Optimal Forgeries Against Polynomial-Based MACs and GCM

  • Atul Luykx
  • Bart Preneel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10820)


Polynomial-based authentication algorithms, such as GCM and Poly1305, have seen widespread adoption in practice. Due to their importance, a significant amount of attention has been given to understanding and improving both proofs and attacks against such schemes. At EUROCRYPT 2005, Bernstein published the best known analysis of the schemes when instantiated with PRPs, thereby establishing the most lenient limits on the amount of data the schemes can process per key. A long line of work, initiated by Handschuh and Preneel at CRYPTO 2008, finds the best known attacks, advancing our understanding of the fragility of the schemes. Yet surprisingly, no known attacks perform as well as the predicted worst-case attacks allowed by Bernstein’s analysis, nor has there been any advancement in proofs improving Bernstein’s bounds, and the gap between attacks and analysis is significant. We settle the issue by finding a novel attack against polynomial-based authentication algorithms using PRPs, and combine it with new analysis, to show that Bernstein’s bound, and our attacks, are optimal.


Keywords: Forgery · Wegman-Carter · Authenticator · MAC · GCM · Universal hash · Polynomial



The authors would like to thank Guy Barwell, Dan Bernstein, Bart Mennink, Scott Fluhrer, and the anonymous reviewers for their comments, as well as Mridul Nandi for pointing out an error in a previous version of the manuscript.


