GCM with Strong Secure Tags (GCM-SST) for AES and Rijndael-256-256

John Preuß Mattsson

Dec 22, 2024, 1:09:58 PM
to ciphermodes-forum

Hi,


We made quite a lot of updates to GCM-SST, which was presented at the 2023 Accordion workshop:

- Changed name to Strong Secure Tags to better illustrate that GCM-SST is intended to improve security for all tag lengths.

- Added that GCM-SST is designed for unicast security protocols with replay protection.

- Introduced invocation constraints Q_MAX and V_MAX.

- Updated info on ETSI and 3GPP standardization of GCM-SST.

- Added Rijndael-256-256 in addition to just AES.

- Significantly updated the security considerations.

- Added formulas for expected number of forgeries.

- Added 96- and 112-bit tags with A_MAX and P_MAX that make them behave like ideal tags in unicast QUIC.

- New section comparing AES-GCM-SST with ChaCha20-Poly1305 and AES-GCM.


   +============+=======+==============+=============+=================+
   | Name       |    Tag|      Forgery |     Forgery | Expected number |
   |            | length|  probability | probability |    of forgeries |
   |            |(bytes)|       before | after first |                 |
   |            |       |        first |     forgery |                 |
   |            |       |      forgery |             |                 |
   +============+=======+==============+=============+=================+
   | GCM_SST_14 |     14|    1 / 2^112 |   1 / 2^112 |       v / 2^112 |
   +------------+-------+--------------+-------------+-----------------+
   | GCM_SST_12 |     12|     1 / 2^96 |    1 / 2^96 |        v / 2^96 |
   +------------+-------+--------------+-------------+-----------------+
   | POLY1305   |     16|     1 / 2^91 |    1 / 2^91 |        v / 2^91 |
   +------------+-------+--------------+-------------+-----------------+
   | GCM        |     16|    1 / 2^116 |           1 |  δ v^2 / 2^117 |
   +------------+-------+--------------+-------------+-----------------+

Table 3: Comparison between AES-GCM-SST, ChaCha20-Poly1305, and AES-GCM in unicast QUIC, where the maximum packet size is 65536 bytes.


No changes to the test vectors; the main algorithm is the same.

https://www.ietf.org/archive/id/draft-mattsson-cfrg-aes-gcm-sst-13.html


Inoue, Jha, Mennink, and Minematsu proved that GCM-SST is a provably secure authenticated encryption mode, with security guaranteed for evaluations under fresh nonces, even if some earlier nonces have been reused.

https://eprint.iacr.org/2024/1928.pdf


I think the idea of Nyberg, Gilbert, and Robshaw [2] of using two keys, which is used in GCM-SST [3] and in all other universal hash functions in mobile networks, should be used for the new Poly-MACs presented by Degabriele, Gilcher, Govinden and Paterson at the 2024 Accordion workshop.

https://csrc.nist.gov/csrc/media/Presentations/2024/universal-hash-designs-for-an-accordion-mode/images-media/sess-7-degabriele-acm-workshop-2024.pdf


I think it is important to strive for MACs that behave like ideal MACs. Users and implementors of cryptography expect algorithms to behave like ideal MACs. Universal hash functions can be designed to behave like ideal MACs in unicast security protocols with replay protection.

https://mailarchive.ietf.org/arch/msg/cfrg/uTqtQ7u5WWKNv7vBQCBHC178_AQ/


Cheers,

John Preuß Mattsson

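Added example (not part of the post above, and not the draft's reference code): a small Python sketch of the two-key polynomial-hash tag construction that GCM-SST builds on, with a single-key GCM-style tag beside it for contrast. The hash output is multiplied by a second, independent key Q and masked with a per-nonce block M before truncation. The field representation, the key derivation (HMAC-SHA256 standing in for the AES/Rijndael block-cipher calls), the padding and the byte order are assumptions chosen for readability, so the output does not reproduce the draft's test vectors.

```python
"""Two-key polynomial-hash tag in the style of GCM-SST (constructed example).

Assumptions, not the GCM-SST specification: big-endian integer encoding of
field elements, zero-padding of partial blocks, and HMAC-SHA256 as a
stand-in PRF for the block cipher that derives the per-nonce subkeys.
"""
import hashlib
import hmac
import struct

# GF(2^128) with GCM's irreducible polynomial x^128 + x^7 + x^2 + x + 1.
# Elements are Python ints whose bits are the polynomial coefficients.
_R = (1 << 128) | 0x87


def gf_mul(a: int, b: int) -> int:
    """Carry-less multiply a*b and reduce modulo the field polynomial."""
    assert 0 <= a < (1 << 128) and 0 <= b < (1 << 128)
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a >> 128:          # degree reached 128: subtract the modulus
            a ^= _R
        b >>= 1
    return p


def _blocks(data: bytes):
    """Yield 16-byte blocks as ints, zero-padding the final partial block."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\x00"), "big")


def poly_hash(h: int, aad: bytes, ct: bytes) -> int:
    """Horner evaluation of (aad || ct || bit lengths) at hash key h."""
    acc = 0
    for blk in _blocks(aad):
        acc = gf_mul(acc ^ blk, h)
    for blk in _blocks(ct):
        acc = gf_mul(acc ^ blk, h)
    lengths = int.from_bytes(struct.pack(">QQ", len(aad) * 8, len(ct) * 8), "big")
    return gf_mul(acc ^ lengths, h)


def derive_subkeys(key: bytes, nonce: bytes):
    """Derive per-nonce (H, Q, M). Assumption: HMAC-SHA256 in place of the
    block-cipher calls a real AES/Rijndael instantiation would use."""
    h, q, m = (
        int.from_bytes(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()[:16], "big")
        for i in range(3)
    )
    return h, q, m


def tag_two_key(key: bytes, nonce: bytes, aad: bytes, ct: bytes, tag_len: int = 12) -> bytes:
    """Two-key tag: hash under H, multiply by independent Q, mask with M, truncate."""
    h, q, m = derive_subkeys(key, nonce)
    s = poly_hash(h, aad, ct)
    full = gf_mul(s, q) ^ m
    return full.to_bytes(16, "big")[:tag_len]


def tag_one_key(key: bytes, nonce: bytes, aad: bytes, ct: bytes, tag_len: int = 12) -> bytes:
    """GCM-style single-key tag for contrast: hash under H, mask with M, truncate."""
    h, _q, m = derive_subkeys(key, nonce)
    full = poly_hash(h, aad, ct) ^ m
    return full.to_bytes(16, "big")[:tag_len]


def verify_two_key(key: bytes, nonce: bytes, aad: bytes, ct: bytes, t: bytes) -> bool:
    """Constant-time comparison against a freshly computed two-key tag."""
    return hmac.compare_digest(tag_two_key(key, nonce, aad, ct, len(t)), t)


if __name__ == "__main__":
    k, n = bytes(range(32)), bytes(12)           # constructed sample key and nonce
    t = tag_two_key(k, n, b"header", b"ciphertext bytes")
    print(t.hex(), verify_two_key(k, n, b"header", b"ciphertext bytes", t))
```

The single-key variant is included only to make the structural difference visible: in tag_one_key the truncated tag is a truncation of the hash plus a mask, while in tag_two_key every bit of the truncated tag depends on the full hash through the multiplication by Q. The forgery bounds quoted in the table above are for the real GCM-SST construction, not for this sketch.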