
GCM SIV

AES-GCM-SIV

  • Better nonce-reuse resistance than AES-GCM: a repeated nonce under the same key reveals only whether two (AAD, plaintext) pairs were identical, instead of leaking the XOR of the plaintexts and the GHASH key (which permits forgeries) as it does in GCM.

AES-GCM-SIV derives two distinct keys (an authentication key and an encryption key) from the key and the nonce, then uses POLYVAL (a close relative of GHASH) over the AAD and the plaintext with the first key. The nonce is XORed into that POLYVAL output, the top bit is cleared, and the block is encrypted with the second key to produce the tag. The tag (with its top bit set) is then used as the initial counter block for a series of AES inputs that, when encrypted with the second key, are XORed with the blocks of the message (basically counter mode). This is MAC-then-encrypt with the tag doubling as a synthetic IV: encrypting the same plaintext and AAD twice under the same key and nonce gives the same ciphertext, and that equality is all a nonce reuse reveals. The cost is two passes over the plaintext, so encryption cannot stream output before the whole message has been hashed, and decryption must finish the counter-mode pass before the tag can be checked.

https://www.imperialviolet.org/2017/05/14/aesgcmsiv.html
https://news.ycombinator.com/item?id=19693434

It is the same idea as AES-SIV (RFC 5297), but the CMAC-based S2V step is replaced by POLYVAL, so the AES-NI and carry-less multiply hardware acceleration that GCM relies on applies to GCM-SIV as well.
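The description above carried through as a complete AES-GCM-SIV implementation following RFC 8452. This is an added example, not code from the original page or from the linked posts. It uses the `cryptography` package only for raw single-block AES; key derivation, POLYVAL, the tag computation and the tag-seeded counter mode are written out so each step of the construction is visible. The key and nonce in the demo are the RFC 8452 Appendix C.1 test values; the plaintexts and AAD are constructed for the example, and the `keystream_reused` helper is ours, added to show the nonce-reuse property.

```python
"""AES-GCM-SIV (RFC 8452) step by step, with AES blocks from `cryptography`; reference code, not constant-time."""
import struct
from hmac import compare_digest
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# POLYVAL field: GF(2^128) mod x^128 + x^127 + x^126 + x^121 + 1; a 16-byte element is
# read as a little-endian integer, bit i being the coefficient of x^i.
_POLY = (1 << 128) | (1 << 127) | (1 << 126) | (1 << 121) | 1

def _aes_block(key, block):
    """Raw single-block AES (one ECB block)."""
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(block) + enc.finalize()

def _dot(a, b):
    """RFC 8452 dot(a, b) = a * b * x^-128: carry-less multiply, reduce, divide by x 128 times."""
    r = 0
    for i in range(128):
        if (b >> i) & 1:
            r ^= a << i
    for i in range(255, 127, -1):
        if (r >> i) & 1:
            r ^= _POLY << (i - 128)
    for _ in range(128):
        if r & 1:
            r ^= _POLY
        r >>= 1
    return r

def polyval(h, data):
    """POLYVAL(H, X_1..X_n): S_j = dot(S_{j-1} xor X_j, H) with S_0 = 0."""
    hi, s = int.from_bytes(h, "little"), 0
    for i in range(0, len(data), 16):
        s = _dot(s ^ int.from_bytes(data[i:i + 16], "little"), hi)
    return s.to_bytes(16, "little")

def derive_keys(key, nonce):
    """First 8 bytes of AES(key, le32(i) || nonce): i = 0,1 -> authentication key,
    i = 2,3 (AES-128) or 2..5 (AES-256) -> encryption key."""
    if len(nonce) != 12 or len(key) not in (16, 32):
        raise ValueError("AES-GCM-SIV needs a 12-byte nonce and a 16- or 32-byte key")
    halves = [_aes_block(key, struct.pack("<I", i) + nonce)[:8] for i in range(6)]
    return b"".join(halves[0:2]), b"".join(halves[2:2 + len(key) // 8])

def _tag(auth_key, enc_key, nonce, aad, plaintext):
    """POLYVAL over padded AAD, padded plaintext and the bit-length block; XOR in the
    nonce, clear the top bit, encrypt once under the encryption key."""
    if max(len(aad), len(plaintext)) >= 2 ** 36:
        raise ValueError("input exceeds the RFC 8452 length limit")
    pad = lambda b: b + b"\x00" * (-len(b) % 16)
    length_block = struct.pack("<QQ", len(aad) * 8, len(plaintext) * 8)
    s = bytearray(polyval(auth_key, pad(aad) + pad(plaintext) + length_block))
    for i in range(12):
        s[i] ^= nonce[i]
    s[15] &= 0x7F
    return _aes_block(enc_key, bytes(s))

def _ctr(enc_key, tag, data):
    """Counter mode seeded by the tag (top bit set); the first 32 bits count up little-endian."""
    counter, out = bytearray(tag), bytearray()
    counter[15] |= 0x80
    for i in range(0, len(data), 16):
        keystream = _aes_block(enc_key, bytes(counter))
        out += bytes(x ^ y for x, y in zip(data[i:i + 16], keystream))
        counter[0:4] = struct.pack("<I", (struct.unpack("<I", counter[0:4])[0] + 1) & 0xFFFFFFFF)
    return bytes(out)

def encrypt(key, nonce, plaintext, aad=b""):
    """MAC first, then CTR with the tag as synthetic IV; returns ciphertext || tag."""
    auth_key, enc_key = derive_keys(key, nonce)
    tag = _tag(auth_key, enc_key, nonce, aad, plaintext)
    return _ctr(enc_key, tag, plaintext) + tag

def decrypt(key, nonce, ciphertext, aad=b""):
    """Decrypt under the received tag, recompute the tag over the plaintext, compare in constant time."""
    if len(ciphertext) < 16:
        raise ValueError("ciphertext shorter than the tag")
    auth_key, enc_key = derive_keys(key, nonce)
    body, tag = ciphertext[:-16], ciphertext[-16:]
    plaintext = _ctr(enc_key, tag, body)
    if not compare_digest(_tag(auth_key, enc_key, nonce, aad, plaintext), tag):
        raise ValueError("authentication failed")
    return plaintext

def keystream_reused(key, nonce, p1, p2, aad=b""):
    """True if c1 XOR c2 == p1 XOR p2, i.e. the same keystream was used (GCM's nonce-reuse leak)."""
    c1, c2 = encrypt(key, nonce, p1, aad), encrypt(key, nonce, p2, aad)
    n = min(len(p1), len(p2))
    return bytes(a ^ b for a, b in zip(c1[:n], c2[:n])) == bytes(a ^ b for a, b in zip(p1[:n], p2[:n]))

if __name__ == "__main__":
    # Key and nonce from RFC 8452 Appendix C.1; the plaintexts and AAD are constructed here.
    key, nonce = bytes.fromhex("01000000000000000000000000000000"), bytes.fromhex("030000000000000000000000")
    ct = encrypt(key, nonce, b"attack at dawn", b"hdr")
    print("ciphertext || tag:", ct.hex())
    print("decrypted:", decrypt(key, nonce, ct, b"hdr"))
    print("keystream reused across a repeated nonce:", keystream_reused(key, nonce, b"attack at dawn", b"attack at dusk", b"hdr"))
```

Two things to notice when reading it against the description: `encrypt` has to finish `_tag` over the whole plaintext before `_ctr` can start, which is the no-streaming cost of SIV; and `decrypt` has to run the whole counter-mode pass before the tag can be verified, so the recovered plaintext must not be released before `compare_digest` succeeds. Check the implementation against the other RFC 8452 Appendix C vectors before relying on it for anything.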

Implementation

A rough sketch using the author's helper objects `aes` (constructed elsewhere with the key, which this page does not show) and `GMAC`. Note that the steps run in GCM's order (counter mode first, then GMAC over the ciphertext, then encrypt the MAC output); in GCM-SIV the MAC is computed over the plaintext first and the counter block is derived from the tag, as described above.

# `aes` (holding the AES key) and `GMAC` are assumed helpers from the author's
# library; neither is defined on this page.
message = b"\x00" * 16

# Derive the GHASH key H = AES_K(0^128) by encrypting a null block
auth_key = aes.ecb_encryption(b"\x00" * 16)
gmac = GMAC(auth_key)

# IV is 96 bits (12 bytes)
iv = bytes.fromhex("000000000000000000000000")
# Encrypt the plaintext in counter mode
ciphertext = aes.ctr_encryption(iv, message)

# GMAC over the ciphertext with the IV as additional authenticated data (AAD),
# so that a changed IV changes the MAC (argument order aad, data assumed)
tag_iv = gmac.digest(iv, ciphertext)

# Encrypt the MAC output as a single block to form the tag (in GCM-SIV this
# encrypted tag also seeds the counter mode)
tag = aes.ecb_encryption(tag_iv)

print(f"auth_key: {auth_key.hex()}, tag_iv: {tag_iv.hex()}, iv: {iv.hex()}, ciphertext: {ciphertext.hex()}, tag: {tag.hex()}")
# Output recorded on the page for a key that is not shown:
# auth_key: aa1908ba6ab97a18ea6349b72eb1ba15, tag_iv: 00000000000000000000000000000000, iv: 000000000000000000000000, ciphertext: aa1908ba6ab97a18ea6349b72eb1ba15, tag: d387e6b9293ead8758976e85dd9e064b