Misplaced Pages

AES-GCM-SIV

Article snapshot taken from[REDACTED] with creative commons attribution-sharealike license. Give it a read and then ask your questions in the chat. We can research this topic together.
Authenticated encryption mode with resistance against nonce reuse

AES-GCM-SIV is a mode of operation for the Advanced Encryption Standard which provides similar (but slightly worse) performance to Galois/Counter Mode as well as misuse resistance in the event of the reuse of a cryptographic nonce. The construction is defined in RFC 8452.

About

AES-GCM-SIV is designed to preserve both privacy and integrity even if nonces are repeated. To accomplish this, encryption is a function of a nonce, the plaintext message, and optional additional associated data (AAD). In the event a nonce is misused (i.e., used more than once), nothing is revealed except in the case that the same message is encrypted multiple times with the same nonce. When that happens, an attacker is able to observe repeat encryptions, since encryption is a deterministic function of the nonce and message. However, beyond that, no additional information is revealed to the attacker. For this reason, AES-GCM-SIV is an ideal choice in cases that unique nonces cannot be guaranteed, such as multiple servers or network devices encrypting messages under the same key without coordination.

Operation

Like Galois/Counter Mode, AES-GCM-SIV combines the well-known counter mode of encryption with the Galois mode of authentication. The key feature is the use of a synthetic initialization vector (SIV) which is computed with Galois field multiplication using a construction called POLYVAL (a little-endian variant of Galois/Counter Mode's GHASH). POLYVAL is run over the combination of nonce, plaintext, and additional data, so that the IV is different for each combination.

POLYVAL is defined over GF(2) by the polynomial:

x 128 + x 127 + x 126 + x 121 + 1 {\displaystyle x^{128}+x^{127}+x^{126}+x^{121}+1}

Note that GHASH is defined over the "reverse" polynomial:

x 128 + x 7 + x 2 + x + 1 {\displaystyle x^{128}+x^{7}+x^{2}+x+1}

This change provides efficiency benefits on little-endian architectures.

See also

References

  1. "Webpage for the AES-GCM-SIV Mode of Operation". 31 May 2023.
  2. Gueron, S.; Langley, A.; Lindell, Y. (April 2019). AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption. IETF. doi:10.17487/RFC8452. RFC 8452. Retrieved August 14, 2019.
  3. "How we optimized the AES-GCM-SIV encryption algorithm". Archived from the original on 2023-11-18.

External links

Implementations of AES-GCM-SIV are available, among others, in the following languages:

Block ciphers (security summary)
Common
algorithms
Less common
algorithms
Other
algorithms
Design
Attack
(cryptanalysis)
Standardization
Utilization
Cryptographic hash functions and message authentication codes
Common functions
SHA-3 finalists
Other functions
Password hashing/
key stretching functions
General purpose
key derivation functions
MAC functions
Authenticated
encryption
modes
Attacks
Design
Standardization
Utilization
Cryptography
General
Mathematics
Categories: