , K 2 ( V , N , M )
J = H L ( N , A , C ) = G H A S H L ( A , C ) N | | [ 0 ] n 4
S = E K ( J )
T = S V
return  ( C , T )
Algorithm 9 The decryption algorithm: D
Input: four keys ( K , K 1 , K 2 , L ) , a nonce N, an associated datum A, a ciphertext C, and a tag T
Output: a plaintext M or ⊥
J = H L ( N , A , C ) = G H A S H L ( A , C ) N | | [ 0 ] n 4
S = E K ( J )
V = S T
M = S C T R K 1 , K 2 ( V , N , C )
I = H L ( N , A , M ) = G H A S H L ( A , M ) N | | [ 0 ] n 4
V = E K ( I )
if  V = V , return M
else return ⊥ (INVALID)
endif
Algorithm 10 The leaking algorithm: Λ
Input: four keys ( K , K 1 , K 2 , L ) , a nonce N, an associated datum A, a ciphertext C, and a tag T
Output: a leaking invalid plaintext M or ⊤
J = H L ( N , A , C ) = G H A S H L ( A , C ) N | | [ 0 ] n 4
S = E K ( J )
V = S T
M = S C T R K 1 , K 2 ( V , N , C )
I = H L ( N , A , M ) = G H A S H L ( A , M ) N | | [ 0 ] n 4
V = E K ( I )
if  V = V , return ⊤
else return M
endif
Algorithm 11 SoP-based CTR algorithm: S C T R K 1 , K 2 ( V , N , M )
Input: two keys K 1 , K 2 , an initial vector V, a nonce N, and a plaintext M
Output: a ciphertext C
Partition M into M 1 M m , | M i | = n , 1 i m 1 , 0 < | M m | n
for  i = 1  to  m 1  do
      C i E K 1 ( V + i ) E K 2 ( N | | [ i ] n 4 ) M i
endfor
C m m s b | M m | ( E K 1 ( V + m ) E K 2 ( N | | [ m ] n 4 ) ) M m
return  C = C 1 | | C 2 | | | | C m

