Journal of Cryptology, Volume 28, Issue 4, pp 769–795

On Weak Keys and Forgery Attacks Against Polynomial-Based MAC Schemes

  • Gordon Procter
  • Carlos Cid

Abstract

Universal hash functions are commonly used primitives for fast and secure message authentication in the form of message authentication codes or authenticated encryption with associated data schemes. These schemes are widely used and standardised, the best known being McGrew and Viega’s Galois/Counter Mode (GCM). In this paper, we identify some properties of hash functions based on polynomial evaluation that arise from the underlying algebraic structure. As a result, we are able to describe a general forgery attack, of which Saarinen’s cycling attack from FSE 2012 is a special case. Our attack removes the requirement for long messages and applies regardless of the field in which the hash function is evaluated. Furthermore, we provide a common description of all published attacks against GCM, by showing that the existing attacks are the result of these algebraic properties of the polynomial-based hash function. We also greatly expand the number of known weak GCM keys and show that almost every subset of the keyspace is a weak key class. Finally, we demonstrate that these algebraic properties and the corresponding attacks are highly relevant to GCM/\(2^{+}\), a variant of GCM designed to increase efficiency in software.

Keywords

Universal hashing; MAC; Galois/Counter Mode; Cycling attacks; Weak keys

Acknowledgments

We would like to thank Jean Paul Degabriele for the extensive and insightful conversations during the early stages of this work and also Bertfried Fauser for helpful comments regarding the extension to include all two-element subsets as weak key classes. We also thank the anonymous reviewers from FSE 2013 and the Journal of Cryptology. The work described in this paper has been supported in part by the European Commission through the ICT programme under contract ICT-2007-216676 ECRYPT II.

