1. Introduction

The Galois Counter Mode (GCM) of operation introduced by McGrew and Viega is a very famous authenticated encryption (AE) mode [1]. Due to its friendly hardware implementation, superior software performance, no patent, and provable security, it has been widely used in high-speed network application environments. For example, GCM with the Advanced Encryption Standard (AES) has been used in IETF Transport Layer Security protocol TLS 1.3. Now, GCM has been included in the recommendations of NIST, ISO/IEC, IEEE, and IETF. As GCM is widely deployed, the CAESAR competition takes it as the baseline algorithm, which further promotes the research of GCM. There exist a large number of research results related to GCM [1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16].

GCM is a nonce-based AE mode. It takes a nonce as an extra input and requires that the nonce used in the encryption oracle is distinct (nonce-respecting setting). If the nonce length is restricted to 96 bits, GCM is provably birthday-bound secure up to approximately $2^{n/2}$ adversarial queries in the nonce-respecting setting [3,5], where n is the block-size of the underlying block cipher.

However, the nonce-respecting assumption does not fit the actual situation. The nonce is often misused in real life, bringing serious security threats. Joux found that, if the nonce is misused, then the hash key of GCM can be leaked and the leaked hash key can be utilized to achieve a universal forgery attack [2]. To settle the nonce misuse problem of GCM at little cost, Gueron and Lindell introduced a nonce-misuse-resistant AE (NMAE or MRAE) scheme GCM-SIV at CCS 2015 [11]. GCM-SIV covers GCM components and follows the SIV approach by Rogaway and Shrimpton [17]. In fact, as the syntax and the security model of NMAE became formalized, more and more NMAE schemes were proposed, such as [11,12,13,14,15,16,17,18,19,20,21,22,23]. GCM-SIV is just the first NMAE scheme that introduces SIV into GCM. GCM-SIV is proven secure even if the nonce is repeated. In 2016, Iwata and Minematsu pointed out that there exists a trivial distinguishing attack with approximately $2^{(n-k)/2}$ adversarial queries in GCM-SIV, where k is the bits of keys, and then presented an improved variant of GCM-SIV, called GCM-SIV1, which is proven secure up to $2^{n/2}$ (birthday bound) adversarial queries in the nonce misuse setting [12]. Furthermore, they considered a stronger security bound, and then proposed beyond-birthday-bound (BBB)-secure GCM-SIVr schemes that combine $r\ge 2$ instances of GCM-SIV1. BBB indicates that cryptographic schemes can resist beyond $O\left(2^{n/2}\right)$ adversarial queries. The BBB-secure AE schemes are very rich, such as CHM [24], GCM-SIVr [12], SCT [20], ZAE [21], and PFBw [25]. GCM-SIVr is proven BBB-secure against $O\left(2^{\frac{rn}{r+1}}\right)$ adversarial queries in the nonce misuse setting. Later, an updated variant of GCM-SIV called AES-GCM-SIV was proposed by Gueron et al., and AES-GCM-SIV was eventually accepted as a recommended standardization of IETF Crypto Forum Research Group [13,15]. Iwata and Seurin also made some important contributions to the promotion of standardization. They pointed out the problems in the earlier version, corrected them, and gave some suggestions for improving the key derivation function [14]. These problems and suggestions are accepted to further improve AES-GCM-SIV [15]. Unlike GCM-SIV, AES-GCM-SIV utilizes a key derivation function to generate the hash key and the encryption key, utilizes POLYVAL instead of GHASH, and invokes the full authentication tag as an initial counter. At Eurocrypt 2018, Bose et al. further considered the multi-user security, faster key derivation, and better bounds of AES-GCM-SIV [16].