5.2. Security of GCM-RIV2

We present the information-theoretic security proof of GCM-RIV2 under the assumption that the underlying block cipher is a secure pseudorandom permutation.
Theorem 2. 
Let H be an ϵ-AXU hash function. Let A be an adversary against GCM-RIV2 that makes at most q queries with at most σ blocks in total. Then, there exists an adversary B against E that makes at most 7 ( 2 q + 2 σ ) queries, and one has
A d v G C M R I V 2 S A E ( A ) A d v E P R P ( B ) + + 12 q 4 / 3 ϵ + 6 σ 4 / 3 2 n + 1 + 6 q 4 / 3 2 n + 1 + 12 σ μ 2 2 n + 6 σ 2 2 2 n + 6 q 2 ϵ 2 + 12 q 2 ϵ 2 n + 4 σ 2 μ 2 2 2 n + 8 q 2 ϵ 2 2 n + 486 σ 4 / 3 + 26 σ + 1752 q 4 / 3 + 412 q 2 n .
Proof. 
Similar to the security proof of Theorem 1, according to the decomposition of SAE security, calculating the upper bound on A d v G C M R I V 2 S A E ( A ) is transformed into calculating the upper bounds of A d v G C M R I V 2 I N D C P A ( A 1 ) , A d v G C M R I V 2 I N T C T X T ( A 2 ) , and A d v G C M R I V 2 E R R C C A ( A 3 ) , where A 1 , A 2 and A 3 are IND-CPA, INT-CTXT, and ERR-CCA adversaries against GCM-RIV2, respectively, and each makes at most q queries of at most σ blocks.
First, we upper-bound A d v G C M R I V 2 I N D C P A ( A 1 ) . In the IND-CPA security model, the adversary A 1 makes q queries to the encryption oracle E (real scheme GCM-RIV2) or $ (ideal version of GCM-RIV2).
We replace all block ciphers E K , E K 1 , and E K 2 in GCM-RIV2 with random permutations π , π 1 , and π 2 , which costs A d v E P R P ( B ) for a PRP adversary B against E with at most 2 q + 2 σ queries. Then, one has
A d v G C M R I V 2 I N D C P A ( A 1 ) A d v E P R P ( B ) + A d v G C M R I V 2 [ π , π 1 , π 2 ] I N D C P A ( A 1 ) .
We assume that the adversary A 1 makes q queries ( N 1 , A 1 , M 1 ) , , ( N q , A q , M q ) to the encryption oracle and it reruns ( C 1 , T 1 ) , , ( C q , T q ) . We record all query–response pairs as a transcript τ = { ( N 1 , A 1 , M 1 , C 1 , T 1 ) , , ( N q , A q , M q , C q , T q ) } . Then, one has
V : V 1 = π ( H L ( N 1 , A 1 , M 1 ) ) V q = π ( H L ( N q , A q , M q ) )
S C T R : π 1 ( V 1 + 1 ) π 2 ( N 1 | | [ 1 ] n 4 ) = M 1 1 C 1 1 π 1 ( V 1 + m 1 ) π 2 ( N 1 | | [ m 1 ] n 4 ) = M m 1 1 C m 1 1 π 1 ( V 2 + 1 ) π 2 ( N 2 | | [ 1 ] n 4 ) = M 1 2 C 1 2 π 1 ( V 2 + m 2 ) π 2 ( N 2 | | [ m 2 ] n 4 ) = M m 2 2 C m 2 2 π 1 ( V q + 1 ) π 2 ( N q | | [ 1 ] n 4 ) = M 1 q C 1 q π 1 ( V q + m q ) π 2 ( N q | | [ m q ] n 4 ) = M m q q C m q q
S : S 1 = π ( H L ( N 1 , A 1 , C 1 ) ) S q = π ( H L ( N q , A q , C q ) )
T : S 1 V 1 = T 1 S 2 V 2 = T 2 S q V q = T q
According to the H-coefficient lemma (Lemma 3), here, we first define a bad transcript and then state the probability of a bad transcript in the ideal world and the ratio between the probability of good transcripts in the real world and the probability of good transcripts in the ideal world.
After observing, we found that the equations above correspond to two distinct mirror systems: the SCTR mirror system and the T mirror system. Let X i , j = π 1 ( V i + j ) , Y i , j = π 2 ( N i | | [ j ] n 4 ) , and λ i , j = M j i C j i , where i [ q ] , j [ m i ] and σ = i [ q ] m i . Let V 1 = be a set of vertices { X i , j } i [ q ] , j [ m i ] , V 2 = be a set of vertices { Y i , j } i [ q ] , j [ m i ] , E = be a set of edges { ( X i , j , Y i , j ) } i [ q ] , j [ m i ] , and W = : E = { λ i , j } i [ q ] , j [ m i ] be a weighted function. Then, the SCTR mirror system corresponds to a bipartite graph G S C T R = = < V 1 = , V 2 = , E = , W = > . Similarly, the T mirror system corresponds to a graph G T = = < V T = , E T = , W T = > , where V T = = { S i , V i } i [ q ] , E T = = { ( S i , V i ) } i [ q ] and W T = : E T = { T i } i [ q ] .
In order to be able to use the extended mirror theory and H-coefficient technique, we need to define bad transcripts.
Definition 9. 
A transcript τ is called bad if one of the following events holds:
1
The number of collisions from the outputs of the hash function H L is larger than q 2 / 3 .
  • Bad1: | I i = I j | q 2 / 3 or | V i = V j | q 2 / 3 .
  • Bad2: | J i = J j | q 2 / 3 or | S i = S j | q 2 / 3 .
  • Bad3: | I i = J j | q 2 / 3 or | V i = S j | q 2 / 3 .
2
The number of collisions from the inputs of π 1 is larger than σ 2 / 3 .
  • Bad4: | V i + k = V j + l | σ 2 / 3 .
3
The number of collisions from the inputs of π 2 is larger than q 2 / 3 .
  • Bad5: | N i = N j | q 2 / 3 .
4
The number of collisions from the authentication tag is larger than q 2 / 3 .
  • Bad6: | T i = T j | q 2 / 3 .
5
The constraints of the extended mirror theory include the constraints of the SCTR mirror system (Bad7–Bad9) and the constraints of the the T mirror system (Bad10–Bad15).
  • Bad7: There exist distinct i , k [ q ] such that X i , j = X k , l and Y i , j = Y k , l , where j [ m i ] and l [ m k ] , i.e., V i + j = V k + l and N i | | [ j ] n / 4 = N k | | [ l ] n / 4 (it implies j = l ).
  • Bad8: There exist distinct i , k [ q ] such that X i , j = X k , l and λ i , j = λ k , l , where j [ m i ] and l [ m k ] , i.e., V i + j = V k + l and M j i C j i = M l k C l k .
  • Bad9: There exist distinct i , k [ q ] such that Y i , j = Y k , l and λ i , j = λ k , l , where j [ m i ] and l [ m k ] , i.e., N i | | [ j ] n / 4 = N k | | [ l ] n / 4 (it implies j = l ) and M j i C j i = M l k C l k .
  • Bad10: There exist distinct i , j [ q ] such that S i = S j and V i = V j , i.e., H L ( N i , A i , C i ) = H L ( N j , A j , C j ) and H L ( N i , A i , M i ) = H L ( N j , A j , M j ) .
  • Bad11: There exist distinct i , j [ q ] such that S i = S j and T i = T j , i.e., H L ( N i , A i , C i ) = H L ( N j , A j , C j ) and T i = T j .
  • Bad12: There exist distinct i , j [ q ] such that V i = V j and T i = T j , i.e., H L ( N i , A i , M i ) = H L ( N j , A j , M j ) and T i = T j .