References

  1. K. Aoki, K. Yasuda, The security and performance of “GCM” when short multiplications are used instead, in M. Kutyłowski, M. Yung (eds), Information Security and Cryptology. Lecture Notes in Computer Science, vol. 7763 (Springer, Berlin Heidelberg, 2013), pp. 225–245
  2. E.R. Berlekamp, Factoring polynomials over large finite fields. Math. Comp. 24, 713–735 (1970)
  3. D.J. Bernstein, The Poly1305-AES message-authentication code. Slides from FSE, 2005. http://cr.yp.to/talks/2005.02.21-1/slides.pdf
  4. D.J. Bernstein, Stronger security bounds for Wegman–Carter–Shoup authenticators, in R. Cramer (ed), Advances in Cryptology EUROCRYPT 2005. Lecture Notes in Computer Science, vol. 3494 (Springer, Berlin Heidelberg, 2005), pp. 164–180
  5. D.J. Bernstein, The Poly1305-AES message-authentication code, in H. Gilbert, H. Handschuh (eds), Fast Software Encryption. Lecture Notes in Computer Science, vol. 3557 (Springer, Berlin Heidelberg, 2005), pp. 32–49
  6. J. Bierbrauer, T. Johansson, G. Kabatianskii, B. Smeets, On families of hash functions via geometric codes and concatenation, in D.R. Stinson (ed), Advances in Cryptology CRYPTO ’93. Lecture Notes in Computer Science, vol. 773 (Springer, Berlin Heidelberg, 1994), pp. 331–342
  7. J. Black, S. Halevi, H. Krawczyk, T. Krovetz, P. Rogaway, UMAC: fast and secure message authentication, in M. Wiener (ed), Advances in Cryptology CRYPTO ’99. Lecture Notes in Computer Science, vol. 1666 (Springer, Berlin Heidelberg, 1999), pp. 216–233. Full version available at http://www.cs.ucdavis.edu/rogaway/papers/umac
  8. J. Black, M. Cochran, MAC reforgeability. Cryptology ePrint Archive, Report 2006/095, 2006
  9. J. Black, M. Cochran, MAC reforgeability, in O. Dunkelman (ed), Fast Software Encryption. Lecture Notes in Computer Science, vol. 5665 (Springer, Berlin Heidelberg, 2009), pp. 345–362
  10. G. Brassard, On computationally secure authentication tags requiring short secret shared keys, in D. Chaum, R.L. Rivest, A.T. Sherman (eds), Advances in Cryptology (Springer, US, 1983), pp. 79–86
  11. L. Carlitz, The arithmetic of polynomials in a Galois field. Proc. Natl. Acad. Sci. 17(2), 120–122 (1931)
  12. J.L. Carter, M.N. Wegman, Universal classes of hash functions (extended abstract), in Proceedings of the Ninth Annual ACM Symposium on Theory of Computing, STOC ’77 (ACM, New York, NY, USA, 1977), pp. 106–112
  13. J.L. Carter, M.N. Wegman, Universal classes of hash functions. J. Comput. Syst. Sci. 18(2), 143–154 (1979)
  14. B. den Boer, A simple and key-economical unconditional authentication scheme. J. Comput. Secur. 2, 65–72 (1993)
  15. M. Dworkin, Recommendation for block cipher modes of operation: Galois/counter mode (GCM) and GMAC. NIST Special Publication 800-38D, http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf, Nov 2007
  16. M. Etzel, S. Patel, Z. Ramzan, Square hash: fast message authentication via optimized universal hash functions, in M. Wiener (ed), Advances in Cryptology CRYPTO ’99. Lecture Notes in Computer Science, vol. 1666 (Springer, Berlin Heidelberg, 1999), pp. 234–251
  17. N. Ferguson, Authentication weaknesses in GCM. Comments submitted to NIST Modes of Operation Process, http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf, 2005
  18. E.N. Gilbert, F.J. MacWilliams, N.J.A. Sloane, Codes which detect deception. Bell Sys. Tech. J., Technical Report 3, Mar 1974
  19. S. Halevi, H. Krawczyk, MMH: software message authentication in the Gbit/second rates, in E. Biham (ed), Fast Software Encryption. Lecture Notes in Computer Science, vol. 1267 (Springer, Berlin Heidelberg, 1997), pp. 172–189
  20. H. Handschuh, B. Preneel, Key-recovery attacks on universal hash function based MAC algorithms, in D. Wagner (ed), Advances in Cryptology CRYPTO 2008. Lecture Notes in Computer Science, vol. 5157 (Springer, Berlin Heidelberg, 2008), pp. 144–161
  21. K. Igoe, J. Solinas, AES Galois counter mode for the secure shell transport layer protocol. IETF Request for Comments 5647, http://tools.ietf.org/html/rfc5647, 2009
  22. T. Iwata, K. Ohashi, K. Minematsu, Breaking and repairing GCM security proofs, in R. Safavi-Naini, R. Canetti (eds), Advances in Cryptology CRYPTO 2012. Lecture Notes in Computer Science, vol. 7417 (Springer, Berlin Heidelberg, 2012), pp. 31–49
  23. A. Joux, Authentication failures in NIST version of GCM. Comments submitted to NIST Modes of Operation Process, http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/800-38_Series-Drafts/GCM/Joux_comments.pdf, 2006
