Nonce‐misuse resilience of Romulus‐N and GIFT‐COFB

Inoue, Akiko; Guo, Chun; Minematsu, Kazuhiko

doi:10.1049/ise2.12110

Cited by 2 publications

(1 citation statement)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…SIV is roughly as efficient as the general two-pass AE modes (such as CCM), but more resilient to nonce misuse [4]. A large number of MRAE designs followed, such as HBS [5], BTM [6], MR-OMD [7], GCM-SIV [8], AES-GCM-SIV [9], GCM-SIV1 [10], GCM-SIV2 [10], CCM-SIV [11], SAEF [12], and GIFT-COFB [13]. Later, Dutta et al refined nonce misuse and introduced a faulty nonce notion to specify the degree of repeated nonce tolerance [14].…”

Section: Introductionmentioning

confidence: 99%

GCM Variants with Robust Initialization Vectors

Zhang

2023

Mathematics

View full text Add to dashboard Cite

The complexity and isomerization of communication networks have put forth new requirements for cryptographic schemes to ensure the operation of network security protocols. Robust cryptographic schemes have been gradually favored. The robust initialization vector (RIV) instead of the synthetic initialization vector (SIV) was first introduced to support strong security and robust authenticated encryption. This paper first introduces RIV to GCM-SIV1, proposes a robust variant, GCM-RIV1, and proves that it ensures birthday-bound subtle AE (SAE) security and nonce-misuse resistance. Then, to support beyond-birthday-bound (BBB) security with graceful degradation, we introduce another, stronger security variant, GCM-RIV2, and prove that it allows gracefully degrading BBB SAE security in the faulty nonce setting. Finally, the performance of GCM-RIV1 and GCM-RIV2 is discussed and compared.

show abstract