  • Bad13: There exist distinct i , j [ q ] such that S i = V j and V i = S j , i.e., H L ( N i , A i , C i ) = H L ( N j , A j , M j ) and H L ( N i , A i , M i ) = H L ( N j , A j , C j ) .
  • Bad14: There exist distinct i , j [ q ] such that S i = V j and T i = T j , i.e., H L ( N i , A i , C i ) = H L ( N j , A j , M j ) and T i = T j .
  • Bad15: There exist distinct i , j [ q ] such that V i = S j and T i = T j , i.e., H L ( N i , A i , M i ) = H L ( N j , A j , C j ) and T i = T j .
Let Γ b a d be a set of all bad transcripts, Γ be a set of all transcripts, and Γ = Γ b a d Γ g o o d . Let X r e be the random variable interacting with the real scheme GCM-RIV2[ π , π 1 , π 2 ] and Y i d be the random variable interacting with the ideal version. We first upper-bound the probability P r [ Y i d Γ b a d ] .
For Bad1, according to the properties of ϵ -AXU hash functions, the expectation of | I i = I j | for all q queries is E [ | I i = I j | ] = q ( q 1 ) ϵ / 2 . Then, according to Markov’s inequality, the probability that Bad1 occurs is
P r [ B a d 1 ] = P r [ | I i = I j | ] q 2 / 3 ] E [ | I i = I j | ] q 2 / 3 q 4 / 3 ϵ / 2 .
Similarly, for Bad2, one has P r [ B a d 2 ] q 4 / 3 ϵ / 2 .
For Bad3, according to the properties of ϵ -AXU hash functions, the expectation of | I i = J j | for all q queries is E [ | I i = J j | ] = q 2 ϵ . Then, according to Markov’s inequality, the probability that Bad1 occurs is
P r [ B a d 3 ] = P r [ | I i = J j | ] q 2 / 3 ] E [ | I i = J j | ] q 2 / 3 q 4 / 3 ϵ .
For Bad4, the probability that V i + k = V j + l occurs for any i , j , k , l is 2 n . Therefore, the expectation of | V i + k = V j + l | for all σ blocks is E [ | V i + k = V j + l | ] σ 2 / 2 n + 1 . Then, according to Markov’s inequality, the probability that Bad4 occurs is
P r [ B a d 4 ] = P r [ | V i + k = V j + l | ] σ 2 / 3 ] E [ | V i + k = V j + l | ] σ 2 / 3 σ 4 / 3 2 n + 1 .
For Bad5, we consider the nonce-faulty setting. Let N be a μ -faulty nonce and μ 2 < q 2 / 3 . Therefore, the probability that Bad5 occurs is 0.
For Bad6, the probability that T i = T j occurs for any i , j is 2 n . Therefore, the expectation of | T i = T j | for all q blocks is E [ | T i = T j | ] q 2 / 2 n + 1 . Then, according to Markov’s inequality, the probability that Bad6 occurs is
P r [ B a d 6 ] = P r [ | T i = T j | ] q 2 / 3 ] E [ | T i = T j | ] q 2 / 3 q 4 / 3 2 n + 1 .
For Bad7, the probability that V i + j = V k + l occurs for any i , j , k , l is 2 n and the number of pairs ( i , k ) such that N i = N k is at most μ 2 . Then, the probability that Bad7 occurs is
P r [ B a d 7 ] = i , j , k , l P r [ X i , j = X k , l , Y i , j = Y k , l ] = i , j , k P r [ V i + j = V k + j , N i = N k ] σ μ 2 / 2 n .
Similarly, for Bad8, the probability that M j i C j i = M l k C l k occurs for any i , j , k , l is 2 n . Then, the probability that Bad7 occurs is
P r [ B a d 8 ] = i , j , k , l P r [ X i , j = X k , l , λ i , j = λ k , l ] = i , j , k , l P r [ V i + j = V k + l , M j i C j i = M l k C l k ] σ 2 / 2 2 n .
For Bad9, one has
P r [ B a d 9 ] = i , j , k , l P r [ Y i , j = Y k , l , λ i , j = λ k , l ] = i , j , k P r [ N i = N k , M j i C j i = M j k C j k ] σ μ 2 / 2 n .
For Bad10, the probability that S i = S j and V i = V j occur for any i , j is ϵ . Then, the probability that Bad10 occurs is
P r [ B a d 10 ] = i , j P r [ S i = S j , V i = V j ] = i , j P r [ H L ( N i , A i , C i ) = H L ( N j , A j , C j ) , H L ( N i , A i , M i ) = H L ( N j , A j , M j ) ] q 2 ϵ 2 / 2 .
For Bad11, one has
P r [ B a d 11 ] = i , j P r [ S i = S j , T i = T j ] = i , j P r [ H L ( N i , A i , C i ) = H L ( N j , A j , C j ) , T i = T j ] q 2 ϵ / 2 n + 1 .
For Bad12, one has
P r [ B a d 12 ] = i , j P r [ V i = V j , T i = T j ] = i , j P r [ H L ( N i , A i , M i ) = H L ( N j , A j , M j ) , T i = T j ] q 2 ϵ / 2 n + 1 .
For Bad13, the probability that S i = V j and V i = S j occur for any i , j is ϵ . Then, the probability that Bad13 occurs is
P r [ B a d 13 ] = i , j P r [ S i = V j , V i = S j ] = i , j P r [ H L ( N i , A i , C i ) = H L ( N j , A j , M j ) , H L ( N i , A i , M i ) = H L ( N j , A j , C j ) ] q 2 ϵ 2 / 2 .
For Bad14, one has
P r [ B a d 14 ] = i , j P r [ S i = V j , T i = T j ] = i , j P r [ H L ( N i , A i , C i ) = H L ( N j , A j , M j ) , T i = T j ] q 2 ϵ / 2 n + 1 .
For Bad15, one has
P r [ B a d 15 ] = i , j P r [ V i = S j , T i = T j ] = i , j P r [ H L ( N i , A i , M i ) = H L ( N j , A j , C j ) , T i = T j ] q 2 ϵ / 2 n + 1 .
To sum up, the probability of bad transcripts is
P r [ Y i d Γ b a d ] = 1 i 15 P r [ B a d i ] 1 i 15 P r [ B a d i ] 2 q 4 / 3 ϵ + σ 4 / 3 2 n + 1 + q 4 / 3 2 n + 1 + 2 σ μ 2 2 n + σ 2 2 2 n + q 2 ϵ 2 + 2 q 2 ϵ 2 n .
In the good transcript τ , we bound the ratio P r [ X r e = τ ] P r [ Y i d = τ ] between the real scheme GCM-RIV2[ π , π 1 , π 2 ] and its ideal version.
First, we consider P r [ X r e = τ ] for a good transcript τ in the real scheme GCM-RIV2[ π , π 1 , π 2 ].
For the SCTR mirror system, as | V i + k = V j + l |   σ 2 / 3 , the number of edges in components with a size of more than 2 is σ c 4 σ 2 / 3 . Therefore, according to Theorem 5, the number of solutions of G S C T R = is at least
( 2 n ) | V 1 = | ( 2 n ) | V 2 = | 2 n σ 1 δ 1 ,
where δ 1 = 9 σ c 2 4 · 2 n + 9 σ c 2 σ + 6 σ c σ 2 + 4 σ 2 4 · 2 2 n + 8 σ 4 3 · 2 3 n 36 σ 4 / 3 2 n + 36 σ 7 / 3 + 6 σ 8 / 3 + σ 2 2 2 n + 8 σ 4 3 · 2 3 n 81 σ 4 / 3 + σ 2 n .
Similarly, for the T mirror system, as | S i = S j |   q 2 / 3 and | V i = V j |   q 2 / 3 , the number of edges in components with a size of more than 2 is q c 4 q 2 / 3 . Therefore, according to Theorem 4, the number of solutions of G T = is at least
