Resumen
In this paper the security of AEAD mode called the Multilinear Galois Mode (MGM) was analyzed regarding confidentiality property. This mode was originally proposed in CTCrypt 2017. Then it was adopted as a standard AEAD mode in the Russian Standardization system. The MGM plaintext encryption procedure is quite similar to encryption in the counter mode. The main element of the MGM authentication procedure is a multilinear function with secret coefficients produced in the same way as the secret masking blocks used for plaintext encryption. This construction allows keeping such advantages as parallelization, online and availability of precomputations. The report presented at the conference outlined the design principles of the MGM mode from the point of view of providing security. The analysis of the MGM mode was carried out in the paradigm of provable security, in other words, lower security bound was obtained for the IND-CPA notion as a function of the mode parameters and amount of data available to an adversary. This bound shows that the privacy of this mode is provably guaranteed (under security of the used block cipher) up to the birthday paradox bound.