Close to Optimally Secure Variants of GCM

The Galois/Counter Mode of operation (GCM) is a widely used nonce-based authenticated encryption with associated data mode which provides the birthday-bound security in the nonce-respecting scenario; that is, it is secure up to about 2n/2 adversarial queries if all nonces used in the encryption oracle are never repeated, where n is the block size. It is an open problem to analyze whether GCM security can be improved by using some simple operations. This paper presents a positive response for this problem. Firstly, we introduce two close to optimally secure pseudorandom functions and derive their security bound by the hybrid technique. Then, we utilize these pseudorandom functions that we design and a universal hash function to construct two improved versions of GCM, called OGCM-1 and OGCM-2. OGCM-1 and OGCM-2 are, respectively, provably secure up to approximately 2n/67(n-1)2 and 2n/67 adversarial queries in the nonce-respecting scenario if the underlying block cipher is a secure pseudorandom permutation. Finally, we discuss the properties of OGCM-1 and OGCM-2 and describe the future works