Breaking and Repairing GCM Security Proofs

  • Tetsu Iwata (corresponding author)
  • Keisuke Ohashi
  • Kazuhiko Minematsu
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7417)


In this paper, we study the security proofs of GCM (Galois/Counter Mode of Operation). We first point out that a lemma, which is related to the upper bound on the probability of a counter collision, is invalid. Both the original privacy and authenticity proofs by the designers are based on this lemma. We further show that the observation can be translated into a distinguishing attack that invalidates the main part of the privacy proof. It turns out that the original security proofs of GCM contain a flaw, and hence the claimed security bounds are not justified. A very natural question is then whether the proofs can be repaired. We give an affirmative answer to the question by presenting new security bounds, both for privacy and authenticity. As a result, although the security bounds are larger than those previously claimed, GCM maintains its provable security. We also show that, when the nonce length is restricted to 96 bits, GCM has better security bounds than in the general case of variable-length nonces.
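The counter collisions the abstract refers to arise because, for nonces that are not 96 bits long, GCM derives the initial counter block J0 = GHASH_H(N) from the hash key H, whereas a 96-bit nonce is simply padded with a 32-bit counter. The following added example (not code from the paper or from any GCM implementation) follows the counter derivation of NIST SP 800-38D and checks whether two encryptions under distinct nonces share a counter block; the hash key values used are constructed toy values chosen to make the H-dependence visible, not keys from any real system.

```python
# Added example: GCM counter-block derivation (NIST SP 800-38D) and a check
# for cross-nonce counter collisions. Hash keys H used here are constructed
# toy values (e.g. the field identity), not keys from any real deployment.

R = 0xE1000000000000000000000000000000  # GCM reduction constant

def gf_mult(x: int, y: int) -> int:
    """Multiply two 128-bit field elements using GCM's bit ordering."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:   # x_i, with bit 0 the leftmost bit
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def ghash(h: int, data: bytes) -> int:
    """GHASH_H over data, which must be a whole number of 16-byte blocks."""
    y = 0
    for i in range(0, len(data), 16):
        y = gf_mult(y ^ int.from_bytes(data[i:i + 16], "big"), h)
    return y

def j0(h: int, nonce: bytes) -> int:
    """Initial counter block J0 (SP 800-38D, Algorithm 4, step 2)."""
    if len(nonce) == 12:           # 96-bit nonce: J0 does not depend on H
        return (int.from_bytes(nonce, "big") << 32) | 1
    padded = nonce + b"\x00" * ((16 - len(nonce) % 16) % 16)
    padded += (0).to_bytes(8, "big") + (8 * len(nonce)).to_bytes(8, "big")
    return ghash(h, padded)        # any other length: J0 = GHASH_H(N || pad || len)

def counter_blocks(h: int, nonce: bytes, nblocks: int) -> set:
    """Counter blocks inc32^i(J0), i = 1..nblocks, used to encrypt the payload."""
    start = j0(h, nonce)
    hi, lo = start >> 32, start & 0xFFFFFFFF
    return {(hi << 32) | ((lo + i) & 0xFFFFFFFF) for i in range(1, nblocks + 1)}

def counters_collide(h: int, n1: bytes, n2: bytes, nblocks: int) -> bool:
    """True if encryptions of nblocks blocks under n1 and n2 share a counter block."""
    return bool(counter_blocks(h, n1, nblocks) & counter_blocks(h, n2, nblocks))
```

For two distinct 96-bit nonces the 96-bit prefixes differ, so no overlap is possible regardless of H; for other lengths the prefixes are GHASH outputs, so overlap depends on H, which is why the paper treats the two cases separately.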


Keywords: GCM, counter-example, distinguishing attack, proof of security



Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Tetsu Iwata (corresponding author), Nagoya University, Nagoya, Japan
  • Keisuke Ohashi, Nagoya University, Nagoya, Japan
  • Kazuhiko Minematsu, NEC Corporation, Tokyo, Japan