( 2 n ) | V T = | 2 n q 1 δ 2 ,
where δ 2 = 9 q c 2 4 · 2 n + 9 q c 2 q + 24 q c q 2 + 6 q c q + 40 q 2 2 2 n + 16 q 4 2 3 n 36 q 4 / 3 2 n + 144 q 7 / 3 + 96 q 8 / 3 + 24 q 5 / 3 + 40 q 2 2 2 n + 16 q 4 2 3 n 292 q 4 / 3 + 64 q 2 n .
Therefore, for a good graph, it must satisfy both G S C T R = and G T = . It follows that the number of solutions of a good graph G is at least
( 2 n ) | V 1 = | ( 2 n ) | V 2 = | 2 n σ ( 2 n ) | V T = | 2 n q 1 δ 1 1 δ 2 .
In the real scheme GCM-RIV2[ π , π 1 , π 2 ], one has
P r [ X r e = τ ] = P r [ π , π 1 , π 2 P e r m ( n ) : G C M R I V 2 [ π , π 1 , π 2 ] τ ] = | π , π 1 , π 2 P e r m ( n ) : G C M R I V 2 [ π , π 1 , π 2 ] τ | | P e r m ( n ) | 3 ( 2 n ) | V 1 = | ( 2 n ) | V 2 = | 2 n σ ( 2 n ) | V T = | 2 n q 1 δ 1 1 δ 2 ( 2 n | V 1 = | ) ! ( 2 n | V 2 = | ) ! ( 2 n | V T = | ) ! ( 2 n ! ) 3 = 1 2 n σ 1 2 n q 1 δ 1 1 δ 2 .
In the ideal version $, one has
P r [ Y i d = τ ] = P r [ $ F u n c ( | N | + | A | + | M | , ( q + σ ) n ) : $ τ ] = 1 2 ( q + σ ) n .
Therefore, the ratio between P r [ X r e = τ ] and P r [ Y i d = τ ] in the good transcript is
P r [ X r e = τ ] P r [ Y i d = τ ] ( 1 δ 1 ) ( 1 δ 2 ) 1 ( δ 1 + δ 2 ) = 1 δ ,
where δ = δ 1 + δ 2 81 σ 4 / 3 + σ + 292 q 4 / 3 + 64 q 2 n .
According to the H-coefficient technique and Equations (1)–(3), for a PRP adversary B against E with at most 2 q + 2 σ queries, one has
A d v G C M R I V 2 I N D C P A ( A 1 ) A d v E P R P ( B ) + 2 q 4 / 3 ϵ + σ 4 / 3 2 n + 1 + q 4 / 3 2 n + 1 + 2 σ μ 2 2 n + σ 2 2 2 n + q 2 ϵ 2 + 2 q 2 ϵ 2 n + 81 σ 4 / 3 + σ + 292 q 4 / 3 + 64 q 2 n .
Then, we upper-bound A d v G C M R I V 2 I N T C T X T ( A 2 ) . The evaluation process is similar to that of A d v G C M R I V 2 I N D C P A ( A 1 ) except that it also includes that of the extended mirror system with equations and non-equations under forgery attempts. In the INT-CTXT security model, the adversary can access the encryption and decryption oracles. We assume that the adversary A 2 makes q forgery attempts ( N 1 , A 1 , C 1 , T 1 ) , , ( N q , A q , C q , T q ) to the decryption oracle after q queries ( N 1 , A 1 , M 1 ) , , ( N q , A q , M q ) to the encryption oracle and does not make invalid queries. We record all query–response pairs as a transcript τ = { ( N 1 , A 1 , M 1 , C 1 , T 1 ) , , ( N q , A q , M q , C q , T q ) , ( N 1 , A 1 , M 1 , C 1 , T 1 ) , , ( N q , A q , M q , C q , T q ) } . Unlike the mirror system in the IND-CPA security model, here, we consider an extended mirror system with equations and non-equations. The system with equations generated by the encryption oracle is the same as that of IND-CPA, so they are not listed. Let us simply list the system with equations and non-equations generated by the decryption oracle (forgery attempts) below.
S : S 1 = π ( H L ( N 1 , A 1 , C 1 ) ) S q = π ( H L ( N q , A q , C q ) )
V : V 1 = π ( H L ( N 1 , A 1 , M 1 ) ) V q = π ( H L ( N q , A q , M q ) )
S C T R : π 1 ( V 1 + 1 ) π 2 ( N 1 | | [ 1 ] n 4 ) M 1 1 C 1 1 π 1 ( V 1 + m 1 ) π 2 ( N 1 | | [ m 1 ] n 4 ) M m 1 1 C m 1 1 π 1 ( V 2 + 1 ) π 2 ( N 2 | | [ 1 ] n 4 ) M 1 2 C 1 2 π 1 ( V 2 + m 2 ) π 2 ( N 2 | | [ m 2 ] n 4 ) M m 2 2 C m 2 2 π 1 ( V q + 1 ) π 2 ( N q | | [ 1 ] n 4 ) M 1 q C 1 q π 1 ( V q + m q ) π 2 ( N q | | [ m q ] n 4 ) M m q q C m q q
T : S 1 V 1 T 1 S 2 V 2 T 2 S q V q T q
According to the H-coefficient lemma (Lemma 3), here, we first define a bad transcript and then state the probability of a bad transcript in the ideal world and the ratio between the probability of good transcripts in the real world and the probability of good transcripts in the ideal world.
After observing, we found that the system above corresponds to two distinct extended mirror systems: the SCTR with SCTR system and the T with T system. Let X i , j = π 1 ( V i + j ) , Y i , j = π 2 ( N i | | [ j ] n 4 ) , and λ i , j = M j i C j i , where i [ q ] , j [ m i ] and σ = i [ q ] m i . Let V 1 = be a set of vertices { X i , j } i [ q ] , j [ m i ] , V 2 = be a set of vertices { Y i , j } i [ q ] , j [ m i ] , E = be a set of edges { ( X i , j , Y i , j ) } i [ q ] , j [ m i ] , and W = : E = { λ i , j } i [ q ] , j [ m i ] be a weighted function. Then, the SCTR mirror system corresponds to a bipartite graph G S C T R = = < V 1 = , V 2 = , E = , W = > . Let X i , j = π 1 ( V i + j ) , Y i , j = π 2 ( N i | | [ j ] n 4 ) , and λ i , j = M j i C j i , where i [ q ] , j [ m i ] and σ = i [ q ] m i . Let V 1 be a set of vertices { X i , j } i [ q ] , j [ m i ] , V 2 be a set of vertices { Y i , j } i [ q ] , j [ m i ] , E be a set of edges { ( X i , j , Y i , j ) } i [ q ] , j [ m i ] , and W : E { λ i , j } i [ q ] , j [ m i ] be a weighted function. Then, the SCTR with the SCTR system corresponds to a bipartite graph G S C T R = < V 1 , V 2 , E , W > , where V 1 = V 1 = V 1 , V 2 = V 2 = V 2 , E = E = E , and W = W = W .
Similarly, the T mirror system corresponds to a graph G T = = < V T = , E T = , W T = > , where V T = = { S i , V i } i [ q ] , E T = = { ( S i , V i ) } i [ q ] and W T = : E T = { T i } i [ q ] . Then, the T with T system corresponds to a graph G T = < V T , E T , W T > , where V T = V T = V T , E T = E T = E T , and W T = W T = W T .
In order to be able to use the extended mirror theory and H-coefficient technique, we need to define bad transcripts.
Definition 10. 
A transcript τ is called bad if one of the following events holds:
1
Bad1–Bad15 is the same as that of Definition 9.
2
Bad16: V i + j = V k + l , N i | | [ j ] n 4 = N k | | [ l ] n 4 , and M j i C j i = M l k C l k .
3
Bad17: S i = S j , V i = V j , and T i = T j .
4
Bad18: S i = V j , V i = S j , and T i = T j .
