Recently, the UK National Cyber Security Centre (NCSC) introduced two authenticated encryption schemes, GLEVIAN and VIGORNIAN (ePrint 2023/1379). They claimed that these constructions achieve nonce-misuse resistance and security under release of unverified plaintext, both in the multi-user setting and in the standard cipher model. Despite their efforts to deliver a simple description with a simple proof, their bottom-up description of the schemes looks overwhelming and misses details (such as the order of subkeys). In this work, we aim to give context to the schemes: we present them in an alternative top-down interpretation, most importantly with a compact description of their umbrella mode VIGLEVORNIAN, clarify certain unexplained design choices, and observe various aspects where the schemes could have been designed more efficiently. Based on these observations, we present a new authenticated encryption mode, overlineVIGLEVORNIAN, that is designed to (i) resemble the UK NCSC description as much as possible while (ii) being more efficient without any sacrifice in security and (iii) using weaker security assumptions (universality of the underlying hash function and PRP-security of the underlying block cipher). We demonstrate that our new umbrella mode overlineVIGLEVORNIAN and its two variants overlineGLEVIAN and overlineVIGORNIAN not only outperform the two UK NCSC modes, but also the comparable block cipher based nonce-misuse resistant authenticated encryption schemes in literature (GCM-SIV and aaa-bbb-ddd).
Bart Mennink (Mon,) studied this question.