GCM Security Bounds Reconsidered

  • Yuichi Niwa
  • Keisuke Ohashi
  • Kazuhiko Minematsu
  • Tetsu Iwata
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9054)


A constant of \(2^{22}\) appears in the security bounds of the Galois/Counter Mode of Operation, GCM. In this paper, we first develop an algorithm to generate nonces that have a high counter-collision probability. We show concrete examples of nonces with the counter-collision probability of about \(2^{20.75}/2^{128}\). This shows that the constant in the security bounds, \(2^{22}\), cannot be made smaller than \(2^{19.74}\) if the proof relies on “the sum bound.” We next show that it is possible to avoid using the sum bound, leading to improved security bounds of GCM. One of our improvements shows that the constant of \(2^{22}\) can be reduced to 32.


Keywords: GCM · Provable security · Counter-collision · The sum bound



The authors received useful comments from participants of Dagstuhl Seminar 12031 (Symmetric Cryptography), ASK 2012 (Asian Workshop on Symmetric Key Cryptography), Early Symmetric Crypto (ESC) seminar 2013, and “Shin-Akarui-Angou-Benkyou-Kai.” In particular, the authors thank Antoine Joux for motivating this work at Dagstuhl Seminar 12031. The work by Tetsu Iwata was supported in part by JSPS KAKENHI, Grant-in-Aid for Scientific Research (B), Grant Number 26280045, and was carried out in part while visiting Nanyang Technological University, Singapore.



Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Yuichi Niwa (1)
  • Keisuke Ohashi (1)
  • Kazuhiko Minematsu (2)
  • Tetsu Iwata (1)

  1. Nagoya University, Nagoya, Japan
  2. NEC Corporation, Tokyo, Japan
