Optimal Forgeries Against Polynomial-Based MACs and GCM

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10820)


Abstract

Polynomial-based authentication algorithms, such as GCM and Poly1305, have seen widespread adoption in practice. Due to their importance, a significant amount of attention has been given to understanding and improving both proofs and attacks against such schemes. At EUROCRYPT 2005, Bernstein published the best known analysis of the schemes when instantiated with PRPs, thereby establishing the most lenient limits on the amount of data the schemes can process per key. A long line of work, initiated by Handschuh and Preneel at CRYPTO 2008, finds the best known attacks, advancing our understanding of the fragility of the schemes. Yet surprisingly, no known attacks perform as well as the predicted worst-case attacks allowed by Bernstein’s analysis, nor has there been any advancement in proofs improving Bernstein’s bounds, and the gap between attacks and analysis is significant. We settle the issue by finding a novel attack against polynomial-based authentication algorithms using PRPs, and combine it with new analysis, to show that Bernstein’s bound, and our attacks, are optimal.
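The schemes the abstract refers to share one structure: the message is hashed as a polynomial in a secret field element H (GHASH over GF(2^128) in the case of GCM), and the hash is masked with a block-cipher output E_K(N), the Wegman-Carter-Shoup construction. The example below is added to this page and is not code from the paper or from any GCM implementation. It implements GHASH exactly as the GCM specification defines it (Algorithm 1 multiplication, reflected bit order, length block), builds the Wegman-Carter-Shoup tag on it, and then shows the algebraic fact that the forgery and key-recovery line of work cited here ([HP08], [PC13]) rests on: a forgery attempt whose block difference is a polynomial D(x) verifies exactly when D(H) = 0, so a single verification query on a (k+1)-block message tests k candidate hash keys at once. Assumptions: the block-cipher call is replaced by a constructed SHA-256 stand-in (`pad_for_nonce`), the hash key `h`, key, nonce and messages are constructed values, and `forge_attempt` takes the candidate keys as input, i.e. it shows the structure the attacks exploit and not the paper's own attack or any key-search procedure.

```python
"""GHASH as a polynomial in the hash key H over GF(2^128), a Wegman-Carter-Shoup
tag built on it, and the fact polynomial-MAC forgery attacks rest on: a forgery
attempt whose block difference is the polynomial D(x) verifies iff D(H) = 0.
Illustration added to this page, not code from the paper.  Stdlib only."""
import hashlib

R = 0xE1 << 120   # reduction: x^128 = x^7 + x^2 + x + 1 in GCM's reflected bit order
ONE = 1 << 127    # the field element 1 (leftmost bit of the block, per the GCM spec)


def gf_mul(x: int, y: int) -> int:
    """Algorithm 1 of the GCM spec.  Blocks are 128-bit ints read big-endian, so
    the spec's bit Y_0 (leftmost) is int bit 127 and rightshift(V) is V >> 1."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def blocks(data: bytes):
    """16-byte blocks as ints, zero-padding a final partial block."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big")


def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """GHASH_H(A, C) by Horner's rule over A, C and the 64||64-bit length block.
    For n full message blocks and no AAD: m_1 H^(n+1) + ... + m_n H^2 + L H."""
    y = 0
    for b in list(blocks(aad)) + list(blocks(ct)):
        y = gf_mul(y ^ b, h)
    length_block = ((len(aad) * 8) << 64) | (len(ct) * 8)
    return gf_mul(y ^ length_block, h)


def pad_for_nonce(key: bytes, nonce: bytes) -> int:
    """Stand-in for the block-cipher output E_K(N) that masks the hash.  Constructed
    for this demo from SHA-256; NOT AES and NOT GCM's counter encryption.  The
    forgery below never evaluates it, which is the point."""
    return int.from_bytes(hashlib.sha256(key + nonce).digest()[:16], "big")


def wcs_tag(h: int, key: bytes, nonce: bytes, msg: bytes) -> int:
    """Wegman-Carter-Shoup tag: GHASH_H(msg) xor E_K(N)."""
    return ghash(h, b"", msg) ^ pad_for_nonce(key, nonce)


def wcs_verify(h: int, key: bytes, nonce: bytes, msg: bytes, tag: int) -> bool:
    return wcs_tag(h, key, nonce, msg) == tag


def poly_with_roots(roots) -> list:
    """Coefficients, highest degree first, of the monic P(x) = prod (x + r)."""
    coeffs = [ONE]
    for r in roots:
        new = coeffs + [0]               # multiply by x ...
        for i, c in enumerate(coeffs):
            new[i + 1] ^= gf_mul(c, r)   # ... and add r times the old polynomial
        coeffs = new
    return coeffs


def forge_attempt(msg: bytes, candidates) -> bytes:
    """Return msg' with GHASH_H(msg') == GHASH_H(msg) iff H is in `candidates`.

    P(x) = prod (x + r) is xored across the last deg(P)+1 blocks, so
    GHASH_H(msg') xor GHASH_H(msg) = H^2 * P(H); the length block is unchanged.
    One verification query on a (k+1)-block message thus tests k candidate keys."""
    coeffs = poly_with_roots(candidates)
    n, rem = divmod(len(msg), 16)
    if rem or n < len(coeffs):
        raise ValueError("need at least %d full blocks" % len(coeffs))
    mb = list(blocks(msg))
    start = n - len(coeffs)
    for j, c in enumerate(coeffs):
        mb[start + j] ^= c
    return b"".join(b.to_bytes(16, "big") for b in mb)


def demo() -> dict:
    """Constructed inputs: h stands in for E_K(0^128); the nonce is reused, so the
    pad is identical and the verdict depends only on whether P(h) = 0."""
    h = int.from_bytes(b"\x42" * 16, "big")
    key, nonce = b"k" * 16, b"n" * 12
    msg = bytes(range(64))                     # four full blocks
    tag = wcs_tag(h, key, nonce, msg)
    wrong = forge_attempt(msg, [ONE, 0x1234])  # guesses that do not include h
    right = forge_attempt(msg, [ONE, h, 0x1234])
    return {"wrong_guess_verifies": wcs_verify(h, key, nonce, wrong, tag),
            "right_guess_verifies": wcs_verify(h, key, nonce, right, tag)}


if __name__ == "__main__":
    print(demo())   # {'wrong_guess_verifies': False, 'right_guess_verifies': True}
```

Before reading anything into the forgery part, confirm the bit ordering against the GCM specification's Test Case 2: with H = 66e94bd4ef8a2c3b884cfa59ca342b2e, no AAD and the single ciphertext block 0388dace60b6a392f328c2b971b2fe78, `ghash` must return f38cbb1ad69223dcc3457ae5b6b0f885. The forgery never touches the pad, which is why a same-nonce verification query becomes a test on H alone; it is also why the number of blocks ℓ shows up in the bounds discussed above: a longer message admits a higher-degree D(x), hence more candidate keys eliminated per query.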


Keywords

Forgery · Wegman-Carter · Authenticator · MAC · GCM · Universal hash · Polynomial



Acknowledgements

The authors would like to thank Guy Barwell, Dan Bernstein, Bart Mennink, Scott Fluhrer, and the anonymous reviewers for their comments, as well as Mridul Nandi for pointing out an error in a previous version of the manuscript.


References

  1. [3GP17]
    Specification of the 3GPP: Confidentiality and Integrity Algorithms UEA2 & UIA2; Document 2: SNOW 3G specification (2017). https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=2396
  2. [ABBT15]
    Abdelraheem, M.A., Beelen, P., Bogdanov, A., Tischhauser, E.: Twisted polynomials and forgery attacks on GCM. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 762–786. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_29
  3. [AY12]
    Aoki, K., Yasuda, K.: The security and performance of “GCM” when short multiplications are used instead. In: Kutyłowski, M., Yung, M. (eds.) Inscrypt 2012. LNCS, vol. 7763, pp. 225–245. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38519-3_15
  4. [BC09]
    Black, J., Cochran, M.: MAC reforgeability. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 345–362. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03317-9_21
  5. [Ber70]
    Berlekamp, E.R.: Factoring polynomials over large finite fields. Math. Comput. 24(111), 713–735 (1970)
  6. [Ber05a]
    Bernstein, D.J.: Stronger security bounds for permutations (2005). http://cr.yp.to/papers.html#permutations. Accessed 9 April 2015
  7. [Ber05b]
    Bernstein, D.J.: Stronger security bounds for Wegman-Carter-Shoup authenticators. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 164–180. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_10
  8. [Ber05c]
    Bernstein, D.J.: The Poly1305-AES message-authentication code. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 32–49. Springer, Heidelberg (2005). https://doi.org/10.1007/11502760_3
  9. [Ber09]
    Bernstein, D.J.: Cryptography in NaCl (2009). http://cr.yp.to/papers.html#naclcrypto. Accessed 14 Sept 2017
  10. [BGM04]
    Bellare, M., Goldreich, O., Mityagin, A.: The power of verification queries in message authentication and authenticated encryption. IACR Cryptology ePrint Archive 2004, p. 309 (2004)
  11. [BHK+99]
    Black, J., Halevi, S., Krawczyk, H., Krovetz, T., Rogaway, P.: UMAC: fast and secure message authentication. In: Wiener [Wie99], pp. 216–233
  12. [BJKS93]
    Bierbrauer, J., Johansson, T., Kabatianskii, G., Smeets, B.: On families of hash functions via geometric codes and concatenation. In: Stinson [Sti94], pp. 331–342
  13. [BL16]
    Bhargavan, K., Leurent, G.: On the practical (in-)security of 64-bit block ciphers: collision attacks on HTTP over TLS and OpenVPN. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 24–28 October 2016, Vienna, Austria, pp. 456–467. ACM (2016)
  14. [BPR05]
    Bellare, M., Pietrzak, K., Rogaway, P.: Improved security analyses for CBC MACs. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 527–545. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_32
  15. [Bra82]
    Brassard, G.: On computationally secure authentication tags requiring short secret shared keys. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Advances in Cryptology, pp. 79–86. Springer, Boston (1983). https://doi.org/10.1007/978-1-4757-0602-4_7
  16. [CS16]
    Cogliati, B., Seurin, Y.: EWCDM: an efficient, beyond-birthday secure, nonce-misuse resistant MAC. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 121–149. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_5
  17. [CZ81]
    Cantor, D.G., Zassenhaus, H.: A new algorithm for factoring polynomials over finite fields. Math. Comput. 36(154), 587–592 (1981)
  18. [dB93]
    den Boer, B.: A simple and key-economical unconditional authentication scheme. J. Comput. Secur. 2, 65–72 (1993)
  19. [EPR99]
    Etzel, M., Patel, S., Ramzan, Z.: Square hash: fast message authentication via optimized universal hash functions. In: Wiener [Wie99], pp. 234–251
  20. [Fer05]
    Ferguson, N.: Authentication weaknesses in GCM. Comments submitted to NIST Modes of Operation Process (2005)
  21. [GGM18]
    Gilboa, S., Gueron, S., Morris, B.: How many queries are needed to distinguish a truncated random permutation from a random function? J. Cryptol. 31(1), 162–171 (2018)
  22. [GMS74]
    Gilbert, E.N., MacWilliams, F.J., Sloane, N.J.A.: Codes which detect deception. Bell Syst. Tech. J. 53(3), 405–424 (1974)
  23. [GPR14]
    Gaži, P., Pietrzak, K., Rybár, M.: The exact PRF-security of NMAC and HMAC. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 113–130. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_7
  24. [GPR16]
    Gaži, P., Pietrzak, K., Rybár, M.: The exact security of PMAC. IACR Trans. Symmetric Cryptol. 2016(2), 145–161 (2016)
  25. [GPT15]
    Gaži, P., Pietrzak, K., Tessaro, S.: The exact PRF security of truncation: tight bounds for keyed sponges and truncated CBC. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 368–387. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47989-6_18
  26. [HK97]
    Halevi, S., Krawczyk, H.: MMH: software message authentication in the Gbit/second rates. In: Biham, E. (ed.) FSE 1997. LNCS, vol. 1267, pp. 172–189. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052345
  27. [HP08]
    Handschuh, H., Preneel, B.: Key-recovery attacks on universal hash function based MAC algorithms. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 144–161. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_9
  28. [HWKS98]
    Hall, C., Wagner, D., Kelsey, J., Schneier, B.: Building PRFs from PRPs. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 370–389. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055742
  29. [IOM12]
    Iwata, T., Ohashi, K., Minematsu, K.: Breaking and repairing GCM security proofs. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 31–49. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_3
  30. [IS09]
    Igoe, K., Solinas, J.: AES Galois Counter Mode for the secure shell transport layer protocol. RFC 5647, August 2009
  31. [Joh97]
    Johansson, T.: Bucket hashing with a small key size. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 149–162. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_12
  32. [Jou]
    Joux, A.: Comments on the draft GCM specification - authentication failures in NIST version of GCM. http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/800-38_Series-Drafts/GCM/Joux_comments.pdf
  33. [Kro06]
    Krovetz, T.: Message authentication on 64-bit architectures. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 327–341. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74462-7_23
  34. [KVW04]
    Kohno, T., Viega, J., Whiting, D.: CWC: a high-performance conventional authenticated encryption mode. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 408–426. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-25937-4_26
  35. [KYS05]
    Kaps, J.-P., Yüksel, K., Sunar, B.: Energy scalable universal hashing. IEEE Trans. Comput. 54(12), 1484–1495 (2005)
  36. [LMP17]
    Luykx, A., Mennink, B., Paterson, K.G.: Analyzing multi-key security degradation. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 575–605. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_20
  37. [LPSY16]
    Luykx, A., Preneel, B., Szepieniec, A., Yasuda, K.: On the influence of message length in PMAC’s security bounds. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 596–621. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_23
  38. [MF05]
    McGrew, D.A., Fluhrer, S.R.: Multiple forgery attacks against message authentication codes. Cryptology ePrint Archive, Report 2005/161 (2005). http://eprint.iacr.org/2005/161
  39. [MN17]
    Mennink, B., Neves, S.: Encrypted Davies-Meyer and its dual: towards optimal security using mirror theory. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10403, pp. 556–583. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63697-9_19
  40. [MV04a]
    McGrew, D.A., Viega, J.: The security and performance of the Galois/Counter Mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30556-9_27
  41. [MV04b]
    McGrew, D.A., Viega, J.: The security and performance of the Galois/Counter Mode of operation (Full Version). IACR Cryptology ePrint Archive 2004, p. 193 (2004)
  42. [MW16]
    Mattsson, J., Westerlund, M.: Authentication key recovery on Galois/Counter Mode (GCM). In: Pointcheval, D., Nitaj, A., Rachidi, T. (eds.) AFRICACRYPT 2016. LNCS, vol. 9646, pp. 127–143. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-31517-1_7
  43. [Nat80]
    National Institute of Standards and Technology: DES Modes of Operation. FIPS 81, December 1980
  44. [NOMI15]
    Niwa, Y., Ohashi, K., Minematsu, K., Iwata, T.: GCM security bounds reconsidered. In: Leander, G. (ed.) FSE 2015. LNCS, vol. 9054, pp. 385–407. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48116-5_19
  45. [PC13]
    Procter, G., Cid, C.: On weak keys and forgery attacks against polynomial-based MAC schemes. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 287–304. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43933-3_15
  46. [PC15]
    Procter, G., Cid, C.: On weak keys and forgery attacks against polynomial-based MAC schemes. J. Cryptol. 28(4), 769–795 (2015)
  47. [Pie06]
    Pietrzak, K.: A tight bound for EMAC. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 168–179. Springer, Heidelberg (2006). https://doi.org/10.1007/11787006_15
  48. [PvO99]
    Preneel, B., van Oorschot, P.C.: On the security of iterated message authentication codes. IEEE Trans. Inf. Theor. 45(1), 188–199 (1999)
  49. [Saa11]
    Saarinen, M.-J.O.: SGCM: The Sophie Germain Counter Mode. Cryptology ePrint Archive, Report 2011/326 (2011). http://eprint.iacr.org/2011/326
  50. [Saa12]
    Saarinen, M.-J.O.: Cycling attacks on GCM, GHASH and other polynomial MACs and hashes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 216–225. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34047-5_13
  51. [Sho96]
    Shoup, V.: On fast and provably secure message authentication based on universal hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 313–328. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68697-5_24
  52. [Sim91]
    Simmons, G.J.: A survey of information authentication. In: Simmons, G.J. (ed.) Contemporary Cryptology: The Science of Information Integrity, pp. 381–419. IEEE Press, New York (1991)
  53. [SMC08]
    Salowey, J.A., McGrew, D.A., Choudhury, A.: AES Galois Counter Mode (GCM) Cipher Suites for TLS. RFC 5288, August 2008
  54. [Sti91]
    Stinson, D.R.: Universal hashing and authentication codes. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 74–85. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_5
  55. [Sti94]
    Stinson, D.R. (ed.): CRYPTO 1993. LNCS, vol. 773. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2
  56. [Tay93]
    Taylor, R.: An integrity check value algorithm for stream ciphers. In: Stinson [Sti94], pp. 40–48
  57. [VM06]
    Viega, J., McGrew, D.A.: The use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH. RFC 4543, May 2006
  58. [WC81]
    Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)
  59. [Wie99]
    Wiener, M. (ed.): CRYPTO 1999. LNCS, vol. 1666. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1
  60. [ZTG13]
    Zhu, B., Tan, Y., Gong, G.: Revisiting MAC forgeries, weak keys and provable security of Galois/Counter Mode of operation. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds.) CANS 2013. LNCS, vol. 8257, pp. 20–38. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-02937-5_2
  61. [ZW17]
    Zheng, K., Wang, P.: A uniform class of weak keys for universal hash functions. Cryptology ePrint Archive, Report 2017/436 (2017). http://eprint.iacr.org/2017/436

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. Visa Research, Palo Alto, USA
  2. imec-COSIC, KU Leuven, Leuven, Belgium
