Revisiting MAC Forgeries, Weak Keys and Provable Security of Galois/Counter Mode of Operation

  • Bo Zhu
  • Yin Tan
  • Guang Gong
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8257)


Galois/Counter Mode (GCM) is a block cipher mode of operation widely adopted in practical applications and standards such as IEEE 802.1AE and IPsec. We demonstrate that, to construct successful forgeries against GCM-like polynomial-based MAC schemes, hash collisions are not required and any polynomial can be used in the attacks, which removes the restrictions of the attacks previously proposed by Procter and Cid. Based on these new observations on forgery attacks, we show that every subset of two or more authentication keys is a weak key class if the final block cipher masking is computed additively. In addition, by exploiting a special structure of GCM, we turn these forgery attacks into birthday attacks, which significantly increases their success probabilities. Furthermore, we provide a method to fix GCM so as to avoid the security proof flaw discovered by Iwata, Ohashi and Minematsu; by applying the method, the security bounds of GCM can be improved by a factor of around 2^20. Lastly, we show that these forgery attacks still succeed if GCM adopts the MAC-then-Enc paradigm to protect its MAC scheme, one of the options mentioned in previous papers.
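The forgery mechanism the abstract refers to can be seen in a few lines of arithmetic. GHASH is polynomial evaluation over GF(2^128): for blocks B_1, ..., B_n it computes sum_i B_i * H^(n+1-i), and GCM's tag is that value XORed with a mask E_K(J0) that does not depend on the message (the "additive final masking"). XORing the coefficients of an attacker-chosen polynomial q into the message therefore shifts the tag by exactly q(H), and the forged message is accepted iff q(H) = 0. No collision search is needed: the attacker picks q, and any set of two or more hash keys becomes a weak key class for the q whose roots they are. The following is an added illustration written for this page, not code from the paper. It assumes a simplified model (no associated data, the mask replaced by a random constant, a constructed three-block message plus the GCM length block); the function names and sample values are this example's own.

```python
"""Polynomial-MAC forgery against a GHASH-style authenticator with additive masking.

Added illustration, not code from the paper.  The tag is modelled as
T = GHASH_H(C) xor Mask, where Mask stands for E_K(J0) and does not depend on C.
GHASH_H(C) is the polynomial sum_i C_i * H^(n+1-i) over GF(2^128), so XORing the
coefficients of an attacker-chosen polynomial q into C shifts the tag by exactly
q(H), whatever H is.  The forgery is accepted iff q(H) = 0, so the attacker picks
q's roots: any set of two or more hash keys is a weak-key class for that q.
"""
import secrets

R = 0xE1 << 120   # GCM reduction constant for x^128 + x^7 + x^2 + x + 1 (bit-reflected)
ONE = 1 << 127    # the element "1" in GCM's bit ordering


def gf_mul(x: int, y: int) -> int:
    """Multiply two GF(2^128) elements in GCM's bit ordering (SP 800-38D, Algorithm 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:   # bit i of y, leftmost bit first
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash(h: int, blocks: list[int]) -> int:
    """GHASH_H over 128-bit blocks: Horner evaluation of sum B_i * H^(n+1-i)."""
    x = 0
    for b in blocks:
        x = gf_mul(x ^ b, h)
    return x


def tag(h: int, mask: int, blocks: list[int]) -> int:
    """Additively masked tag, as in GCM: T = GHASH_H(blocks) xor E_K(J0)."""
    return ghash(h, blocks) ^ mask


def poly_mul(a: list[int], b: list[int]) -> list[int]:
    """Product of two polynomials over GF(2^128); coefficients listed lowest degree first."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] ^= gf_mul(ai, bj)
    return out


def forgery_polynomial(roots: list[int]) -> list[int]:
    """q(x) = x^2 * prod_r (x + r), whose roots are the targeted hash keys.

    The x^2 factor zeroes the degree-0 term (GHASH has none) and the degree-1
    term (the GCM length block, which this forgery leaves untouched).
    """
    q = [0, 0, ONE]
    for r in roots:
        q = poly_mul(q, [r, ONE])   # (x + r); in characteristic 2, x + r == x - r
    return q


def forge(blocks: list[int], roots: list[int]) -> list[int]:
    """XOR q's coefficients into the message so that GHASH_H changes by exactly q(H).

    Block i (0-based) multiplies H^(n-i), so the degree-d coefficient belongs in
    block n-d.  blocks[-1] is the GCM length block (degree 1) and stays unchanged.
    """
    q = forgery_polynomial(roots)
    n = len(blocks)
    if len(q) - 1 > n:
        raise ValueError("message too short: need at least len(roots)+1 data blocks")
    forged = list(blocks)
    for d, coeff in enumerate(q):
        if coeff:
            forged[n - d] ^= coeff
    return forged


def accepted(h: int, mask: int, original: list[int], forged: list[int]) -> bool:
    """Verifier's view: does the forged message carry the original message's tag?"""
    return tag(h, mask, forged) == tag(h, mask, original)


def demo() -> dict:
    """Forge against two arbitrary hash keys, then verify under targeted and untargeted keys."""
    # Constructed sample: three ciphertext blocks plus the GCM length block
    # (len(A) = 0, len(C) = 3 * 128 bits); all values are chosen for this example.
    msg = [0x00112233445566778899AABBCCDDEEFF,
           0x0123456789ABCDEF0123456789ABCDEF,
           0xFEDCBA9876543210FEDCBA9876543210,
           3 * 128]
    weak_keys = [secrets.randbits(128), secrets.randbits(128)]   # any two keys will do
    mask = secrets.randbits(128)                                 # stands in for E_K(J0)
    forged = forge(msg, weak_keys)
    return {
        "message_changed": forged != msg,
        "accepted_under_targeted_keys": all(accepted(h, mask, msg, forged) for h in weak_keys),
        "accepted_under_random_key": accepted(secrets.randbits(128), mask, msg, forged),
    }


if __name__ == "__main__":
    print(demo())
```

The mask cancels in the verifier's comparison, which is why the additive masking gives no protection against this class of forgery: only q(H) decides acceptance. Against an untargeted key the attempt fails with overwhelming probability (q has only deg(q) roots out of 2^128 elements), which is exactly the per-attempt success probability the attacker trades against the size of the key class.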


Keywords: Galois/Counter Mode, GCM, MAC forgery, weak key, birthday attack, provable security, MAC-then-Enc




  1. Aoki, K., Yasuda, K.: The security and performance of "GCM" when short multiplications are used instead. In: Kutyłowski, M., Yung, M. (eds.) Inscrypt 2012. LNCS, vol. 7763, pp. 225–245. Springer, Heidelberg (2013)
  2. Bernstein, D.J.: The Poly1305-AES message-authentication code. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 32–49. Springer, Heidelberg (2005)
  3. CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness
  4. Dworkin, M.J.: SP 800-38D. Recommendation for block cipher modes of operation: Galois/Counter Mode (GCM) and GMAC. Technical report, Gaithersburg, MD, United States (2007)
  5. Ferguson, N.: Authentication weaknesses in GCM. Comments submitted to NIST Modes of Operation Process (2005)
  6. Handschuh, H., Preneel, B.: Key-recovery attacks on universal hash function based MAC algorithms. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 144–161. Springer, Heidelberg (2008)
  7. IEEE 802.1AE: Media access control (MAC) security (2006)
  8. Iwata, T., Ohashi, K., Minematsu, K.: Breaking and repairing GCM security proofs. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 31–49. Springer, Heidelberg (2012)
  9. Iwata, T., Ohashi, K., Minematsu, K.: Breaking and repairing GCM security proofs. Cryptology ePrint Archive, Report 2012/438 (2012)
  10. Joux, A.: Authentication failures in NIST version of GCM. NIST Comment (2006)
  11. Katz, J., Lindell, Y.: Introduction to Modern Cryptography. Chapman & Hall (2008)
  12. McGrew, D., Viega, J.: The Galois/Counter Mode of operation (GCM). Submission to NIST Modes of Operation Process (2004)
  13. McGrew, D.A., Viega, J.: The security and performance of the Galois/Counter Mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004)
  14. McGrew, D.A.: Counter mode security: Analysis and recommendations (2002)
  15. NSA: Suite B Cryptography (2005)
  16. Procter, G., Cid, C.: On weak keys and forgery attacks against polynomial-based MAC schemes. In: Fast Software Encryption (FSE 2013). LNCS. Springer (to appear, 2013)
  17. Procter, G., Cid, C.: On weak keys and forgery attacks against polynomial-based MAC schemes. Cryptology ePrint Archive, Report 2013/144 (2013)
  18. Rogaway, P.: Authenticated-encryption with associated-data. In: Proceedings of the 9th ACM Conference on Computer and Communications Security, CCS 2002, pp. 98–107. ACM, New York (2002)
  19. Saarinen, M.-J.O.: Cycling attacks on GCM, GHASH and other polynomial MACs and hashes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 216–225. Springer, Heidelberg (2012)
  20. Shoup, V.: On fast and provably secure message authentication based on universal hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 313–328. Springer, Heidelberg (1996)
  21. Viega, J., McGrew, D.A.: The use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP) (2005)

Copyright information

© Springer International Publishing Switzerland 2013

Authors and Affiliations

  • Bo Zhu (1)
  • Yin Tan (1)
  • Guang Gong (1)
  1. Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, Canada