  1. [3GP17]
    Specification of the 3GPP: Confidentiality and Integrity Algorithms UEA2 & UIA2; Document 2: SNOW 3G specification (2017).
  2. [ABBT15]
    Abdelraheem, M.A., Beelen, P., Bogdanov, A., Tischhauser, E.: Twisted polynomials and forgery attacks on GCM. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 762–786. Springer, Heidelberg (2015).
  3. [AY12]
    Aoki, K., Yasuda, K.: The security and performance of “GCM” when short multiplications are used instead. In: Kutyłowski, M., Yung, M. (eds.) Inscrypt 2012. LNCS, vol. 7763, pp. 225–245. Springer, Heidelberg (2013).
  4. [BC09]
    Black, J., Cochran, M.: MAC reforgeability. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 345–362. Springer, Heidelberg (2009).
  5. [Ber70]
    Berlekamp, E.R.: Factoring polynomials over large finite fields. Math. Comput. 24(111), 713–735 (1970).
  6. [Ber05a]
    Bernstein, D.J.: Stronger security bounds for permutations (2005). Accessed 9 April 2015.
  7. [Ber05b]
    Bernstein, D.J.: Stronger security bounds for Wegman-Carter-Shoup authenticators. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 164–180. Springer, Heidelberg (2005).
  8. [Ber05c]
    Bernstein, D.J.: The Poly1305-AES message-authentication code. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 32–49. Springer, Heidelberg (2005).
  9. [Ber09]
    Bernstein, D.J.: Cryptography in NaCl (2009). Accessed 14 Sept 2017.
  10. [BGM04]
    Bellare, M., Goldreich, O., Mityagin, A.: The power of verification queries in message authentication and authenticated encryption. IACR Cryptology ePrint Archive 2004, p. 309 (2004).
  11. [BHK+99]
    Black, J., Halevi, S., Krawczyk, H., Krovetz, T., Rogaway, P.: UMAC: fast and secure message authentication. In: Wiener [Wie99], pp. 216–233.
  12. [BJKS93]
    Bierbrauer, J., Johansson, T., Kabatianskii, G., Smeets, B.: On families of hash functions via geometric codes and concatenation. In: Stinson [Sti94], pp. 331–342.
  13. [BL16]
    Bhargavan, K., Leurent, G.: On the practical (in-)security of 64-bit block ciphers: collision attacks on HTTP over TLS and OpenVPN. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 24–28 October 2016, Vienna, Austria, pp. 456–467. ACM (2016).
  14. [BPR05]
    Bellare, M., Pietrzak, K., Rogaway, P.: Improved security analyses for CBC MACs. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 527–545. Springer, Heidelberg (2005).
  15. [Bra82]
    Brassard, G.: On computationally secure authentication tags requiring short secret shared keys. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Advances in Cryptology, pp. 79–86. Springer, Boston (1983).
  16. [CS16]
    Cogliati, B., Seurin, Y.: EWCDM: an efficient, beyond-birthday secure, nonce-misuse resistant MAC. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 121–149. Springer, Heidelberg (2016).
  17. [CZ81]
    Cantor, D.G., Zassenhaus, H.: A new algorithm for factoring polynomials over finite fields. Math. Comput. 36(154), 587–592 (1981).
  18. [dB93]
    den Boer, B.: A simple and key-economical unconditional authentication scheme. J. Comput. Secur. 2, 65–72 (1993).
  19. [EPR99]
    Etzel, M., Patel, S., Ramzan, Z.: Square hash: fast message authentication via optimized universal hash functions. In: Wiener [Wie99], pp. 234–251.
  20. [Fer05]
    Ferguson, N.: Authentication weaknesses in GCM. Comments submitted to NIST Modes of Operation Process (2005).
  21. [GGM18]
    Gilboa, S., Gueron, S., Morris, B.: How many queries are needed to distinguish a truncated random permutation from a random function? J. Cryptol. 31(1), 162–171 (2018).
  22. [GMS74]
    Gilbert, E.N., MacWilliams, F.J., Sloane, N.J.A.: Codes which detect deception. Bell Syst. Tech. J. 53(3), 405–424 (1974).
  23. [GPR14]
    Gaži, P., Pietrzak, K., Rybár, M.: The exact PRF-security of NMAC and HMAC. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 113–130. Springer, Heidelberg (2014).
  24. [GPR16]
    Gaži, P., Pietrzak, K., Rybár, M.: The exact security of PMAC. IACR Trans. Symmetric Cryptol. 2016(2), 145–161 (2016).
  25. [GPT15]
    Gaži, P., Pietrzak, K., Tessaro, S.: The exact PRF security of truncation: tight bounds for keyed sponges and truncated CBC. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 368–387. Springer, Heidelberg (2015).
  26. [HK97]
    Halevi, S., Krawczyk, H.: MMH: software message authentication in the Gbit/second rates. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 172–189. Springer, Heidelberg (1997).
  27. [HP08]
    Handschuh, H., Preneel, B.: Key-recovery attacks on universal hash function based MAC algorithms. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 144–161. Springer, Heidelberg (2008).
  28. [HWKS98]
    Hall, C., Wagner, D., Kelsey, J., Schneier, B.: Building PRFs from PRPs. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 370–389. Springer, Heidelberg (1998).
  29. [IOM12]
    Iwata, T., Ohashi, K., Minematsu, K.: Breaking and repairing GCM security proofs. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 31–49. Springer, Heidelberg (2012).
  30. [IS09]
    Igoe, K., Solinas, J.: AES Galois Counter Mode for the secure shell transport layer protocol. RFC 5647, August 2009.