Although there exists a large amount of research literature on the nonce misuse setting, the number of nonce misuse is often described vaguely. An effective measure of nonce misuse is the maximum number of its multi-collisions. To specify the level of nonce misuse, Dutta et al. introduced a quantitative index of nonce misuse for message authentication code (MAC) algorithms called the number of faulty nonces [23]. In the faulty nonce setting, a query is called as a faulty query if the nonce in this query is the same as the nonce in the previous queries, i.e., the nonce is re-used. The symbol $\mu$ is usually used to indicate the number of faulty nonces. Therefore, the faulty nonce setting covers nonce-respecting and nonce misuse settings. For an adversary that makes, at most, $\mu$ faulty queries, (1) if $\mu =0$, then the adversary is called a nonce-respecting adversary; (2) if $\mu \ge 1$, then the adversary is called a nonce-misusing adversary. Dutta et al. presented a nonce-based MAC scheme, nEHtM, that ensures BBB security with graceful degradation in the faulty nonce setting [23]. Furthermore, they introduced an nEHtM-based AE scheme, CWC+, whose privacy is optimally secure in the nonce-respecting setting and whose authenticity is BBB-secure with graceful degradation in the faulty nonce setting. To ensure the faulty nonce misuse resistance of privacy and authenticity, Choi et al. introduced the first fully faulty nonce-misuse-resistant AE scheme SCM [22]. It utilizes a hash key and three encryption keys. From the perspective of the security, SCM ensures close-to optimal n-bit security in the nonce-respecting setting and supports graceful BBB security degradation (not only for privacy but also for authenticity) in the faulty nonce setting. In recent years, the research about the faulty nonce-misuse-resistant schemes mainly focuses on MACs [26,27]. This paper aims to introduce the faulty nonce setting to GCM-SIVr, and presents an improved AE scheme that ensures full BBB security with graceful degradation in the faulty nonce setting and utilizes as few keys as possible.

Our Contribution. We focus on the optimization of GCM-SIVr in the faulty nonce setting, and propose an optimal tradeoff between GCM-SIV1 and GCM-SIV2 called GCM-SIV1.5, which ensures full BBB security with graceful degradation in the faulty nonce setting. Specifically, our contribution includes:

• From the point of view of the design, we introduce a BBB-secure sum of permutation (SoP) construction to encryption and authentication parts of GCM-SIV1.5, which makes GCM-SIV1.5 BBB secure. GCM-SIV1.5 follows “MAC-then-Encrypt” (MtE). The authentication part of GCM-SIV1.5 utilizes the construction $F_{B2}^{SoP}$ proposed by Chen et al. [27] to ensure BBB security, and the encryption part of GCM-SIV1.5 is generated by SoP-based counter mode with an initial vector and a nonce $CT{R}^{SoP}$ to provide BBB security. Moreover, to minimize costs of key management and implementation on software and hardware, and to maximize the running speed, GCM-SIV1.5 just utilizes two block cipher keys and a hash key, invokes a hash function and twice plaintext blocks, and generates an authentication tag. More importantly, all encryption operations involving the nonce can be carried out offline, which saves half of the online computing resources.

• From the point of view of the security, we prove that GCM-SIV1.5 enjoys BBB security with graceful degradation in the nonce faulty setting by using mirror theory, alternating events lemma, and the H-coefficient technique. Assuming that the underlying block cipher is a secure pseudorandom permutation (PRP) and the hash function is XOR-universal, then GCM-SIV1.5 is proven secure up to approximately $3n/4$-bit query complexity and approximately n-bit forgery attempts for $\mu$-nonce faulty adversaries with $\mu \le 2^{n/4}$. In the real world, if the underlying block cipher is instantiated with AES-128, then GCM-SIV1.5 achieves, at most, approximately 96-bit security for $\mu$-nonce faulty adversaries with $\mu \le 2^{32}$.

In order to better demonstrate the superiority of our design, we give a fair and thorough comparison between GCM-SIV1.5 and existing typical blockcipher-based AE schemes from the following aspects: the depended assumption (PRP means pseudorandom permutation, PRF means pseudorandom function, TPRP means tweakable PRP, and ICM means ideal cipher model), the number of the encryption keys (#Encryption keys), the number of the hash keys (#Hash keys), the number of the underlying primitive (block cipher) calls (#Primitive calls), the number of the hash calls (#Hash calls), the sizes of the authentication tag and nonce, security bound under the nonce-respecting scenario (NR security), security bound under the nonce misuse scenario (NM security), and graceful degradation. The details are shown in Table 1. Compared with GCM-SIV, GCM-SIV1, GCM-SIV2, and GCM-SIVr, GCM-SIV1.5 utilizes fewer keys, fewer blockcipher and hash calls, and shorter sizes, provides a better security bound, and supports graceful security degradation. Therefore, GCM-SIV1.5 reduces the costs of key management and communication throughput, increases the running speed, and ensures a graceful security. Compared with CWC+, GCM-SIV1.5 provides a better security bound and supports fully faulty nonce misuse resistance and graceful security degradation for both privacy and authenticity. Compared with SCM, GCM-SIV1.5 saves an encryption key, supports offline operations involving the nonce’s encryption, and saves half of the online computing resources. In a word, our design has an excellent comprehensive performance.

