crypto-lab-nonce-guard

AES-GCM vs AES-GCM-SIV — nonce misuse resistance compared

A — The Nonce Problem

A1 — What is a nonce?

A nonce (number used once) in AEAD schemes is a per-encryption value that must be unique for every encryption under the same key. It does not need to be secret. AES-GCM uses a 96-bit nonce (12 bytes). The security proof assumes the nonce is never reused.

NIST SP 800-38D calls it an Initialization Vector (IV); RFC 5116 calls it a nonce — same concept.

96-BIT NONCE (12 BYTES)

A2 — Why nonce reuse breaks AES-GCM

Level 1 — Keystream reuse (confidentiality failure)

AES-GCM encrypts by XORing plaintext with a keystream derived from (key, nonce, counter). If the same (key, nonce) pair is used twice:

C₁ = P₁ ⊕ KS
C₂ = P₂ ⊕ KS
C₁ ⊕ C₂ = P₁ ⊕ P₂

The attacker recovers the XOR of the two plaintexts — which often recovers both plaintexts in practice.

Level 2 — Authentication key recovery (integrity failure)

AES-GCM's authentication tag uses a polynomial hash over GF(2¹²⁸) with a key H = AES_K(0¹²⁸). When the same nonce is reused, the attacker can solve for H algebraically from two (ciphertext, tag) pairs. Once H is known, the attacker can forge valid authentication tags for arbitrary ciphertexts — total integrity failure.

tag = GHASH_H(AAD, C) ⊕ E_K(nonce ‖ 0³¹1)

GHASH_H uses H directly, making H recovery from two equations over GF(2¹²⁸) a solvable linear algebra problem.

A3 — The SIV construction (RFC 8452)

AES-GCM-SIV uses a synthetic IV approach:

Derive a message-specific authentication key and encryption key from the (key, nonce)
Compute a tag over the plaintext using POLYVAL (a GF(2¹²⁸) variant defined in RFC 8452)
Use that tag as the IV for AES-CTR encryption

The IV is derived from the plaintext itself. If the same (key, nonce) pair encrypts two different plaintexts, the two IVs differ. Nonce reuse degrades to leaking only whether two plaintexts were identical — not the keystream, not the authentication key.

256-bit Master Key + 96-bit Nonce

Key Derivation (AES-CTR)

128-bit Auth Key (H)

256-bit Encryption Key

POLYVAL(H, AAD, plaintext) ⊕ nonce → Tag

Tag (with MSB cleared) = Synthetic IV → AES-CTR Encryption

B — Live Nonce Reuse Attack Demo

Message 1

Message 2

Use same nonce (attack scenario)

🔓 AES-GCM Vulnerable

Click "Encrypt Both" to begin

🔒 AES-GCM-SIV Resistant

Click "Encrypt Both" to begin

C — Synthetic IV Construction Visualizer

C1 — Key Derivation

AES-GCM-SIV derives per-message keys from the master key and nonce:

256-bit Master Key + 96-bit Nonce

AES-CTR(counter=0) → 128-bit Auth Key

AES-CTR(counter=1,2) → 256-bit Encryption Key

C2 — POLYVAL Authentication

POLYVAL is a GF(2¹²⁸) polynomial hash defined in RFC 8452, using a different field representation than GHASH. The key distinction: POLYVAL's authentication key H is derived per-message from the (key, nonce) pair, not fixed per-key as in AES-GCM's GHASH.

tag = AES_K(POLYVAL(H, AAD, plaintext) ⊕ nonce) & clear MSB

C3 — Tag-as-IV (Interactive)

The 128-bit POLYVAL tag becomes the synthetic IV after clearing one bit (preventing CTR counter overflow into tag space). Changing any byte of plaintext completely changes the tag and therefore the IV.

Enter a message to see the SIV tag change:

D — When to Use Which

D1 — Comparison Table

Comparison of AES-GCM and AES-GCM-SIV properties
Property	AES-GCM	AES-GCM-SIV
Standard	NIST SP 800-38D	RFC 8452
Nonce size	96 bits	96 bits
Nonce reuse consequence	Key recovery + full plaintext XOR	Identical plaintext detection only
Performance	~1 pass	~2 passes (extra POLYVAL)
FIPS approved	Yes	No (as of 2024)
Hardware acceleration	AES-NI + PCLMULQDQ	AES-NI + PCLMULQDQ
Online encryption	Yes	No — must buffer full plaintext
Deployed in	TLS 1.3, QUIC, IPsec	Google internal, QUIC experiments
Recommendation	✅ Nonce uniqueness guaranteed	✅ Nonce uniqueness uncertain

D2 — Decision Guidance

Scenario 1 — Single server, sequential encryption

AES-GCM with a counter nonce is safe. Nonce uniqueness is easy to guarantee. No need for SIV overhead.

Scenario 2 — Distributed system, multiple encryptors

Coordinating nonces across servers is error-prone. AES-GCM-SIV degrades gracefully on accidental reuse. Use SIV or use random 96-bit nonces with AES-GCM (collision risk is low at < 2³² messages per key).

Scenario 3 — Key wrapping and key storage

AES-GCM-SIV is designed for this — short messages, repeated access to the same key, nonce coordination difficult. Google's Tink library uses it for key wrapping.

D3 — Honest Limitations of AES-GCM-SIV

Not FIPS-approved — cannot use in FIPS 140-2/3 contexts
No online encryption — must have full plaintext before starting (not suitable for streaming)
Slightly slower — the extra POLYVAL pass costs roughly 10–20% throughput
Not yet widely deployed — operational experience is thin compared to AES-GCM