TY - GEN
T1 - GCM-SIV
T2 - 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015
AU - Gueron, Shay
AU - Lindell, Yehuda
N1 - Publisher Copyright:
© 2015 ACM.
PY - 2015/10/12
Y1 - 2015/10/12
N2 - Authenticated encryption schemes guarantee both privacy and integrity, and have become the default level of encryption in modern protocols. One of the most popular authenticated encryption schemes today is AES-GCM due to its impressive speed. The current CAESAR competition is considering new modes for authenticated encryption that will improve on existing methods. One property of importance that is being considered more today, due to multiple real-life cases of faulty sources of randomness, is that repeating nonces and IVs can have disastrous effects on security. A (full) nonce misuse-resistant authenticated encryption scheme has the property that if the same nonce is used to encrypt the same message twice, then the same ciphertext is obtained and so the fact that the same message was encrypted is detected. Otherwise, full security is obtained, even if the same nonce is used for different messages. In this paper, we present a new fully nonce misuse-resistant authenticated encryption scheme that is based on carefully combining the GCM building blocks into the SIV paradigm of Rogaway and Shrimpton. We provide a full proof of security of our scheme, and an optimized implementation using the AES-NI and PCLMULQDQ instruction sets. We compare our performance to the highly optimized OpenSSL 1.0.2 implementation of GCM and show that our nonce misuse-resistant scheme is only 14% slower on Haswell architecture and 19% slower on Broadwell architecture. On Broadwell, GCM-SIV encryption takes only 0.92 cycles per byte, and GCM-SIV decryption is exactly the same as GCM decryption taking only 0.77 cycles per byte. In addition, we compare to other optimized authenticated-encryption implementations carried out by Bogdanov et al., and conclude that our mode is very competitive. Beyond being very fast, our new mode of operation uses the same building blocks as GCM and so existing hardware and software can be utilized to easily deploy GCM-SIV. We conclude that GCM-SIV is a viable alternative to GCM, providing full nonce misuse-resistance at little cost.
UR - http://www.scopus.com/inward/record.url?scp=84954106001&partnerID=8YFLogxK
U2 - 10.1145/2810103.2813613
DO - 10.1145/2810103.2813613
M3 - Conference contribution
AN - SCOPUS:84954106001
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 109
EP - 119
BT - CCS 2015 - Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
Y2 - 12 October 2015 through 16 October 2015
ER -