The rest of this paper is organized as follows. Section 2 presents some preliminaries. Section 3 introduces mirror theory and its graph description. Section 4 shows the decomposition of nAE security. Section 5 described GCM-SIVr. Section 6 proposes our construction, GCM-SIV1.5. Section 7 derives the security proof. Section 8 concludes this paper.

2. Preliminaries

Notations. Some notations are described in Table 2.

Nonce-Based Authenticated Encryption (nAE). A nonce-based authenticated encryption (nAE) with associated data scheme $\mathsf{\Pi }=(\mathcal{K},\mathcal{E},\mathcal{D})$ consists of an encryption algorithm $\mathcal{E}$ and a decryption algorithm $\mathcal{D}$, where $\mathcal{K}$ is a non-empty set of keys. Let $K\in \mathcal{K}$. The encryption algorithm $\mathcal{E}$ takes a key K, a nonce N, associated data A, and a message M as the input and outputs a ciphertext and an authentication tag $(C,T)={\mathcal{E}}_K(N,A,M)$. The decryption algorithm $\mathcal{D}$ takes a key K, a nonce N, associated data A, a ciphertext C, and an authentication tag T as the input and outputs a message or a reject symbol $M/\perp ={\mathcal{D}}_K(N,A,C,T)$. Here, ${\mathcal{D}}_K(N,A,{\mathcal{E}}_K(N,A,M))=M$.

An nAE adversary $\mathcal{A}$ has access to encryption and decryption oracles $({\mathcal{E}}_K,{\mathcal{D}}_K)$ or random and reject oracles $(\mathrm{\$},\perp )$, whose goal is to distinguish them. The random oracle $ takes $(N,A,M)$ as the input and always outputs random strings $(C,T)\twoheadleftarrow {\{0,1\}}^{\left|M\right|+\left|T\right|}$. The reject oracle ⊥ takes $(N,A,C,T)$ as the input and always outputs a reject symbol ⊥. The nAE advantage of $\mathcal{A}$ against $\mathsf{\Pi }$ is defined as

$\begin{array}{cc}\hfill Ad{v}_{\mathsf{\Pi }}^{nAE}\left(\mathcal{A}\right)& =|Pr[K\twoheadleftarrow \mathcal{K}:{\mathcal{A}}^{{\mathcal{E}}_K,{\mathcal{D}}_K}=1]-Pr[{\mathcal{A}}^{\mathrm{\$},\perp }=1]|.\hfill \end{array}$

We assume that $\mathcal{A}$ makes q encryption queries $(N^1,A^1,M^1),\cdots ,(N^q,A^q,M^q)$ to ${\mathcal{E}}_K$ and returns $(C^1,T^1),\cdots ,(C^q,T^q)$, and then makes $q_v$ forgery attempts $(N^{\prime 1},A^{\prime 1},C^{\prime 1},T^{\prime 1}),\cdots$, $(N^{\prime q_v},A^{\prime q_v},C^{\prime q_v},T^{\prime q_v})$ to ${\mathcal{D}}_K$. For a nonce-based AE scheme, we call an AE query a faulty query if $\mathcal{A}$ has already queried its oracle with the same nonce, and assume that $\mathcal{A}$ can be allowed to make, at most, $\mu$ faulty queries. Then, $\mu =0$ ($N^1,\cdots ,N^q$ are distinct) corresponds to the nonce-respecting setting and $\mu \ge 1$ (there exists at least one collision in $N^1,\cdots ,N^q$) corresponds to the nonce misuse setting.

Nonce-Based Encryption (nE). A nonce-based encryption (nE) scheme $\mathbf{E}=({\mathcal{K}}_{\mathbf{E}},\mathbf{E}-\mathcal{E},\mathbf{E}-\mathcal{D})$ consists of an encryption algorithm $\mathbf{E}-\mathcal{E}$ and a decryption algorithm $\mathbf{E}-\mathcal{D}$. The encryption algorithm $\mathbf{E}-\mathcal{E}$ takes a key $K_{\mathbf{E}}$, a nonce N, associated data A, and a message M as the input and outputs a ciphertext $C=\mathbf{E}-{\mathcal{E}}_{K_{\mathbf{E}}}(N,A,M)$. The decryption algorithm $\mathbf{E}-\mathcal{D}$ takes a key $K_{\mathbf{E}}$, a nonce N, associated data A, and a ciphertext C as the input and outputs a message $M=\mathbf{E}-{\mathcal{D}}_{K_{\mathbf{E}}}(N,A,C)$. Here, $\mathbf{E}-{\mathcal{D}}_{K_{\mathbf{E}}}(N,A,\mathbf{E}-{\mathcal{E}}_{K_{\mathbf{E}}}(N,A,M))=M$.