Let Γ b a d be a set of all bad transcripts, Γ be a set of all transcripts, and Γ = Γ b a d Γ g o o d . Let X r e be the random variable interacting with the real scheme GCM-RIV2[ π , π 1 , π 2 ] and Y i d be the random variable interacting with the ideal version. We first upper-bound the probability P r [ Y i d Γ b a d ] .
For Bad1–Bad15, Equation (2) has given
P r [ B a d 1 B a d 15 ] 2 q 4 / 3 ϵ + σ 4 / 3 2 n + 1 + q 4 / 3 2 n + 1 + 2 σ μ 2 2 n + σ 2 2 2 n + q 2 ϵ 2 + 2 q 2 ϵ 2 n .
For Bad16, the probability that V i + j = V k + l or M j i C j i = M l k C l k occurs for any i , j , k , l is 2 n and the number of pairs ( i , k ) such that N i = N k is at most μ 2 . Then, the probability of Bad16 is
P r [ B a d 16 ] = i , j , k , l P r [ V i + j = V k + l , N i | | [ j ] n 4 = N k | | [ l ] n 4 , M j i C j i = M l k C l k ] = i , j , k P r [ V i + j = V k + j , N i = N k , M j i C j i = M j k C j k ] σ 2 μ 2 2 2 n .
For Bad17, the probability that S i = S j or V i = V j occurs for any i , j is at most ϵ and the probability that T i = T j occurs for any i , j is 2 n . Then, the probability of Bad17 is
P r [ B a d 17 ] = i , j P r [ S i = S j , V i = V j , T i = T j ] q 2 ϵ 2 2 n .
For Bad18, the probability that S i = V j or V i = S j occurs for any i , j is at most ϵ and the probability that T i = T j occurs for any i , j is 2 n . Then, the probability of Bad18 is
P r [ B a d 18 ] = i , j P r [ S i = V j , V i = S j , T i = T j ] q 2 ϵ 2 2 n .
To sum up, the probability of bad transcripts in the ideal world is
P r [ Y i d Γ b a d ] = i [ 18 ] P r [ B a d i ] i [ 18 ] P r [ B a d i ] 2 q 4 / 3 ϵ + σ 4 / 3 2 n + 1 + q 4 / 3 2 n + 1 + 2 σ μ 2 2 n + σ 2 2 2 n + q 2 ϵ 2 + 2 q 2 ϵ 2 n + σ 2 μ 2 2 2 n + 2 q 2 ϵ 2 2 n .
In the good transcript τ , we bound the ratio P r [ X r e = τ ] P r [ Y i d = τ ] between the real scheme GCM-RIV2[ π , π 1 , π 2 ] and its ideal version.
First, we consider P r [ X r e = τ ] for a good transcript τ in the real scheme GCM-RIV2[ π , π 1 , π 2 ].
For the SCTR with the SCTR extended mirror system, as | V i + k = V j + l |   σ 2 / 3 , the number of edges in components with a size of more than 2 is σ c 4 σ 2 / 3 . Therefore, according to Theorem 5, the number of solutions of G S C T R is at least
( 2 n ) | V 1 | ( 2 n ) | V 2 | 2 n σ 1 δ 1 ,
where δ 1 = 9 σ c 2 4 · 2 n + 9 σ c 2 σ + 6 σ c σ 2 + 4 σ 2 4 · 2 2 n + 8 σ 4 3 · 2 3 n + 5 σ 2 n 36 σ 4 / 3 2 n + 36 σ 7 / 3 + 6 σ 8 / 3 + σ 2 2 2 n + 8 σ 4 3 · 2 3 n + 5 σ 2 n 81 σ 4 / 3 + 6 σ 2 n .
Similarly, for the T with the T extended mirror system, as | S i = S j |   q and | V i = V j |   q 2 / 3 , the number of edges in components with a size of more than 2 is q c 4 q 2 / 3 . Therefore, according to Theorem 4, the number of solutions of G T is at least
( 2 n ) | V T | 2 n q 1 δ 2 ,
where δ 2 = 9 q c 2 4 · 2 n + 9 q c 2 q + 24 q c q 2 + 6 q c q + 40 q 2 2 2 n + 16 q 4 2 3 n + 7 q 2 n 36 q 4 / 3 2 n + 144 q 7 / 3 + 96 q 8 / 3 + 24 q 5 / 3 + 40 q 2 2 2 n + 16 q 4 2 3 n + 7 q 2 n 292 q 4 / 3 + 71 q 2 n .
Therefore, for a good graph, it must satisfy both G S C T R and G T . It follows that the number of solutions of a good graph is at least
( 2 n ) | V 1 | ( 2 n ) | V 2 | 2 n σ ( 2 n ) | V T | 2 n q 1 δ 1 1 δ 2 .
In the real scheme GCM-RIV2[ π , π 1 , π 2 ], one has
P r [ X r e = τ ] = P r [ π , π 1 , π 2 P e r m ( n ) : G C M R I V 2 [ π , π 1 , π 2 ] τ ] = | π , π 1 , π 2 P e r m ( n ) : G C M R I V 2 [ π , π 1 , π 2 ] τ | | P e r m ( n ) | 3 ( 2 n ) | V 1 | ( 2 n ) | V 2 | 2 n σ ( 2 n ) | V T | 2 n q 1 δ 1 1 δ 2 ( 2 n | V 1 | ) ! ( 2 n | V 2 | ) ! ( 2 n | V T | ) ! ( 2 n ! ) 3 = 1 2 n σ 1 2 n q 1 δ 1 1 δ 2 .
In the ideal version $, one has
P r [ Y i d = τ ] = P r [ $ F u n c ( | N | + | A | + | M | , ( q + σ ) n ) : $ τ ] = 1 2 ( q + σ ) n .
Therefore, the ratio between P r [ X r e = τ ] and P r [ Y i d = τ ] in the good transcript is
P r [ X r e = τ ] P r [ Y i d = τ ] ( 1 δ 1 ) ( 1 δ 2 ) 1 ( δ 1 + δ 2 ) = 1 δ ,
where δ = δ 1 + δ 2 81 σ 4 / 3 + 6 σ + 292 q 4 / 3 + 71 q 2 n .
According to the H-coefficient technique and Equations (1), (4) and (5), for a PRP adversary B against E with at most 4 q + 4 σ queries, one has
A d v G C M R I V 2 I N T C T X T ( A 1 ) A d v E P R P ( B ) + 2 q 4 / 3 ϵ + σ 4 / 3 2 n + 1 + q 4 / 3 2 n + 1 + 2 σ μ 2 2 n + σ 2 2 2 n + q 2 ϵ 2 + 2 q 2 ϵ 2 n + σ 2 μ 2 2 2 n + 2 q 2 ϵ 2 2 n + 81 σ 4 / 3 + 6 σ + 292 q 4 / 3 + 71 q 2 n .
Finally, we upper-bound A d v G C M R I V 1 E R R C C A ( A 3 ) . In the ERR-CCA security model, the adversary A 3 has access to the encryption, decryption, and leakage oracles, with at most q queries of at most σ blocks each. The security analysis in the encryption or decryption oracle is similar to that under the above security models, and the security analysis in the leakage oracle is similar to that of the decryption oracle with forgery attempts under the INT-CTXT. Besides this, we also need to consider an extended mirror system with equations and non-equations for distinct dummy keys in the leakage oracle. Therefore, for a PRP adversary B against E with at most 8 q + 8 σ queries, one has
A d v G C M R I V 2 E R R C C A ( A 3 ) A d v E P R P ( B ) + 8 q 4 / 3 ϵ + 4 σ 4 / 3 2 n + 1 + 4 q 4 / 3 2 n + 1 + 8 σ μ 2 2 n + 4 σ 2 2 2 n + 4 q 2 ϵ 2 + 8 q 2 ϵ 2 n + 3 σ 2 μ 2 2 2 n + 6 q 2 ϵ 2 2 n + 324 σ 4 / 3 + 19 σ + 1168 q 4 / 3 + 277 q 2 n .
To summarize, according to Lemma 2, the SAE security of GCM-RIV2 is upper-bounded by
A d v G C M R I V 2 S A E ( A ) A d v E P R P ( B ) + 12 q 4 / 3 ϵ + 6 σ 4 / 3 2 n + 1 + 6 q 4 / 3 2 n + 1 + 12 σ μ 2 2 n + 6 σ 2 2 2 n + 6 q 2 ϵ 2 + 12 q 2 ϵ 2 n + 4 σ 2 μ 2 2 2 n + 8 q 2 ϵ 2 2 n + 486 σ 4 / 3 + 26 σ + 1752 q 4 / 3 + 412 q 2 n .
The security proof of Theorem 2 is finished. □
Theorem 2 shows that GCM-RIV2 enjoys beyond-birthday-bound SAE security with 3 n / 4 -bit and its security bound decreases as parameter μ increases if the underlying block cipher is a secure PRP and ϵ = 2 n .

