GCM-SIV1.5: Optimal Tradeoff between GCM-SIV1 and GCM-SIV2

GCM-SIV2 is a nonce-based beyond-birthday-bound (BBB)-secure authenticated encryption (AE) mode introduced by Iwata and Minematsu at FSE 2017. However, it is built by combining two instances of GCM-SIV1 and needs eight keys, which increases the costs of hardware and software implementation. This paper aims to reduce these costs by optimizing components (such as key materials, hash calls, and block cipher calls) and proposes an optimal tradeoff between GCM-SIV1 and GCM-SIV2 called GCM-SIV1.5. Moreover, we introduce the faulty nonce setting to AE and prove the BBB security of GCM-SIV1.5 with graceful security degradation in the faulty nonce setting by mirror theory. Finally, we discuss advantages of GCM-SIV1.5.


Introduction
The Galois Counter Mode (GCM) of operation introduced by McGrew and Viega is a very famous authenticated encryption (AE) mode [1]. Due to its friendly hardware implementation, superior software performance, no patent, and provable security, it has been widely used in high-speed network application environments. For example, GCM with the Advanced Encryption Standard (AES) has been used in IETF Transport Layer Security protocol TLS 1.3. Now, GCM has been included in the recommendations of NIST, ISO/IEC, IEEE, and IETF. As GCM is widely deployed, the CAESAR competition takes it as the baseline algorithm, which further promotes the research of GCM. There exist a large number of research results related to GCM [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16].
GCM is a nonce-based AE mode. It takes a nonce as an extra input and requires that the nonces used in the encryption oracle are distinct (nonce-respecting setting). If the nonce length is restricted to 96 bits, GCM is provably birthday-bound secure up to approximately 2^{n/2} adversarial queries in the nonce-respecting setting [3,5], where n is the block-size of the underlying block cipher.
However, the nonce-respecting assumption does not fit the actual situation. The nonce is often misused in real life, bringing serious security threats. Joux found that, if the nonce is misused, the hash key of GCM can be leaked, and the leaked hash key can be used to mount a universal forgery attack [2]. To settle the nonce misuse problem of GCM at little cost, Gueron and Lindell introduced a nonce-misuse-resistant AE (NMAE or MRAE) scheme, GCM-SIV, at CCS 2015 [11]. GCM-SIV reuses GCM components and follows the SIV approach of Rogaway and Shrimpton [17]. In fact, as the syntax and the security model of NMAE became formalized, more and more NMAE schemes were proposed, such as [11][12][13][14][15][16][17][18][19][20][21][22][23]. GCM-SIV is just the first NMAE scheme that introduces SIV into GCM. GCM-SIV is proven secure even if the nonce is repeated. In 2016, Iwata and Minematsu pointed out that there exists a trivial distinguishing attack on GCM-SIV with approximately 2^{(n−k)/2} adversarial queries, where k is the key length in bits, and then presented an improved variant of GCM-SIV, called GCM-SIV1, which is proven secure up to 2^{n/2}

1.
From the point of view of the design, we introduce a BBB-secure sum of permutations (SoP) construction into the encryption and authentication parts of GCM-SIV1.5, which makes GCM-SIV1.5 BBB secure. GCM-SIV1.5 follows "MAC-then-Encrypt" (MtE). The authentication part of GCM-SIV1.5 uses the construction F^{SoP}_{B2} proposed by Chen et al. [27] to ensure BBB security, and the encryption part of GCM-SIV1.5 is generated by the SoP-based counter mode with an initial vector and a nonce, CTR^{SoP}, to provide BBB security. Moreover, to minimize the costs of key management and of software and hardware implementation, and to maximize the running speed, GCM-SIV1.5 uses only two block cipher keys and one hash key, makes one hash call and two block cipher calls per plaintext block, and generates one authentication tag. More importantly, all encryption operations involving the nonce can be carried out offline, which saves half of the online computing resources.

2.
From the point of view of the security, we prove that GCM-SIV1.5 enjoys BBB security with graceful degradation in the faulty nonce setting by using mirror theory, the alternating events lemma, and the H-coefficient technique. Assuming that the underlying block cipher is a secure pseudorandom permutation (PRP) and the hash function is XOR-universal, GCM-SIV1.5 is proven secure up to approximately 3n/4-bit query complexity and approximately n-bit forgery attempts for µ-nonce faulty adversaries with µ ≤ 2^{n/4}. In the real world, if the underlying block cipher is instantiated with AES-128, then GCM-SIV1.5 achieves, at most, approximately 96-bit security for µ-nonce faulty adversaries with µ ≤ 2^{32}.
In order to better demonstrate the superiority of our design, we give a fair and thorough comparison between GCM-SIV1.5 and existing typical blockcipher-based AE schemes from the following aspects: the underlying assumption (PRP means pseudorandom permutation, PRF means pseudorandom function, TPRP means tweakable PRP, and ICM means ideal cipher model), the number of encryption keys (#Encryption keys), the number of hash keys (#Hash keys), the number of calls to the underlying primitive (block cipher) (#Primitive calls), the number of hash calls (#Hash calls), the sizes of the authentication tag and nonce, the security bound in the nonce-respecting scenario (NR security), the security bound in the nonce misuse scenario (NM security), and graceful degradation. The details are shown in Table 1. Compared with GCM-SIV, GCM-SIV1, GCM-SIV2, and GCM-SIVr, GCM-SIV1.5 uses fewer keys, fewer block cipher and hash calls, and shorter tag and nonce sizes, provides a better security bound, and supports graceful security degradation. Therefore, GCM-SIV1.5 reduces the costs of key management and communication throughput, increases the running speed, and ensures graceful security. Compared with CWC+, GCM-SIV1.5 provides a better security bound and supports fully faulty nonce misuse resistance and graceful security degradation for both privacy and authenticity. Compared with SCM, GCM-SIV1.5 saves an encryption key, supports offline computation of the encryptions involving the nonce, and saves half of the online computing resources. In a word, our design has an excellent comprehensive performance.

Table 1. Comparison between GCM-SIV1.5 and existing typical nonce-based AE schemes, where PRP means pseudorandom permutation, PRF means pseudorandom function, TPRP means tweakable PRP, ICM means ideal cipher model, # means counting, m is the number of plaintext blocks, a is the number of associated data blocks, and n is the block-size of the underlying primitive.
(The tabular body of Table 1, with rows for OCB3 [28], GCM-SIV2 [12], and the other compared schemes, did not survive extraction; its footnotes follow.)
1. The hash key is the encryption key.
2. The hash function is realized by invoking the underlying primitive a times.
3. The encryption key is generated by invoking a key derivation function.
4. The hash key is generated by invoking a key derivation function.
5. The hash key is generated from the encryption key.
6. This security bound is just that of authenticity. The privacy of CWC+ is insecure in the nonce misuse setting.
The rest of this paper is organized as follows. Section 2 presents some preliminaries. Section 3 introduces mirror theory and its graph description. Section 4 shows the decomposition of nAE security. Section 5 describes GCM-SIVr. Section 6 proposes our construction, GCM-SIV1.5. Section 7 derives the security proof. Section 8 concludes this paper.

Preliminaries
Notations. Some notations are described in Table 2.

Table 2. Descriptions of notations.

⊕: the bitwise exclusive or (XOR)
+: addition modulo 2^n
·: multiplication over the finite field
||: concatenation of strings
{0, 1}^*: the set of all strings (including the empty string)
{0, 1}^n: the set of all strings of bit-length n
Perm(n): the set of all permutations on n-bit strings
Func(m, n): the set of all functions from m-bit inputs to n-bit outputs
K ←$ K: the key K randomly sampled from the key space K
A^O = 1: the event that an adversary A outputs 1 after interacting with the oracle O
[i]_m: the m-bit binary representation of an integer i
[r]: the set of consecutive integers {1, 2, ..., r}
|X|: the number of elements in the set X
(2^n)_q: 2^n · (2^n − 1) ··· (2^n − q + 1)

Nonce-Based Authenticated Encryption (nAE).
A nonce-based authenticated encryption (nAE) with associated data scheme Π = (K, E, D) consists of an encryption algorithm E and a decryption algorithm D, where K is a non-empty set of keys. Let K ∈ K. The encryption algorithm E takes a key K, a nonce N, associated data A, and a message M as the input and outputs a ciphertext and an authentication tag (C, T) = E_K(N, A, M). The decryption algorithm D takes a key K, a nonce N, associated data A, a ciphertext C, and an authentication tag T as the input and outputs a message or a reject symbol, M/⊥ = D_K(N, A, C, T). Here, D_K(N, A, E_K(N, A, M)) = M. An nAE adversary A has access either to the encryption and decryption oracles (E_K, D_K) or to the random and reject oracles ($, ⊥), and its goal is to distinguish them. The random oracle $ takes (N, A, M) as the input and always outputs random strings (C, T) ←$ {0, 1}^{|M|+|T|}. The reject oracle ⊥ takes (N, A, C, T) as the input and always outputs the reject symbol ⊥. The nAE advantage of A against Π is defined as
We assume that A makes q encryption queries (N_1, A_1, M_1), ..., (N_q, A_q, M_q) to E_K and receives (C_1, T_1), ..., (C_q, T_q), and then makes q_v forgery attempts (N_1,
For a nonce-based AE scheme, we call an AE query a faulty query if A has already queried its oracle with the same nonce, and we assume that A is allowed to make at most µ faulty queries. Then µ = 0 (N_1, ..., N_q are distinct) corresponds to the nonce-respecting setting and µ ≥ 1 (there is at least one collision among N_1, ..., N_q) corresponds to the nonce misuse setting.

Nonce-Based Encryption (nE).
consists of an encryption algorithm E-E and a decryption algorithm E-D. The encryption algorithm E-E takes a key K_E, a nonce N, associated data A, and a message M as the input and outputs a ciphertext C = E-E_{K_E}(N, A, M). The decryption algorithm E-D takes a key K_E, a nonce N, associated data A, and a ciphertext C as the input and outputs a message
An nE adversary A has access either to the encryption oracle E-E_{K_E} or to a random oracle $, and its goal is to distinguish them. The random oracle $ takes (N, A, M) as the input and always outputs random strings C ←$ {0, 1}^{|C|}. We define the nE advantage of A as

Pseudo-Random Function (PRF). Let
where K_F is a non-empty set of keys. It takes K ∈ K_F and X ∈ {0, 1}^m as the input and returns Y = F_K(X) ∈ {0, 1}^n. Let R ←$ Func(m, n). A PRF adversary A has access either to the oracle F_K or to the random function oracle R, and its goal is to distinguish them. The PRF advantage of an adversary A is defined as

Pseudo-Random Permutation (PRP). Let
where K_E is a non-empty set of keys. It takes a key K ∈ K_E and a plaintext block M ∈ {0, 1}^n as the input and returns a ciphertext block C = E_K(M). For each key K ∈ K_E, the function E_K : {0, 1}^n → {0, 1}^n is a permutation, i.e., E_K ∈ Perm(n). Let P ←$ Perm(n). A PRP adversary A has access either to the oracle E_K or to the random permutation oracle P, and its goal is to distinguish them. The PRP advantage of an adversary A is defined as

AXU Hash Functions
then H is called almost XOR universal (ε-AXU). If ε = 2^{−n}, H is called an XOR universal (XU) hash function.
Alternating Events Lemma [26,27,30]. The alternating events lemma is a vital technique in security proofs for bounding the probability of an alternating event.
Lemma 1 (Alternating Events Lemma [26,27,30]). Let q_i, q_j, q_k, q_l, q be such that q_i, q_j, q_k, q_l ≤ q. Let X^q = (X_1, ..., X_q) be a q-tuple of random variables, and let X^{q_i}, , let E_{i,j} be events associated with X_i ∈ X^{q_i} and X_j ∈ X^{q_j}, possibly dependent, which all hold with probability at most .
, let F_{i,j,k,l} be events associated with X_i ∈ X^{q_i}, X_j ∈ X^{q_j}, X_k ∈ X^{q_k}, and X_l ∈ X^{q_l}, which all hold with probability at most . Moreover, the collection of events

H-coefficient Technique [31].
Patarin's H-coefficient technique is a very useful approach for upper bounding the distinguishing advantage against a cryptographic scheme. Given a real system X and an ideal system Y, let A be a deterministic adversary whose goal is to distinguish X from Y. A interacts with X or Y, and the series of query-response pairs is recorded as a transcript τ. Let T be the set of all possible transcripts. Let X_re be the random variable interacting with the real system X and Y_id be the random variable interacting with the ideal system Y. Then, the H-coefficient lemma is presented as follows.
If an adversary makes q queries to an oracle O and obtains a transcript τ = {(x_1, y_1), ..., (x_q, y_q)}, then we say that the oracle O extends the transcript τ and write it as O τ,

Mirror Theory
Patarin's mirror theory is a vital tool for bounding the number of solutions of affine systems of multivariate equations and non-equations, and it can be applied in the security proofs of BBB-secure cryptographic schemes [27,32,33,34,35]. Here, we consider an affine system of bi-variate equations.
Let G = <V_1, V_2, E, W> be a bipartite graph satisfying the following affine system of bi-variate equations E:
∈ {0, 1}^n for any i and j, and let the vertex sets V_1, V_2, the edge set E, and the weight (label) function W be
We assume that G can be divided into α components with more than two vertices and β components with just two vertices, i.e.,
For a bipartite graph G, we say that G is good if it satisfies the following conditions:
• Acyclic. G contains no cycle.
• Non-zero path label (NPL). W(P) ≠ 0 for every path P of even length in G, where W(P) = ∑_{e∈P} W(e).

Lemma 3 (Bipartite Graph Description of Mirror Theory [27,35]). Let G = <V_1, V_2, E, W> be a good bipartite graph induced by E, with |V_1| = q′ ≤ q, |V_2| = q″ ≤ q, and |E| = q. Let q_c be the total number of edges in components with more than two vertices. Then, the number of solutions to E chosen from {0, 1}^n is at least

Decomposition of nAE Security
Namprempre et al. explored the generic composition of nAE and revealed the decomposition of nAE (security) into IV-based or nonce-based encryption and a MAC [36]. Now, let us focus on N3 type nAE schemes.
An N3 type nAE scheme Π = (K, E, D) consists of a PRF F and an nE scheme E, where K is the key space, E is the encryption algorithm, and D is the decryption algorithm.
An N3 type nAE scheme is secure if its tag generation function is a PRF and the nE scheme is secure [36]. We assume that an adversary A makes at most q encryption queries and q_v forgery attempts; then, the security of Π is given by the following lemma.
Lemma 4 (Decomposition of nAE Security [36]). Let F : K_F × N × H × M → T be a tag generation function and E : K_E × N × T × M → C be an nE scheme, where T = {0, 1}^τ. Let Π = (K, E, D) be the N3 type nAE scheme constructed from F and E. Let A be an nAE adversary. Then, there are two adversaries B and C such that
The above lemma shows that the security proofs of nAE schemes reduce to the security proofs of the PRF and the nE scheme.

Algorithm 3
The decryption algorithm: D
Input: a key K, a nonce N, associated data A, a ciphertext C, and a tag T
Output: a plaintext M or ⊥

Algorithm 4
GHASH algorithm: GHASH_L(A, M)
Input: a key L, associated data A, and a plaintext M
Output: a hash value h
A^+ ← A || 0^{n−|A| mod n}, M^+ ← M || 0^{n−|M| mod n}

Algorithm 5
CTR algorithm: CTR_K(T, m)
Input: a key K, an initial vector T, and the number of plaintext blocks m
Output: a key stream S
S_1 ← E_K(T)
for i = 2 to m do
    S_i ← E_K(T + i − 1)
end for
return S = S_1 || ··· || S_m

GCM-SIV1.5

Specific Description of GCM-SIV1.5
Both GCM-SIV1 and GCM-SIV2 are nonce-based authenticated encryption with associated data modes built by combining a PRF and an ivE scheme. GCM-SIV1 enjoys birthday-bound security up to almost 2^{n/2} adversarial queries with an n-bit authentication tag. GCM-SIV2 uses two instances of GCM-SIV1 to achieve beyond-birthday-bound (BBB) security at the price of more keys, authentication tags, and block cipher calls. However, these methods greatly affect the implementation cost and operating efficiency of the cryptographic algorithm. In practice, cryptographic algorithms that provide BBB security, hardware and software implementation costs as low as possible, and high enough operating efficiency are much more desirable.
Given an ε-AXU hash function H : K_H × N × H × M → {0, 1}^n and a block cipher E : K_E × {0, 1}^n → {0, 1}^n, where K_H and K_E are two non-empty sets of keys and n is the block-size, we construct a new two-pass parallelizable nAE mode, GCM-SIV1.5. GCM-SIV1.5 is an optimal tradeoff between GCM-SIV1 and GCM-SIV2, supporting BBB security with graceful degradation, hardware and software implementation costs as low as possible, and high enough operating efficiency in faulty nonce settings. We introduce a sum of permutations (SoP) construction into the encryption and authentication parts of GCM-SIV1.5, which makes GCM-SIV1.5 BBB-secure. The authentication part of GCM-SIV1.5 is generated by F^{SoP}_{B2}, which ensures BBB security. The encryption part of GCM-SIV1.5 is generated by CTR^{SoP} with an initial vector and a nonce, which ensures BBB security.
The overview of GCM-SIV1.5 is illustrated in Figure 1. GCM-SIV1.5 consists of a key generation algorithm KG, an encryption algorithm E, and a decryption algorithm D. The key generation algorithm KG takes a key parameter k as the input and returns a key K = (K_1, K_2, L) (two encryption keys K_1, K_2 and a hash key L) sampled from the key space K = (K_E, K_E, K_H) = {0, 1}^k. The encryption algorithm E takes a key K = (K_1, K_2, L), a nonce N, associated data A, and a plaintext M as the input, invokes the tag generation algorithm F^{SoP}_{B2} and the CTR with SoP algorithm CTR^{SoP}, and outputs the corresponding ciphertext and authentication tag (C, T) = E_K(N, A, M). The decryption algorithm D takes a key K = (K_1, K_2, L), a nonce N, associated data A, a ciphertext C, and an authentication tag T as the input, invokes the tag generation algorithm
and the CTR with SoP algorithm CTR^{SoP} are described in Algorithms 9 and 10.

Algorithm 6
The key generation algorithm: KG
Input: a key parameter k
Output: a key K = (K_1,

Algorithm 7
The encryption algorithm: E
Input: a key K = (K_1, K_2, L), a nonce N, associated data A, and a plaintext M
Output: a ciphertext C and a tag T

Algorithm 8
The decryption algorithm: D
Input: a key K = (K_1, K_2, L), a nonce N, associated data A, a ciphertext C, and a tag T
Output: a plaintext M or ⊥

Algorithm 10
CTR with SoP algorithm: CTR^{SoP}_{K_1,K_2}(N, T, m)
Input: a key K = (K_1, K_2), a nonce N, an initial vector T, and the number of plaintext blocks m
Output: a key stream S
for

We present the information-theoretic security of GCM-SIV1.5 under the assumption that the underlying block cipher is a secure pseudorandom permutation.
GCM-SIV1.5 is an N3 type nAE scheme (it can also be seen as an A7 type nAE scheme); therefore, it can be decomposed into a PRF F and an nE scheme E, where F :
F takes a key K_F = (L, K_1, K_2) ∈ K_F, a nonce N ∈ N, associated data A ∈ H, and a message M ∈ M as the input and returns an authentication tag T = F(K_F, N, A, M) = F^{SoP}_{B2}(K, N, A, M). E takes the key K_E = (K_1, K_2) ∈ K_E, the nonce N ∈ N, the authentication tag T ∈ T, and the message M ∈ M as the input, computes a key stream S = CTR^{SoP}_{K_E}(N, T, m), and then encrypts M to return the corresponding ciphertext
According to Lemma 4, the nAE security of GCM-SIV1.5 can be decomposed into the PRF security of F and the nE security of E. Therefore, we have the following lemmas.
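As an added illustration (my own Go code, not the paper's or any reference implementation), the following instantiates Algorithm 5 and the CTR^{SoP} key stream with AES-128 (n = 128, hence a 96-bit nonce and a 32-bit counter) and shows that the E_{K2} half depends only on the nonce and can be computed before the plaintext and the tag exist. Since Algorithm 10 is truncated on the page, the SoP form S^j = E_{K1}(T + j) ⊕ E_{K2}(N || [j]_{n/4}) is read off bad event B1 of the proof and is an assumption, as are the sample keys, the nonce, and the stand-in tag.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

const n = 16 // block size in bytes: n = 128 bits for AES-128

// addMod returns t + k mod 2^n, reading the block as a big-endian integer
// (the "+" of the paper's notation table).
func addMod(t []byte, k uint64) []byte {
	out := make([]byte, n)
	copy(out, t)
	for i := n - 1; i >= 0 && k != 0; i-- {
		sum := uint64(out[i]) + (k & 0xff)
		out[i] = byte(sum)
		k = (k >> 8) + (sum >> 8)
	}
	return out
}

// ctr is Algorithm 5 (GCM-SIV1's CTR): S_1 = E_K(T), S_i = E_K(T + i - 1).
// Every block cipher call depends on T, so all of them happen online.
func ctr(e cipher.Block, t []byte, m int) []byte {
	s, blk := make([]byte, 0, m*n), make([]byte, n)
	for i := 1; i <= m; i++ {
		e.Encrypt(blk, addMod(t, uint64(i-1)))
		s = append(s, blk...)
	}
	return s
}

// nonceStream is the nonce half of CTR^SoP: E_{K2}(N || [j]_{n/4}), j = 1..m,
// for a 3n/4-bit nonce and an n/4-bit counter. It needs only K2 and N, so it
// can be computed offline, before the plaintext and the tag T exist.
func nonceStream(e2 cipher.Block, nonce []byte, m int) []byte {
	if len(nonce) != n-n/4 {
		panic("nonce must be 3n/4 bits")
	}
	s, in, blk := make([]byte, 0, m*n), make([]byte, n), make([]byte, n)
	copy(in, nonce)
	for j := 1; j <= m; j++ {
		binary.BigEndian.PutUint32(in[n-n/4:], uint32(j)) // [j]_{n/4}
		e2.Encrypt(blk, in)
		s = append(s, blk...)
	}
	return s
}

// ctrSoP assumes S^j = E_{K1}(T + j) XOR E_{K2}(N || [j]_{n/4}), the shape implied
// by bad event B1 of the proof (Algorithm 10 is truncated on the page). The IV half
// is Algorithm 5 started at T + 1; offline may carry a nonceStream computed earlier.
func ctrSoP(e1, e2 cipher.Block, nonce, t []byte, m int, offline []byte) []byte {
	if offline == nil {
		offline = nonceStream(e2, nonce, m)
	}
	return xorBytes(ctr(e1, addMod(t, 1), m), offline)
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// encrypt returns C = M XOR msb_{|M|}(S), as in the nE part of GCM-SIV1.5.
func encrypt(msg, s []byte) []byte { return xorBytes(msg, s[:len(msg)]) }

func main() {
	// Constructed sample keys, nonce and tag; not test vectors from the paper.
	e1, _ := aes.NewCipher(bytes.Repeat([]byte{0x11}, 16))
	e2, _ := aes.NewCipher(bytes.Repeat([]byte{0x22}, 16))
	nonce, msg := []byte("twelve_bytes"), []byte("GCM-SIV1.5 key stream demo")
	m := (len(msg) + n - 1) / n
	offline := nonceStream(e2, nonce, m)  // precomputed before M is known
	tag := bytes.Repeat([]byte{0xab}, 16) // stands in for F^SoP_B2(N, A, M)
	fmt.Printf("C = %x\n", encrypt(msg, ctrSoP(e1, e2, nonce, tag, m, offline)))
}
```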

Lemma 5. Let A be a µ-fault adversary and H_L be ε-AXU. Let µ ≤ q^{1/3}. If A makes at most q ≤ 2^{3n/4} queries, then there exist adversaries A_1 and A_2 with the same query complexity against the block cipher E such that Adv^{prf}
Lemma 6. Let A be a µ-fault adversary that makes at most q ≤ 2^{3n/4} queries and generates at most σ blocks, let µ ≤ q^{1/3}, and let m be the maximum number of plaintext blocks; then, there exist adversaries A_1 and A_2 with the same query complexity against the block cipher E such that
The security proof of Lemma 5 is the same as that of Theorem 4 in Chen et al. [27]. The security proof of Lemma 6 is given in Section 7.
By combining Lemmas 4-6, we present the security of GCM-SIV1.5 as follows.
Theorem 1. Let A be a µ-fault adversary and H_L be ε-AXU. Let µ ≤ q^{1/3} and let m be the maximum number of plaintext blocks. If A makes at most q ≤ 2^{3n/4} queries and generates at most σ blocks, then there exist adversaries A_1 and A_2 with the same query complexity against the block cipher E such that
Theorem 1 shows that, if the underlying block cipher E is a secure PRP and ε = 2^{−n}, GCM-SIV1.5 offers BBB nAE security up to approximately 3n/4-bit query complexity and approximately n-bit forgery attempts for µ-nonce faulty adversaries with µ ≤ 2^{n/4}.

Proofs of Lemma 6
The proof is similar to that of Theorem 4 in Chen et al. [27]. Let K_1, K_2 ←$ K_E. The adversary A makes q encryption queries (N_1, T_1, m_1), ..., (N_q, T_q, m_q) to the real world E or the ideal world R (R is an ideal version of E that always returns random strings) and receives S_1, S_2, ..., S_q, and then encrypts plaintexts M_1, ..., M_q to obtain ciphertexts C_1 = M_1 ⊕ msb_{|M_1|}(S_1), ..., C_q = M_q ⊕ msb_{|M_q|}(S_q). First, we replace E_{K_1} and E_{K_2} with two independent random permutations P_1 and P_2; the replacement costs Adv^{prp}_E(A_1) + Adv^{prp}_E(A_2), where A_1 and A_2 are PRP adversaries against the underlying block cipher. Then, we consider Adv^{nE}_{E[P_1,P_2]}(A). Let τ = {(N_1, T_1, m_1, S_1), ..., (N_q, T_q, m_q, S_q)}. Let X_re be the random variable interacting with the real world X = E[P_1, P_2] and Y_id be the random variable interacting with the ideal world Y = R.
In order to utilize the mirror theory, we first define a bad transcript.

Definition 1 (Bad Transcript).
A transcript τ is called bad if one of the following events occurs:
• G_τ contains a cycle of length 2 or a path of length 2 whose weight is zero.
  - B1: There exist distinct i, k ∈ [q] such that X_{i,j} = X_{k,l} and Y_{i,j} = Y_{k,l}, where j ∈ [m_i], l ∈ [m_k], i.e., T_i + j = T_k + l and N_i || [j]_{n/4} = N_k || [l]_{n/4} (which implies j = l).
  - B2: There exist distinct i, k ∈ [q] such that X_{i,j} = X_{k,l} and λ_{i,
(which implies j = l) and S_i^j ⊕ S_k^l = 0.
• G_τ contains a path of length 4 starting at the Y-shore, or a path of length 4 starting at the X-shore whose weight is zero (this condition covers the case that G_τ contains a cycle of length 4 or a path of length 4 whose weight is zero).
  - B4: There exist distinct i, k, w, y ∈ [q] such that Y_{i,j} = Y_{k,l}, X_{k,l} = X_{w,x}, and
• The number of edges in components with more than two vertices is q_c ≥ q_c. On average, each vertex in these components is associated with two edges; we assume that this is evenly amortized over the two vertex sets of the bipartite graph.
Next, we upper bound the probability of bad transcripts in the ideal world.
For B1, the probability that T_i + j = T_k + l holds for any fixed i, j, k, l is 2^{−n}, and the number of pairs (i, k) with N_i || [j]_{n/4} = N_k || [l]_{n/4} is at most µ^2, where j ∈ [m_i], l ∈ [m_k]; then we have
For B2, the probability that T_i + j = T_k + l holds for any fixed i, j, k, l is 2^{−n}, and the probability that S_i^j ⊕ S_k^l = 0 holds for any fixed i, j, k, l is 2^{−n}; then we have
For B3, the probability that S_i^j ⊕ S_k^l = 0 holds for any fixed i, j, k, l is 2^{−n}, and the number of pairs (i, k) with N_i || [j]_{n/4} = N_k || [l]_{n/4} is at most µ^2, where j ∈ [m_i], l ∈ [m_k]; then we have
For B4, the probability that T_k + l = T_w + x holds for any fixed k, l, w, x is 2^{−n}, and the number of tuples (i, k, w, y) such that for any fixed i = k, w = y is at most 4µ^2 (as the number of queries using any repeated nonce is at most 2µ); then we have
For B5, let F_{i,j,k,l,w,x,y,z} : λ_{i,j} ⊕ λ_{k,l} ⊕ λ_{w,x} ⊕ λ_{y,z} = 0; the probability that E_{i,j,k,l} : T_i + j = T_k + l holds for any fixed i, j, k, l is 2^{−n} (the same holds for E_{w,x,y,z} : T_w + x = T_y + z), and the probability that F_{i,j,k,l,w,x,y,z} holds for any fixed i, j, k, l, w, x, y, z is 2^{−n}. By the alternating events lemma and σ = mq, we have
For B6, by Markov's inequality, the probability of B6 is upper bounded by
In order to obtain 3n/4-bit security, we choose q_c = 4σ^{2/3}. Then,
For B7, as µ^2 < q^{2/3} ≤ σ^{2/3} = q_c/4, the probability of B7 is upper bounded by
To summarize, the probability of bad transcripts is
Then, we consider the ratio Pr[X = τ]/Pr[Y = τ] between the real world X and the ideal world Y for a good transcript. In a good transcript, G_τ satisfies (1) acyclic, (2) NPL, and (3) q_c ≤ q_c = 4σ^{2/3}.
Let q′ = |V_1| and q″ = |V_2|; by the mirror theory, the number of solutions is at least
In the real world X, we have
In the ideal world Y, we have
Therefore, the ratio between Pr[X = τ] and Pr[Y = τ] is
This completes the proof of Lemma 6.
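To make the goodness conditions of Section 3 (acyclic, NPL) and the bad-transcript events above concrete, here is an added Go example (my own, not from the paper) that builds G_τ from a toy transcript and checks both conditions together with q_c, the edge count of components with more than two vertices. The vertex mapping X = T_i + j, Y = N_i || [j]_{n/4}, W = S_i^j follows bad event B1; the small integer labels and query values are constructed stand-ins for n-bit strings.

```go
package main

import "fmt"

// Query is one nE encryption query: nonce N_i, IV/tag T_i and the returned
// key-stream blocks S_i^1..S_i^{m_i}, with uint64 stand-ins for n-bit values.
type Query struct {
	N string
	T uint64
	S []uint64
}

// Edge is one block as the mirror-theory equation P1(X) XOR P2(Y) = W with
// X = T_i + j (integer sum), Y = N_i || [j]_{n/4} (string), W = S_i^j.
type Edge struct {
	X, Y string
	W    uint64
}

func edgesOf(qs []Query) []Edge {
	var es []Edge
	for _, q := range qs {
		for j, w := range q.S { // counter value is j+1
			es = append(es, Edge{fmt.Sprint(q.T + uint64(j) + 1), fmt.Sprintf("%s|%d", q.N, j+1), w})
		}
	}
	return es
}

// checkTranscript walks G_tau component by component and returns the two
// goodness conditions plus q_c (the quantity bounded by bad event B6). Vertices
// are keyed "X:"+name or "Y:"+name; phi[v] is the XOR of labels on the tree path
// from the root, so an even-length path u..v on one shore weighs phi[u]^phi[v].
func checkTranscript(edges []Edge) (acyclic, npl bool, qc int) {
	adj := map[string][]int{}
	for i, e := range edges {
		adj["X:"+e.X] = append(adj["X:"+e.X], i)
		adj["Y:"+e.Y] = append(adj["Y:"+e.Y], i)
	}
	acyclic, npl = true, true
	phi, parent := map[string]uint64{}, map[string]int{}
	for root := range adj {
		if _, seen := phi[root]; seen {
			continue
		}
		phi[root], parent[root] = 0, -1
		comp, visits, seenPhi := []string{root}, 0, map[string]bool{}
		for k := 0; k < len(comp); k++ {
			u := comp[k]
			key := fmt.Sprintf("%c:%d", u[0], phi[u]) // (shore, potential)
			if seenPhi[key] {
				npl = false // two same-shore vertices with equal phi: zero-weight path
			}
			seenPhi[key] = true
			for _, ei := range adj[u] {
				visits++
				v := "Y:" + edges[ei].Y
				if u[0] == 'Y' {
					v = "X:" + edges[ei].X
				}
				if _, ok := phi[v]; ok {
					if parent[u] != ei { // non-tree edge to a visited vertex
						acyclic = false
					}
					continue
				}
				phi[v], parent[v] = phi[u]^edges[ei].W, ei
				comp = append(comp, v)
			}
		}
		if len(comp) > 2 {
			qc += visits / 2 // each edge is visited once from each endpoint
		}
	}
	return
}

func main() {
	// Constructed toy transcripts, not from the paper: the same nonce under two
	// different IVs yields a 3-vertex component; equal labels there break NPL.
	good := []Query{{"a", 100, []uint64{5}}, {"a", 300, []uint64{6}}}
	bad := []Query{{"a", 100, []uint64{5}}, {"a", 300, []uint64{5}}}
	fmt.Println(checkTranscript(edgesOf(good)))
	fmt.Println(checkTranscript(edgesOf(bad)))
}
```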

Discussions and Conclusions
GCM-SIV1.5 is one of the favored generic nAE constructions described in [36], which combines a PRF F and an nE or ivE scheme E. Here, the PRF F is the BBB-secure F^{SoP}_{B2} scheme and the nE scheme E is the BBB-secure CTR^{SoP} scheme. GCM-SIV1.5 offers an optimal tradeoff between GCM-SIV1 and GCM-SIV2, supporting BBB security, implementation costs as low as possible, and high enough operating efficiency. From the perspective of security strength, if the underlying block cipher E is a secure PRP and ε = 2^{−n}, GCM-SIV1.5 offers approximately 3n/4-bit nAE security against µ-fault nonce-misusing adversaries and supports graceful security degradation, which is better than GCM-SIV1 and GCM-SIV2. From the perspective of implementation costs, compared with GCM-SIV2 and GCM-SIVr, GCM-SIV1.5 uses fewer keys (just two block cipher keys and a hash key) and has lower storage and communication costs or throughput (just an n-bit authentication tag). From the perspective of operating efficiency, GCM-SIV1.5 uses just one hash function call and two block cipher calls per plaintext block. More importantly, all encryption operations involving the nonce can be carried out offline, which saves half of the online computing resources. To sum up, our design achieves the optimal tradeoff among GCM-SIV and GCM-SIVr in terms of security strength, implementation costs, and software performance.
In order to further demonstrate the superiority of our design, Table 1 shows a fair and thorough comparison between GCM-SIV1.5 and other similar schemes. Compared with CWC+, GCM-SIV1.5 provides a better security bound and supports fully faulty nonce misuse resistance, but its number of encryption keys and number of block cipher calls are slightly inferior. Compared with SCM, GCM-SIV1.5 saves an encryption key, supports offline computation of the encryptions involving the nonce, and saves half of the online computing resources, but other aspects, such as the number of block cipher calls, nonce size, and security bound, are slightly inferior. Besides that, SCM uses finite field multiplications in the encryption part, although these multiplications can be computed quickly using the doubling technique; our design uses only XOR and finite field addition operations.
GCM-SIV1.5 uses three keys. A natural future direction is to reduce the number of keys and obtain a single-key BBB-secure variant. Besides that, GCM-SIV1.5 makes two block cipher calls per plaintext block. Another future direction is to decrease the number of block cipher invocations and improve operating efficiency. Our security bound requires µ ≤ 2^{n/4}. We leave the case µ > 2^{n/4} as an open problem.

Informed Consent Statement: Not applicable.

Data Availability Statement:
The data used to support the findings of the study are available within the article.