  31. [Joh97]
    Johansson, T.: Bucket hashing with a small key size. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 149–162. Springer, Heidelberg (1997).
  32. [Jou]
    Joux, A.: Comments on the draft GCM specification - authentication failures in NIST version of GCM.
  33. [Kro06]
    Krovetz, T.: Message authentication on 64-bit architectures. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 327–341. Springer, Heidelberg (2007).
  34. [KVW04]
    Kohno, T., Viega, J., Whiting, D.: CWC: a high-performance conventional authenticated encryption mode. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 408–426. Springer, Heidelberg (2004).
  35. [KYS05]
    Kaps, J.-P., Yüksel, K., Sunar, B.: Energy scalable universal hashing. IEEE Trans. Comput. 54(12), 1484–1495 (2005).
  36. [LMP17]
    Luykx, A., Mennink, B., Paterson, K.G.: Analyzing multi-key security degradation. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 575–605. Springer, Cham (2017).
  37. [LPSY16]
    Luykx, A., Preneel, B., Szepieniec, A., Yasuda, K.: On the influence of message length in PMAC’s security bounds. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 596–621. Springer, Heidelberg (2016).
  38. [MF05]
    McGrew, D.A., Fluhrer, S.R.: Multiple forgery attacks against message authentication codes. Cryptology ePrint Archive, Report 2005/161 (2005).
  39. [MN17]
    Mennink, B., Neves, S.: Encrypted Davies-Meyer and its dual: towards optimal security using mirror theory. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 556–583. Springer, Cham (2017).
  40. [MV04a]
    McGrew, D.A., Viega, J.: The security and performance of the Galois/Counter Mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004).
  41. [MV04b]
    McGrew, D.A., Viega, J.: The security and performance of the Galois/Counter Mode of operation (Full Version). IACR Cryptology ePrint Archive 2004, p. 193 (2004).
  42. [MW16]
    Mattsson, J., Westerlund, M.: Authentication key recovery on Galois/Counter Mode (GCM). In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 127–143. Springer, Cham (2016).
  43. [Nat80]
    National Institute of Standards and Technology: DES Modes of Operation. FIPS 81, December 1980.
  44. [NOMI15]
    Niwa, Y., Ohashi, K., Minematsu, K., Iwata, T.: GCM security bounds reconsidered. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 385–407. Springer, Heidelberg (2015).
  45. [PC13]
    Procter, G., Cid, C.: On weak keys and forgery attacks against polynomial-based MAC schemes. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 287–304. Springer, Heidelberg (2014).
  46. [PC15]
    Procter, G., Cid, C.: On weak keys and forgery attacks against polynomial-based MAC schemes. J. Cryptol. 28(4), 769–795 (2015).
  47. [Pie06]
    Pietrzak, K.: A tight bound for EMAC. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 168–179. Springer, Heidelberg (2006).
  48. [PvO99]
    Preneel, B., van Oorschot, P.C.: On the security of iterated message authentication codes. IEEE Trans. Inf. Theor. 45(1), 188–199 (1999).
  49. [Saa11]
    Saarinen, M.-J.O.: SGCM: The Sophie Germain Counter Mode. Cryptology ePrint Archive, Report 2011/326 (2011).
  50. [Saa12]
    Saarinen, M.-J.O.: Cycling attacks on GCM, GHASH and other polynomial MACs and hashes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 216–225. Springer, Heidelberg (2012).
  51. [Sho96]
    Shoup, V.: On fast and provably secure message authentication based on universal hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 313–328. Springer, Heidelberg (1996).
  52. [Sim91]
    Simmons, G.J.: A survey of information authentication. In: Simmons, G.J. (ed.) Contemporary Cryptology: The Science of Information Integrity, pp. 381–419. IEEE Press, New York (1991).
  53. [SMC08]
    Salowey, J.A., McGrew, D.A., Choudhury, A.: AES Galois Counter Mode (GCM) Cipher Suites for TLS. RFC 5288, August 2008.
  54. [Sti91]
    Stinson, D.R.: Universal hashing and authentication codes. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 74–85. Springer, Heidelberg (1992).
  55. [Sti94]
    Stinson, D.R. (ed.): CRYPTO 1993. LNCS, vol. 773. Springer, Heidelberg (1994).
  56. [Tay93]
    Taylor, R.: An integrity check value algorithm for stream ciphers. In: Stinson [Sti94], pp. 40–48.
  57. [VM06]
    Viega, J., McGrew, D.A.: The use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH. RFC 4543, May 2006.
  58. [WC81]
    Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981).
  59. [Wie99]
    Wiener, M. (ed.): CRYPTO 1999. LNCS, vol. 1666. Springer, Heidelberg (1999).
  60. [ZTG13]
    Zhu, B., Tan, Y., Gong, G.: Revisiting MAC forgeries, weak keys and provable security of Galois/Counter Mode of operation. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds.) CANS 2013. LNCS, vol. 8257, pp. 20–38. Springer, Cham (2013).
  61. [ZW17]
    Zheng, K., Wang, P.: A uniform class of weak keys for universal hash functions. Cryptology ePrint Archive, Report 2017/436 (2017).

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. Visa Research, Palo Alto, USA
  2. imec-COSIC, KU Leuven, Leuven, Belgium