An nE adversary $\mathcal{A}$ has access to encryption oracle $\mathbf{E}-{\mathcal{E}}_{K_{\mathbf{E}}}$ or a random oracle $, whose goal is to distinguish them. The random oracle $ takes $(N,A,M)$ as the input and always outputs random strings $C\twoheadleftarrow {\{0,1\}}^{\left|C\right|}$. We define the nE-advantage of $\mathcal{A}$ as

$\begin{array}{c}\hfill Ad{v}_{\mathbf{E}}^{nE}\left(\mathcal{A}\right)=|Pr[K_{\mathbf{E}}\twoheadleftarrow {\mathcal{K}}_{\mathbf{E}}:{\mathcal{A}}^{\mathbf{E}-{\mathcal{E}}_{K_{\mathbf{E}}}}=1]-Pr[{\mathcal{A}}^{\mathrm{\$}}=1]|.\end{array}$

Pseudo-Random Function (PRF). Let $F:{\mathcal{K}}_F\times {\{0,1\}}^m\to {\{0,1\}}^n$ be a keyed function, where ${\mathcal{K}}_F$ is a non-empty set of keys. It takes $K\in {\mathcal{K}}_F$ and $X\in {\{0,1\}}^m$ as the input, and returns $Y=F_K\left(X\right)\in {\{0,1\}}^n$. Let $R\twoheadleftarrow Func(m,n)$.

A PRF adversary $\mathcal{A}$ has access to encryption oracle $F_K$ or a random oracle R, whose goal is to distinguish them. The PRF advantage of an adversary $\mathcal{A}$ is defined as

$\begin{array}{c}\hfill Ad{v}_F^{prf}\left(\mathcal{A}\right)=|Pr[K\twoheadleftarrow {\mathcal{K}}_F:{\mathcal{A}}^{F_K}=1]-Pr[{\mathcal{A}}^R=1]|.\end{array}$

Pseudo-Random Permutation (PRP). Let $E:{\mathcal{K}}_E\times {\{0,1\}}^n\to {\{0,1\}}^n$ be a block cipher, where ${\mathcal{K}}_E$ is a non-empty set of keys. It takes a key $K\in {\mathcal{K}}_E$ and a plaintext block $M\in {\{0,1\}}^n$ as the input, and returns a ciphertext block $C=E_K\left(M\right)$. For each key $K\in {\mathcal{K}}_E$, the function $E_K:{\{0,1\}}^n\to {\{0,1\}}^n$ is a permutation, i.e., $E_K\in Perm\left(n\right)$. Let $P\twoheadleftarrow Perm\left(n\right)$.

A PRP adversary $\mathcal{A}$ has access to encryption oracle $E_K$ or a random permutation oracle P, whose goal is to distinguish them. The PRP advantage of an adversary $\mathcal{A}$ is defined as

$\begin{array}{c}\hfill Ad{v}_E^{prp}\left(\mathcal{A}\right)=|Pr[K\twoheadleftarrow {\mathcal{K}}_E:{\mathcal{A}}^{E_K}=1]-Pr[{\mathcal{A}}^P=1]|.\end{array}$

AXU Hash Functions [22,26,27,30]. Let $H:{\mathcal{K}}_H\times {\{0,1\}}^{*}\to {\{0,1\}}^n$ be a hash function, where ${\mathcal{K}}_H$ is a non-empty hash key space. Let L be a hash key randomly drawn from ${\mathcal{K}}_H$. If, for any distinct $x,x^{\prime }\in {\{0,1\}}^{*}$ and $y\in {\{0,1\}}^n$, it holds that

$\begin{array}{c}\hfill Pr[H_L\left(x\right)\oplus H_L\left(x^{\prime }\right)=y]\le ϵ,\end{array}$

Alternating Events Lemma [26,27,30]. For bounding the probability of an alternating event, such as