  24. T. Kohno, J. Viega, D. Whiting, CWC: a high-performance conventional authenticated encryption mode, in B. Roy, W. Meier (eds), Fast Software Encryption. Lecture Notes in Computer Science, vol. 3017 (Springer, Berlin Heidelberg, 2004), pp. 408–426
  25. H. Krawczyk, LFSR-based hashing and authentication, in Y.G. Desmedt (ed), Advances in Cryptology CRYPTO ’94. Lecture Notes in Computer Science, vol. 839 (Springer, Berlin Heidelberg, 1994), pp. 129–139
  26. L. Law, J. Solinas, Suite B cryptographic suites for IPsec. IETF Request for Comments 6379, http://tools.ietf.org/html/rfc6379, 2011
  27. R. Lidl, H. Niederreiter, Finite Fields. Encyclopedia of Mathematics and its Applications, vol. 20 (Cambridge University Press, 2nd edition, 1997)
  28. D.J.C. MacKay, S. Mahajan, Numbers that are sums of squares in several ways. http://www.cs.toronto.edu/~mackay/sumsquares.pdf, 2001
  29. D.A. McGrew, S.R. Fluhrer, Multiple forgery attacks against message authentication codes. Comments submitted to NIST on the choice between CWC or GCM, http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/multi-forge-01.pdf, 2005
  30. D.A. McGrew, J. Viega, The Galois/counter mode of operation (GCM). Submission to NIST Modes of Operation Process, http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf, May 2005
  31. D.A. McGrew, J. Viega, The security and performance of the Galois/counter mode (GCM) of operation, in A. Canteaut, K. Viswanathan (eds), Progress in Cryptology INDOCRYPT 2004. Lecture Notes in Computer Science, vol. 3348 (Springer, Berlin Heidelberg, 2005), pp. 343–355
  32. D. Panario, What do random polynomials over finite fields look like?, in G.L. Mullen, A. Poli, H. Stichtenoth (eds), Finite Fields and Applications. Lecture Notes in Computer Science, vol. 2948 (Springer, Berlin Heidelberg, 2004), pp. 89–108
  33. M.O. Rabin, Fingerprinting by random polynomials. Technical Report TR-15-81, Center for Research in Computing Technology, Harvard University, 1981
  34. P. Rogaway, Authenticated-encryption with associated-data, in V. Atluri (ed), ACM Conference on Computer and Communications Security (ACM, 2002), pp. 98–107
  35. M.-J.O. Saarinen, SGCM: the Sophie Germain counter mode. Cryptology ePrint Archive, Report 2011/326, 2011
  36. M.-J.O. Saarinen, Cycling attacks on GCM, GHASH and other polynomial MACs and hashes, in A. Canteaut (ed), Fast Software Encryption. Lecture Notes in Computer Science, vol. 7549 (Springer, Berlin Heidelberg, 2012), pp. 216–225
  37. M. Salter, R. Housley, Suite B profile for transport layer security (TLS). IETF Request for Comments 6460, http://tools.ietf.org/html/rfc6460, 2011
  38. V. Shoup, On fast and provably secure message authentication based on universal hashing, in N. Koblitz (ed), Advances in Cryptology CRYPTO ’96. Lecture Notes in Computer Science, vol. 1109 (Springer, Berlin Heidelberg, 1996), pp. 313–328
  39. G.J. Simmons (ed), Contemporary Cryptology: The Science of Information Integrity (IEEE Press, 1992)
  40. D.R. Stinson, On the connections between universal hashing, combinatorial designs and error-correcting codes. Electronic Colloquium on Computational Complexity (ECCC), Report TR95-052 (1995)
  41. D.R. Stinson, Universal hashing and authentication codes. Des. Codes Cryptogr. 4(3), 369–380 (1994)
  42. R. Taylor, Near optimal unconditionally secure authentication, in A. De Santis (ed), Advances in Cryptology EUROCRYPT ’94. Lecture Notes in Computer Science, vol. 950 (Springer, Berlin Heidelberg, 1995), pp. 244–253
  43. J. von zur Gathen, J. Gerhard, Modern Computer Algebra (Cambridge University Press, Cambridge, 2nd edition, 2003)
  44. M.N. Wegman, J.L. Carter, New classes and applications of hash functions, in 20th Annual Symposium on Foundations of Computer Science (1979), pp. 175–182
  45. M.N. Wegman, J.L. Carter, New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)
  46. B. Zhu, Y. Tan, G. Gong, Revisiting MAC forgeries, weak keys and provable security of Galois/counter mode of operation, in M. Abdalla, C. Nita-Rotaru, R. Dahab (eds), Cryptology and Network Security. Lecture Notes in Computer Science, vol. 8257 (Springer International Publishing, 2013), pp. 20–38

Copyright information

© International Association for Cryptologic Research 2014

Authors and Affiliations

  1. Information Security Group, Royal Holloway, University of London, London, United Kingdom