6. Discussion and Conclusions

GCM-RIV1 and GCM-RIV2 are robust authenticated encryption modes with an inverse-free nature. Both of them are based on the RIV framework, which extends the SIV construction by adopting an extra hash function with block cipher encryption and support nonce misuse. GCM-RIV1 is rate 1 (a plaintext block per each encryption), while GCM-RIV2 is rate 1/2 (a plaintext block per two encryptions). However, fortunately, the nonce-based encryption part of GCM-RIV2 can be precomputed, which means that the running speed of GCM-RIV2 is close to that of GCM-RIV1. Besides this, GCM-RIV1 and GCM-RIV2 are parallelizable. Therefore, overall, the performance of GCM-RIV1 and GCM-RIV2 is only slightly lower than that of GCM-SIV1.
From the perspective of the security, GCM-RIV1 and GCM-RIV2 support stronger security than GCM-SIV1. GCM-RIV1 guarantees birthday-bound SAE security of n / 2 -bit and supports robustness against the leakage of invalid plaintext. GCM-RIV2 enjoys beyond-birthday-bound SAE security with 3 n / 4 -bit graceful degradation and supports robustness against faulty nonces and the leakage of invalid plaintext. Table 1 shows the comparison between our schemes and previous related schemes.
Currently, GCM, GCM-SIV, and its related variants have been widely used in network security protocols. With the complexity, isomerization, and diversification of the network environment, GCM-RIV1 and GCM-RIV2, as robust AE modes, will be highly valued. GCM-RIV1 and GCM-RIV2 provide subtle AE security, nonce-faulty resistance, and birthday-bound security or even degradation-friendly beyond-birthday-bound security, meeting the requirements of the complex, isomerized, and diversified network environments for the robustness, elasticity, and reliable security of AE schemes. However, GCM-RIV1 and GCM-RIV2 need to be further optimized in terms of efficiency and security. GCM-RIV1 only ensures birthday-bound security, while GCM-RIV2 is rate 1/2. One potential future task is to further design more efficient and robust cryptographic schemes adapted to specific environments.

Funding

This research was funded by the National Natural Science Foundation of China (Grant Nos. 61902195, 62072207, and 62272238) and Guangdong Basic and Applied Basic Research Foundation (Grant No. 2022A1515140090).

Data Availability Statement

The data used to support the findings of the study are available within the article.

Acknowledgments

I would like to express my sincere thanks to editors and the anonymous reviewers for their valuable comments and suggestions.

Conflicts of Interest

The author declares no conflict of interest.