$\begin{array}{c}\hfill H_L\left(x_i\right)=H_L\left(x_j\right)\wedge H_{L^{\prime }}\left(x_j\right)=H_{L^{\prime }}\left(x_k\right)\wedge H_L\left(x_k\right)=H_L\left(x_l\right),\end{array}$

H-coefficient Technique [31]. Patarin’s H-coefficient technique is one of the very useful approaches to upper bound the distinguishing advantage of a cryptographic scheme. Given a real system X and an ideal system Y, let $\mathcal{A}$ be a deterministic adversary whose goal is distinguish X from Y. $\mathcal{A}$ interacts with X and Y and a series of query–response pairs are recorded as a transcript $\tau$. Let $\mathcal{T}$ be the set of all possible transcripts. Let $X_{re}$ be the random variable interacting with the real system X and $Y_{id}$ be the random variable interacting with the ideal system Y. Then, the H-coefficient lemma is presented as follows.

If an adversary makes q queries to an oracle O and obtains a transcript $\tau =\{(x_1,y_1),$⋯, $(x_q,y_q)\}$, then we say that the oracle O extends the transcript $\tau$ and write it as $O⊢\tau$, i.e., if $O\left(x_i\right)=y_i$ for all $i\in \left[q\right]$, then $O⊢\tau$.

3. Mirror Theory

Patarin’s mirror theory is a vital tool for bounding the number of solutions of affine systems of multivariate equations or non-equations, which can be applied in the security proofs of BBB-secure cryptographic schemes [27,32,33,34,35]. Here, we consider an affine system of bi-variate equations.

Let $G=<V_1,V_2,E,W>$ be a bipartite graph satisfying the following affine system of bi-variate equations $\mathcal{E}$:

$\begin{array}{c}\hfill \left\{\begin{array}{c}{X}_1\oplus Y_1={\lambda }_1\hfill \\ X_2\oplus Y_2={\lambda }_2\hfill \\ \cdots \cdots \cdots \cdots \cdots \hfill \\ X_q\oplus Y_q={\lambda }_q\hfill \end{array}\right.\end{array}$

$\begin{array}{cc}\hfill & V_1=\{X_1,,\cdots ,X_q\},V_2=\{Y_1,\cdots ,Y_q\},\hfill \\ \hfill & E=\{e_i=(X_i,Y_i),i\in \left[q\right]\},\hfill \\ \hfill & W:E\to {\{0,1\}}^n\setminus \left\{0^n\right\},andW\left(e_i\right)={\lambda }_i,i\in \left[q\right].\hfill \end{array}$

We assume that G can be divided into $\alpha$ components with more than two vertexes and $\beta$ components with just two vertexes, i.e., $G=C_1\cup \cdots \cup C_{\alpha }\cup D_1\cup \cdots \cup D_{\beta }$.

For a bipartite graph G, we say that G is good if it satisfies the following conditions:

• Acylic. G must contain no cycle.

• Non-zero path label (NPL). $W\left(\mathcal{P}\right)\ne 0$ for all paths $\mathcal{P}$ with an even length in the graph G, where $W\left(\mathcal{P}\right)={\sum }_{e\in \mathcal{P}}W\left(e\right)$.

4. Decomposition of nAE Security

Namprempre et al. explored the generic composition of nAE and revealed the decomposition of nAE (security) from IV-based or nonce-based encryption and an MAC [36]. Now, let us focus on N3 type nAE schemes.

An N3 type nAE scheme $\mathsf{\Pi }=(\mathcal{K},\mathcal{E},\mathcal{D})$ consists of a PRF $\mathbf{F}$ and an nE scheme $\mathbf{E}$, where $\mathcal{K}$ is the key space, $\mathcal{E}$ is the encryption algorithm, and $\mathcal{D}$ is the decryption algorithm. Given $K=(K_{\mathbf{F}},K_{\mathbf{E}})\stackrel{\mathrm{\$}}{\leftarrow }\mathcal{K}={\mathcal{K}}_{\mathbf{F}}\times {\mathcal{K}}_{\mathbf{E}}$, $\mathcal{E}$ takes $(N,A,M)$ as the input and returns $(C,T)={\mathcal{E}}_K(N,A,M)$. To be specific, first let $T={\mathbf{F}}_{K_{\mathbf{F}}}(N,A,M)$, and then $C=\mathbf{E}-{\mathcal{E}}_{K_{\mathbf{E}}}(N,T,M)$. $\mathcal{D}$ takes $(N,A,C,T)$ as the input and returns $M/\perp ={\mathcal{D}}_K(N,A,C,T)$. To be specific, first let $M=\mathbf{E}-{\mathcal{D}}_{K_{\mathbf{E}}}(N,T,C)$ and $T^{\prime }={\mathbf{F}}_{K_{\mathbf{F}}}(N,A,M)$, and then return M if $T=T^{\prime }$ and ⊥ otherwise.

