Matematicheskie Voprosy Kriptografii [Mathematical Aspects of Cryptography]

Mat. Vopr. Kriptogr., 2023 Volume 14, Issue 3, Pages 49–73 (Mi mvk446)

On the security of authenticated encryption mode with associated data MGM with respect to confidentiality threat

L. R. Akhmetzyanova^a, E. K. Alekseev^a, G. A. Karpunin^a, V. I. Nozdrunov^b

^a CryptoPro LLC, Moscow
^b Technical Committee for Standardization «Cryptography and Security Mechanisms» (TC 26), Moscow

Abstract: The authenticated encryption mode with associated data MGM was first presented at the CTCrypt'2017 conference and subsequently standardized in documents R 1323565.1.026-2019 of the Russian standardization system and RFC 9058 of the IETF organization. The mode is intended to protect transmitted data in the TLS 1.3 and IPsec protocols with GOST algorithms. In this paper, the security of MGM is estimated in a standard security model used for confidentiality analysis, using a complexity-theoretic approach. In other words, lower security bounds of the mode are obtained assuming the security of the block cipher in the PRP-CPA (PseudoRandom Permutations under Chosen Plaintext Attack) model. The obtained bounds show that MGM provides an acceptable security level for a wide range of practically important parameters.

Key words: MGM, AEAD block cipher modes, authenticated encryption, confidentiality, security bounds.

UDC: 519.719.2

Received 06.II.2019

DOI: 10.4213/mvk446


