1. 9
  1. 4

    Summary: The AES-GCM encryption algorithm has become popular because it provides authenticated encryption (no need to use additional HMAC and no risk of improper HMAC causing trouble) with good performance.

    One requirement of AES-GCM is that you must never reuse the nonce because when two different plaintexts are encrypted with the same key and nonce, the whole encryption may get horribly broken. While this “no nonce reuse” is a strict requirement of AES-GCM, it goes without saying that when something can be misused, it will most certainly be misused.

    The new AES-GCM-SIV addresses this. Even when two plaintext messages are encrypted with the same key and nonce, the only information to be revealed is whether those two plaintexts are identical or not.

    Google’s security expert Adam Langley is one of the authors. In his tweet, he says AES-GCM-SIV would have decent performance too: About 75–90% of AES-GCM.