Type N3 nAE is secure if its tag generation function is a PRF and if the nE scheme is secure [36]. We assume that an adversary $\mathcal{A}$ makes, at most, q encryption queries and $q_v$ forgery attempts; then, the security of $\mathsf{\Pi }$ is shown in the following lemma.

The above lemma shows that the security proofs of nAE schemes are reduced to the security proofs of the PRF and the nE scheme.

5. GCM-SIVr

Let us first review the specification of GCM-SIVr [12], where $r\ge 1$ is an integer. It utilizes a block cipher $E:{\mathcal{K}}_E\times {\{0,1\}}^n\to {\{0,1\}}^n$ and a hash function $H:{\mathcal{K}}_H\times {\{0,1\}}^{*}\to {\{0,1\}}^n$. The encryption algorithm $\mathcal{E}$ of GCM-SIVr takes a key $K=(L_1,\cdots ,L_r,K_1^{\prime },\cdots ,K_{r^2}^{\prime }$, $K_1,\cdots ,K_r)\in {\left({\mathcal{K}}_H\right)}^r\times {\left({\mathcal{K}}_E\right)}^{r^2+r}$, a nonce N, associated data A, and a plaintext M as the input, and returns a ciphertext C and an authentication tag $T=T_1\left|\right|\cdots \left|\right|T_r$, i.e., $(C,T_1\left|\right|\cdots \left|\right|T_r)={\mathcal{E}}_K(N,A,M)$. The decryption algorithm $\mathcal{D}$ of GCM-SIVr takes K, N, A, C, and T as the input, and returns $M/\perp ={\mathcal{D}}_K(N,A,C,T)$. The details are shown in Algorithms 1–5. GCM-SIV1 and GCM-SIV2 are degraded versions of GCM-SIVr when $r=1$ and 2.

6. GCM-SIV1.5

6.1. Specific Description of GCM-SIV1.5

Both GCM-SIV1 and GCM-SIV2 are nonce-based authenticated encryption with associated data modes by combining a PRF and an ivE scheme. GCM-SIV1 enjoys birthday-bound security up to almost $2^{n/2}$ adversarial queries by using an n-bit authentication tag. GCM-SIV2 utilizes two instances of GCM-SIV1 to achieve beyond-birthday-bound (BBB) security by increasing the number of keys, authentication tags, and block ciphers. However, these methods greatly affect the implementation cost and operation efficiency of cryptographic algorithms. In real life, cryptographic algorithms that provide BBB security, as low as possible hardware and software implementation costs, and high enough operational efficiencies are much more desirable.

Given an $ϵ$-AXU-hash function $H:{\mathcal{K}}_H\times \mathcal{N}\times \mathcal{H}\times \mathcal{M}\to {\{0,1\}}^n$ and a block cipher $E:{\mathcal{K}}_E\times {\{0,1\}}^n\to {\{0,1\}}^n$, where ${\mathcal{K}}_H$ and ${\mathcal{K}}_E$ are two non-empty sets of keys, and n is the block-size, we construct a new two-pass parallelizable nAE mode, GCM-SIV1.5. GCM-SIV1.5 is an optimal tradeoff between GCM-SIV1 and GCM-SIV2 for supporting BBB security with graceful degradation, as low as possible hardware and software implementation costs, and high enough operational efficiencies in nonce-faulty settings. We introduce a sum of permutation (SoP) construction to encryption and authentication parts of GCM-SIV1.5, which makes GCM-SIV1.5 BBB-secure. The authentication part of GCM-SIV1.5 is generated by $F_{B_2}^{SoP}$, which ensures BBB security. The encryption part of GCM-SIV1.5 is generated by $CT{R}^{SoP}$ with an initial vector and a nonce, which ensures BBB security.

The overview of GCM-SIV1.5 is illustrated in Figure 1.