References

  1. McGrew, D.A.; Viega, J. The Security and Performance of the Galois/Counter Mode (GCM) of Operation. In Progress in Cryptology—INDOCRYPT 2004, Proceedings of the 5th International Conference on Cryptology in India, Chennai, India, 20–22 December 2004; Canteaut, A., Viswanathan, K., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2004; Volume 3348, pp. 343–355. [Google Scholar] [CrossRef]
  2. Viega, J.; McGrew, D.A. The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP). RFC 2005, 4106, 1–11. [Google Scholar] [CrossRef]
  3. Salowey, J.; Choudhury, A.; McGrew, D.A. AES Galois Counter Mode (GCM) Cipher Suites for TLS. RFC 2008, 5288, 1–8. [Google Scholar] [CrossRef]
  4. Rogaway, P.; Shrimpton, T. A Provable-Security Treatment of the Key-Wrap Problem. In Advances in Cryptology—EUROCRYPT 2006, Proceedings of the 25th Annual International Conference on the Theory and Applications of Cryptographic Techniques, St. Petersburg, Russia, 28 May–1 June 2006; Vaudenay, S., Ed.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2006; Volume 4004, pp. 373–390. [Google Scholar] [CrossRef]
  5. Iwata, T.; Yasuda, K. HBS: A Single-Key Mode of Operation for Deterministic Authenticated Encryption. In Fast Software Encryption, Proceedings of the 16th International Workshop, FSE 2009, Leuven, Belgium, 22–25 February 2009; Dunkelman, O., Ed.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2009; Volume 5665, pp. 394–415. [Google Scholar] [CrossRef]
  6. Iwata, T.; Yasuda, K. BTM: A Single-Key, Inverse-Cipher-Free Mode for Deterministic Authenticated Encryption. In Selected Areas in Cryptography, Proceedings of the 16th Annual International Workshop, SAC 2009, Calgary, AL, Canada, 13–14 August 2009; Jacobson, M.J., Rijmen, V., Safavi-Naini, R., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2009; Volume 5867, pp. 313–330. [Google Scholar] [CrossRef]
  7. Reyhanitabar, R.; Vaudenay, S.; Vizár, D. Misuse-Resistant Variants of the OMD Authenticated Encryption Mode. In Provable Security, Proceedings of the 8th International Conference, ProvSec 2014, Hong Kong, China, 9–10 October 2014; Chow, S.S.M., Liu, J.K., Hui, L.C.K., Yiu, S., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2014; Volume 8782, pp. 55–70. [Google Scholar] [CrossRef]
  8. Gueron, S.; Lindell, Y. GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, 12–16 October 2015; Ray, I., Li, N., Kruegel, C., Eds.; ACM, Association for Computing Machinery: New York, NY, USA, 2015; pp. 109–119. [Google Scholar] [CrossRef]
  9. Gueron, S.; Langley, A.; Lindell, Y. AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption. RFC 2019, 8452, 1–42. [Google Scholar] [CrossRef]
  10. Iwata, T.; Minematsu, K. Stronger Security Variants of GCM-SIV. IACR Trans. Symmetric Cryptol. 2016, 2016, 134–157. [Google Scholar] [CrossRef]
  11. Kresmer, P.; Zeh, A. CCM-SIV: Single-PRF Nonce-Misuse-Resistant Authenticated Encryption. IACR Cryptol. ePrint Arch. 2019, 892, 1–29. [Google Scholar]
  12. Andreeva, E.; Bhati, A.S.; Vizár, D. Nonce-Misuse Security of the SAEF Authenticated Encryption Mode. In Selected Areas in Cryptography, Proceedings of the SAC 2020—27th International Conference, Halifax, NS, Canada (Virtual Event), 21–23 October 2020; Dunkelman, O., Jacobson, M.J., O’Flynn, C., Eds.; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2020; Volume 12804, pp. 512–534. [Google Scholar] [CrossRef]
  13. Inoue, A.; Guo, C.; Minematsu, K. Nonce-misuse resilience of Romulus-N and GIFT-COFB. IET Inf. Secur. 2023, 17, 468–484. [Google Scholar] [CrossRef]
  14. Dutta, A.; Nandi, M.; Talnikar, S. Beyond Birthday Bound Secure MAC in Faulty Nonce Model. In Advances in Cryptology, Proceedings of the EUROCRYPT 2019—38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Part I, Darmstadt, Germany, 19–23 May 2019; Ishai, Y., Rijmen, V., Eds.; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2019; Volume 11476, pp. 437–466. [Google Scholar] [CrossRef]
  15. Choi, W.; Lee, B.; Lee, J.; Lee, Y. Toward a Fully Secure Authenticated Encryption Scheme from a Pseudorandom Permutation. In Advances in Cryptology, Proceedings of the ASIACRYPT 2021—27th International Conference on the Theory and Application of Cryptology and Information Security, Part III, Singapore, 6–10 December 2021; Tibouchi, M., Wang, H., Eds.; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2021; Volume 13092, pp. 407–434. [Google Scholar] [CrossRef]
  16. Andreeva, E.; Bogdanov, A.; Luykx, A.; Mennink, B.; Mouha, N.; Yasuda, K. How to Securely Release Unverified Plaintext in Authenticated Encryption. In Advances in Cryptology, Proceedings of the ASIACRYPT 2014—20th International Conference on the Theory and Application of Cryptology and Information Security, Part I, Kaoshiung, Taiwan, 7–11 December 2014; Sarkar, P., Iwata, T., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2014; Volume 8873, pp. 105–125. [Google Scholar] [CrossRef]
  17. Datta, N.; Luykx, A.; Mennink, B.; Nandi, M. Understanding RUP Integrity of COLM. IACR Trans. Symmetric Cryptol. 2017, 2017, 143–161. [Google Scholar] [CrossRef]
  18. Zhang, P.; Wang, P.; Hu, H.; Cheng, C.; Kuai, W. INT-RUP Security of Checksum-Based Authenticated Encryption. In Provable Security, Proceedings of the 11th International Conference, ProvSec 2017, Xi’an, China, 23–25 October 2017; Okamoto, T., Yu, Y., Au, M.H., Li, Y., Eds.; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2017; Volume 10592, pp. 147–166. [Google Scholar] [CrossRef]
  19. Imamura, K.; Minematsu, K.; Iwata, T. Integrity analysis of authenticated encryption based on stream ciphers. Int. J. Inf. Sec. 2018, 17, 493–511. [Google Scholar] [CrossRef]
  20. Chakraborti, A.; Datta, N.; Jha, A.; Mancillas-López, C.; Nandi, M.; Sasaki, Y. INT-RUP Secure Lightweight Parallel AE Modes. IACR Trans. Symmetric Cryptol. 2019, 2019, 81–118. [Google Scholar] [CrossRef]
  21. Ashur, T.; Dunkelman, O.; Luykx, A. Boosting Authenticated Encryption Robustness with Minimal Modifications. In Advances in Cryptology, Proceedings of the CRYPTO 2017—37th Annual International Cryptology Conference, Part III, Santa Barbara, CA, USA, 20–24 August 2017; Katz, J., Shacham, H., Eds.; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2017; Volume 10403, pp. 3–33. [Google Scholar] [CrossRef]
  22. Datta, N.; Dutta, A.; Ghosh, S. INT-RUP Security of SAEB and TinyJAMBU. In Progress in Cryptology, Proceedings of the INDOCRYPT 2022—23rd International Conference on Cryptology in India, Kolkata, India, 11–14 December 2022; Isobe, T., Sarkar, S., Eds.; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2022; Volume 13774, pp. 146–170. [Google Scholar] [CrossRef]
