AES-GCM-SIV is designed to preserve both privacy and integrity even if nonces are repeated. To accomplish this, encryption is a function of a nonce, the plaintext message, and optional additional associated data (AAD). In the event a nonce is misused (i.e. used more than once), nothing is revealed except in the case that same message is encrypted multiple times with the same nonce. When that happens, an attacker is able to observe repeat encryptions, since encryption is a deterministic function of the nonce and message. However, beyond that, no additional information is revealed to the attacker. For this reason, AES-GCM-SIV is an ideal choice in cases that unique nonces cannot be guaranteed, such as multiple servers or network devices encrypting messages under the same key without coordination.
Operation
Like Galois/Counter Mode, AES-GCM-SIV combines the well-known counter mode of encryption with the Galois mode of authentication. The key feature is the use of a synthetic initialization vector (SIV) which is computed with Galois field multiplication using a construction called POLYVAL (a little-endian variant of Galois/Counter Mode's GHASH). POLYVAL is run over the combination of nonce, plaintext, and additional data, so that the IV is different for each combination.
POLYVAL is defined over GF(2128) by the polynomial:
Note that GHASH is defined over the "reverse" polynomial:
This change provides efficiency benefits on little-endian architectures.[3]