GCM-SIV1.5 consists of a key generation algorithm $\mathcal{KG}$, an encryption algorithm $\mathcal{E}$, and a decryption algorithm $\mathcal{D}$. The key generation algorithm $\mathcal{KG}$ takes a key parameter k as the input and returns a key $K=(K_1,K_2,L)$ (two encryption keys $K_1,K_2$ and a hash key L) from an entropy pool of a set of keys $\mathcal{K}=({\mathcal{K}}_E,{\mathcal{K}}_E,{\mathcal{K}}_H)={\{0,1\}}^k$. The encryption algorithm $\mathcal{E}$ takes a key $K=(K_1,K_2,L)$, a nonce N, associated data A, and a plaintext M as the input, invokes the tag generation algorithm $F_{B_2}^{SoP}$ and CTR with the SoP algorithm $CT{R}^{SoP}$, and outputs the corresponding ciphertext and authentication tag $(C,T)={\mathcal{E}}_K(N,A,M)$. The decryption algorithm $\mathcal{D}$ takes a key $K=(K_1,K_2,L)$, a nonce N, associated data A, a ciphertext C, and an authentication tag T as the input, invokes the tag generation algorithm $F_{B_2}^{SoP}$ and CTR with the SoP algorithm $CT{R}^{SoP}$, and outputs the corresponding plaintext M or a reject symbol ⊥, i.e., $M/\perp ={\mathcal{D}}_K(N,A,C,T)$. The key generation, encryption, and decryption algorithms are described in Algorithms 6–8. The tag generation algorithm $F_{B_2}^{SoP}$ and CTR with the SoP algorithm $CT{R}^{SoP}$ are described in Algorithms 9 and 10.

6.2. Security of GCM-SIV1.5

We present the information-theoretic security of GCM-SIV1.5 under the assumption that the underlying block cipher is a secure pseudorandom permutation.

GCM-SIV1.5 is an N3 type nAE scheme (and it can also be seen as an A7 type nAE scheme); therefore, it can be decomposed into a PRF $\mathbf{F}$ and an nE scheme $\mathbf{E}$, where $\mathbf{F}:{\mathcal{K}}_{\mathbf{F}}\times \mathcal{N}\times \mathcal{H}\times \mathcal{M}\to \mathcal{T}$, $\mathbf{E}:{\mathcal{K}}_{\mathbf{E}}\times \mathcal{N}\times \mathcal{T}\times \mathcal{M}\to \mathcal{C}$, ${\mathcal{K}}_{\mathbf{F}}={\mathcal{K}}_H\times {\mathcal{K}}_E\times {\mathcal{K}}_E=\mathcal{K}$, and ${\mathcal{K}}_{\mathbf{E}}={\mathcal{K}}_E\times {\mathcal{K}}_E$.

$\mathbf{F}$ takes a key $K_{\mathbf{F}}=(L,K_1,K_2)\in {\mathcal{K}}_{\mathbf{F}}$, a nonce $N\in \mathcal{N}$, associated data $A\in \mathcal{H}$, and a message $M\in \mathcal{M}$ as the input and returns an authentication tag $T=\mathbf{F}(K_{\mathbf{F}},N,A,M)=F_{B_2}^{SoP}(K,N,A,M)$. $\mathbf{E}$ takes the key $K_{\mathbf{E}}=(K_1,K_2)\in {\mathcal{K}}_{\mathbf{E}}$, the nonce $N\in \mathcal{N}$, the authentication tag $T\in \mathcal{T}$, and the message $M\in \mathcal{M}$ as the input, computes a key-stream $S=CT{R}_{K_{\mathbf{E}}}^{SoP}(N,T,m)$, and then encrypts M to return the corresponding ciphertext $C=\mathbf{E}(K_{\mathbf{E}},N,T,M)=M\oplus ms{b}_{\left|M\right|}\left(S\right)$.

According to Lemma 4, the nAE security of GCM-SIV1.5 can be decomposed into the PRF security of $\mathbf{F}$ and the nE security of $\mathbf{E}$. Therefore, we have the following lemmas.

The security proof of Lemma 5 is the same as that of Theorem 4 in the study by Chen et al. [27]. The security proof of Lemma 6 is shown in Section 7.

By combining Lemmas 4–6, we present the security of GCM-SIV1.5 as follows.

Theorem 1 shows that, if the underlying block cipher E is a secure PRP and $ϵ=2^{-n}$, GCM-SIV1.5 offers BBB nAE security up to approximately $\frac{3n}{4}$-bit query complexity and approximately n-bit forgery attempts for $\mu$-nonce faulty adversaries with $\mu \le 2^{\frac{n}{4}}$.

7. Proofs of Lemma 6

The proof is similar to that of Theorem 4 in Chen et al. [27]. Let $K_1,K_2\twoheadleftarrow {\mathcal{K}}_E$. The adversary $\mathcal{A}$ makes q encryption queries $(N^1,T^1,m^1),\cdots ,(N^q,T^q,m^q)$ to the real world $\mathbf{E}$ or the ideal world R (R is an ideal version of $\mathbf{E}$ and always random strings) and returns $S^1,S^2,\cdots ,S^q$, and then encrypts plaintexts $M^1,\cdots ,M^q$ to obtain ciphertexts $C^1=M^1\oplus ms{b}_{|M^1|}\left(S^1\right),\cdots ,$$C^q=M^q\oplus ms{b}_{|M^q|}\left(S^q\right)$. First, we replace $E_{K_1}$ and $E_{K_2}$ with two independent random permutations $P_1$ and $P_2$, and the replacements cost us $Ad{v}_E^{prp}\left({\mathcal{A}}_1\right)+Ad{v}_E^{prp}\left({\mathcal{A}}_2\right)$, where ${\mathcal{A}}_1$ and ${\mathcal{A}}_2$ are PRP adversaries against the underlying block cipher. Then, we consider $Ad{v}_{\mathbf{E}[P_1,P_2]}^{nE}\left(\mathcal{A}\right)$. Let $\tau =\{(N^1,T^1,m^1,S^1),\cdots ,(N^q,T^q,m^q,S^q)\}$. Let $X_{re}$ be the random variable interacting with the real world $X=\mathbf{E}[P_1,P_2]$ and $Y_{id}$ be the random variable interacting with the ideal world $Y=R$.

For the real world, the transcript with q queries corresponds to the following mirror system of bi-variate equations:

$\begin{array}{c}\hfill {\mathcal{E}}^{=}\left\{\begin{array}{cc}\hfill & P_1(T^1+1)\oplus P_2(N^1\left|\right|{\left[1\right]}_{\frac{n}{4}})=S_1^1\hfill \\ \hfill & P_1(T^1+2)\oplus P_2(N^1\left|\right|{\left[2\right]}_{\frac{n}{4}})=S_2^1\hfill \\ \hfill & \cdots \cdots \cdots \cdots \cdots \hfill \\ \hfill & P_1(T^1+m^1)\oplus P_2(N^1\left|\right|{\left[m^1\right]}_{\frac{n}{4}})=S_{m^1}^1\hfill \\ \hfill & \cdots \cdots \cdots \cdots \cdots \hfill \\ \hfill & P_1(T^q+1)\oplus P_2(N^q\left|\right|{\left[1\right]}_{\frac{n}{4}})=S_1^q\hfill \\ \hfill & P_1(T^q+2)\oplus P_2(N^q\left|\right|{\left[2\right]}_{\frac{n}{4}})=S_2^q\hfill \\ \hfill & \cdots \cdots \cdots \cdots \cdots \hfill \\ \hfill & P_1(T^q+m^q)\oplus P_2(N^q\left|\right|{\left[m^q\right]}_{\frac{n}{4}})=S_{m^q}^q\hfill \end{array}\right.\end{array}$

Let $V_1$ be the set of vertices $X_{1,1},\cdots ,X_{q,m^q}$, $V_2$ be the set of vertices $Y_{1,1},\cdots ,Y_{q,m^q}$, $E=\{e_{i,j}=(X_{i,j},Y_{i,j}),j\in \left[m^i\right],i\in \left[q\right]\}$, and $W:E\to {\{0,1\}}^n$. The above mirror system $\{X_{i,j}\oplus Y_{i,j}={\lambda }_{i,j},j\in \left[m^i\right],i\in \left[q\right]\}$ with a transcript $\tau$ can be described as an undirected weighted bipartite graph $G^{\tau }=<V_1,V_2,E,W>$. As T is random, there exist collisions in $X_{i,j}=P_1(T^i+j)$ for any $j\in \left[m^i\right],i\in \left[q\right]$. Let m be the maximum block of the plaintext. According to the fact that the nonce is $\mu$-fault, $V_2$ is $\mu ·m$-fault.

In order to utilize the mirror theory, we first define a bad transcript.