  23. Hoang, V.T.; Krovetz, T.; Rogaway, P. Robust Authenticated-Encryption AEZ and the Problem That It Solves. In Advances in Cryptology, Proceedings of the EUROCRYPT 2015—34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Part I, Sofia, Bulgaria, 26–30 April 2015; Oswald, E., Fischlin, M., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2015; Volume 9056, pp. 15–44. [Google Scholar] [CrossRef]
  24. Badertscher, C.; Matt, C.; Maurer, U.; Rogaway, P.; Tackmann, B. Robust Authenticated Encryption and the Limits of Symmetric Cryptography. In Cryptography and Coding, Proceedings of the 15th IMA International Conference, IMACC 2015, Oxford, UK, 15–17 December 2015; Groth, J., Ed.; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2015; Volume 9496, pp. 112–129. [Google Scholar] [CrossRef]
  25. Shrimpton, T.; Terashima, R.S. A Modular Framework for Building Variable-Input-Length Tweakable Ciphers. In Advances in Cryptology, Proceedings of the ASIACRYPT 2013—19th International Conference on the Theory and Application of Cryptology and Information Security, Part I, Bengaluru, India, 1–5 December 2013; Sako, K., Sarkar, P., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2013; Volume 8269, pp. 405–423. [Google Scholar] [CrossRef]
  26. Barwell, G.; Page, D.; Stam, M. Rogue Decryption Failures: Reconciling AE Robustness Notions. In Cryptography and Coding, Proceedings of the 15th IMA International Conference, IMACC 2015, Oxford, UK, 15–17 December 2015; Groth, J., Ed.; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2015; Volume 9496, pp. 94–111. [Google Scholar] [CrossRef]
  27. Abed, F.; Forler, C.; List, E.; Lucks, S.; Wenzel, J. RIV for Robust Authenticated Encryption. In Fast Software Encryption, Proceedings of the 23rd International Conference, FSE 2016, Bochum, Germany, 20–23 March 2016; Peyrin, T., Ed.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2016; Volume 9783, pp. 23–42. [Google Scholar] [CrossRef]
  28. Patarin, J. The “Coefficients H” Technique. In Selected Areas in Cryptography, Proceedings of the 15th International Workshop, SAC 2008, Sackville, NB, Canada, 14–15 August 2008; Avanzi, R.M., Keliher, L., Sica, F., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2008; Volume 5381, pp. 328–345. [Google Scholar] [CrossRef]
  29. Hoang, V.T.; Tessaro, S. Key-Alternating Ciphers and Key-Length Extension: Exact Bounds and Multi-user Security. In Advances in Cryptology, Proceedings of the CRYPTO 2016—36th Annual International Cryptology Conference, Santa Barbara, CA, USA, 14–18 August 2016; Robshaw, M., Katz, J., Eds.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2016; Volume 9814, pp. 3–32. [Google Scholar] [CrossRef]
  30. Datta, N.; Dutta, A.; Dutta, K. Improved Security Bound of (E/D)WCDM. IACR Trans. Symmetric Cryptol. 2021, 2021, 138–176. [Google Scholar] [CrossRef]
  31. Mennink, B.; Neves, S. Encrypted Davies-Meyer and Its Dual: Towards Optimal Security Using Mirror Theory. In Advances in Cryptology, Proceedings of the CRYPTO 2017—37th Annual International Cryptology Conference, Part III, Santa Barbara, CA, USA, 20–24 August 2017; Katz, J., Shacham, H., Eds.; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2017; Volume 10403, pp. 556–583. [Google Scholar] [CrossRef]
Figure 1. GCM-RIV1: GCM variant with robust initialization vector.
Figure 1. GCM-RIV1: GCM variant with robust initialization vector.
Mathematics 11 04888 g001
Figure 2. GCM-RIV2: beyond-birthday-bound secure GCM variant with robust initialization vector.
Figure 2. GCM-RIV2: beyond-birthday-bound secure GCM variant with robust initialization vector.
Mathematics 11 04888 g002
Table 1. Comparison between our schemes and previous related schemes, where # represents the count, m represents the largest number of plaintext blocks, n is the block size, and NR (resp. NM, resp. NF) stands for the nonce-respecting setting (resp. the nonce-misuse setting, resp. the nonce-faulty setting).
Table 1. Comparison between our schemes and previous related schemes, where # represents the count, m represents the largest number of plaintext blocks, n is the block size, and NR (resp. NM, resp. NF) stands for the nonce-respecting setting (resp. the nonce-misuse setting, resp. the nonce-faulty setting).
Scheme# Key# Block Cipher# HashInverse FreeReference
GCM2m1Yes[1]
GCM-SIV12 m + 1 1Yes[10]
GCM-SIV26 2 m + 4 2Yes[10]
GCM-RUP4 m + 3 2No[21]
GCM-RIV12 m + 2 2YesSection 4
GCM-RIV24 2 m + 2 2YesSection 5
GCM n / 2 -bit--nAELow
GCM-SIV1 n / 2 -bit n / 2 -bit-nAEMedium
GCM-SIV2 2 n / 3 -bit 2 n / 3 -bit-nAEMedium
GCM-RUP n / 2 -bit n / 2 -bit-RUPHigh
GCM-RIV1 n / 2 -bit n / 2 -bit n / 2 -bitSAEHigher
GCM-RIV2 3 n / 4 -bit 3 n / 4 -bit 3 n / 4 -bit 1SAEHigher
1 3n/4-bit gracefully degradable as parameter μ increases.
Table 2. Descriptions of symbols.
Table 2. Descriptions of symbols.
SymbolDescriptionSymbolDescription
K the key space N the nonce space
H the associated data space M the plaintext space
C the ciphertext space T the authentication tag space
the bitwise XOR+the addition modulo 2 n
·the multiplication modulo 2 n | | the concatenation of strings
{ 0 , 1 } a set of all strings { 0 , 1 } n a set of n-bit strings
P e r m ( n ) an n-bit permutation setuniform random sampling
F u n c ( m , n ) a set of all functions from m-bit inputs to n-bit outputs A O = 1 an adversary A outputs 1 after interacting with the oracle O
P r [ E ] the probability of an event E [ r ] a set { 1 , 2 , , r }
a valid (success) symbola reject (failure) symbol
m s b the most significant bit l s b the least significant bit
| X | the number of elements in set X ( 2 n ) q 2 n · ( 2 n 1 ) ( 2 n q + 1 )
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Zhang, P. GCM Variants with Robust Initialization Vectors. Mathematics 2023, 11, 4888. https://doi.org/10.3390/math11244888

AMA Style

Zhang P. GCM Variants with Robust Initialization Vectors. Mathematics. 2023; 11(24):4888. https://doi.org/10.3390/math11244888

Chicago/Turabian Style

Zhang, Ping. 2023. "GCM Variants with Robust Initialization Vectors" Mathematics 11, no. 24: 4888. https://doi.org/10.3390/math11244888

APA Style

Zhang, P. (2023). GCM Variants with Robust Initialization Vectors. Mathematics, 11(24), 4888. https://doi.org/10.3390/math11244888

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop