Skip to main content

Advertisement

SpringerLink
Log in
Menu
Find a journal Publish with us
Search
Cart
Book cover

International Workshop on Fast Software Encryption

FSE 2012: Fast Software Encryption pp 216–225Cite as

  1. Home
  2. Fast Software Encryption
  3. Conference paper
Cycling Attacks on GCM, GHASH and Other Polynomial MACs and Hashes

Cycling Attacks on GCM, GHASH and Other Polynomial MACs and Hashes

  • Markku-Juhani Olavi Saarinen17 
  • Conference paper
  • 2010 Accesses

  • 42 Citations

Part of the Lecture Notes in Computer Science book series (LNSC,volume 7549)

Abstract

The Galois/Counter Mode (GCM) of operation has been standardized by NIST to provide single-pass authenticated encryption. The GHASH authentication component of GCM belongs to a class of Wegman-Carter polynomial hashes that operate in the field GF(2128). We present message forgery attacks that are made possible by its extremely smooth-order multiplicative group which splits into 512 subgroups. GCM uses the same block cipher key K to both encrypt data and to derive the generator H of the authentication polynomial for GHASH. In present literature, only the trivial weak key H = 0 has been considered. We show that GHASH has much wider classes of weak keys in its 512 multiplicative subgroups, analyze some of their properties, and give experimental results on AES-GCM weak key search. Our attacks can be used not only to bypass message authentication with garbage but also to target specific plaintext bits if a polynomial MAC is used in conjunction with a stream cipher. These attacks can also be applied with varying efficiency to other polynomial hashes and MACs, depending on their field properties. Our findings show that especially the use of short polynomial-evaluation MACs should be avoided if the underlying field has a smooth multiplicative order.

Keywords

  • Cryptanalysis
  • Galois/Counter Mode
  • AES-GCM
  • Cycling Attacks
  • Weak Keys

Download conference paper PDF

References

  1. NIST: Recommendation for block cipher modes of operation: Galois/counter mode (GCM) and GMAC. NIST Special Publication 800-38D (2007)

    Google Scholar 

  2. NIST: The advanced encryption standard (AES). FIPS Publication 197 (2001)

    Google Scholar 

  3. Bellare, M., Canetti, R., Krawczyk, H.: Keying Hash Functions for Message Authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)

    Google Scholar 

  4. Igoe, K., Solinas, J.: AES Galois counter mode for the secure shell transport layer protocol. IETF Request for Comments 5647 (2009)

    Google Scholar 

  5. Law, L., Solinas, J.: Suite B cryptographic suites for IPsec. IETF Request for Comments 4869 (2007)

    Google Scholar 

  6. Salter, M., Rescorla, E., Housley, R.: Suite B profile for transport layer security (TLS). IETF Request for Comments 5430 (2009)

    Google Scholar 

  7. Wegman, M.N., Carter, J.L.: New classes and applications of hash functions. In: 20th Annual Symposium on Foundations of Computer Science. IEEE Computer Society Press, New York (1979)

    Google Scholar 

  8. Wegman, M.N., Carter, J.L.: New hash functions and their use in authentication and set equality. Journal of Computer and System Sciences 22, 265–279 (1981)

    CrossRef  MathSciNet  MATH  Google Scholar 

  9. den Boer, B.: A simple and key-economical unconditional authentication scheme. Journal of Computer Security 2, 65–71 (1993)

    Google Scholar 

  10. Taylor, R.: An Integrity Check Value Algorithm for Stream Ciphers. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 40–48. Springer, Heidelberg (1994)

    CrossRef  Google Scholar 

  11. Bierbrauer, J., Johansson, T., Kabatianskii, G., Smeets, B.: On Families of Hash Functions via Geometric Codes and Concatenation. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 331–342. Springer, Heidelberg (1994)

    CrossRef  Google Scholar 

  12. Bernstein, D.J.: Stronger Security Bounds for Wegman-Carter-Shoup Authenticators. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 164–180. Springer, Heidelberg (2005)

    CrossRef  Google Scholar 

  13. Bernstein, D.J.: The Poly1305-AES Message-Authentication Code. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 32–49. Springer, Heidelberg (2005)

    CrossRef  Google Scholar 

  14. Sarkar, P.: A trade-off between collision probability and key size in universal hashing using polynomials. Designs, Codes and Cryptography 58(3), 271–278 (2011)

    CrossRef  MathSciNet  MATH  Google Scholar 

  15. Joux, A.: Authentication failures in NIST version of GCM. NIST Comment (2006)

    Google Scholar 

  16. Handschuh, H., Preneel, B.: Key-Recovery Attacks on Universal Hash Function Based MAC Algorithms. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 144–161. Springer, Heidelberg (2008)

    CrossRef  Google Scholar 

  17. Pohlig, S., Hellman, M.: An improved algorithm for computing logarithms over GF(p) and its cryptographic significance. IEEE Transactions on Information Theory 24(1), 106–110 (1978)

    CrossRef  MathSciNet  MATH  Google Scholar 

  18. Ferguson, N.: Authentication weaknesses in GCM. NIST Comment (May 2005)

    Google Scholar 

  19. Bernstein, D.J.: Floating-point arithmetic and message authentication (1999), http://cr.yp.to/papers.html#hash127

  20. McGrew, D.A., Viega, J.: The Galois/counter mode of operation (GCM). Submission to NIST (2005)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Revere Security, 4500 Westgrove Drive, Suite 335, Addison, TX, 75001, USA

    Markku-Juhani Olavi Saarinen

Authors
  1. Markku-Juhani Olavi Saarinen
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. INRIA Paris-Rocquencourt, B.P. 105, 78153, Le Chesnay, France

    Anne Canteaut

Rights and permissions

Reprints and Permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Saarinen, MJ.O. (2012). Cycling Attacks on GCM, GHASH and Other Polynomial MACs and Hashes. In: Canteaut, A. (eds) Fast Software Encryption. FSE 2012. Lecture Notes in Computer Science, vol 7549. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34047-5_13

Download citation

  • .RIS
  • .ENW
  • .BIB
  • DOI: https://doi.org/10.1007/978-3-642-34047-5_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-34046-8

  • Online ISBN: 978-3-642-34047-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Share this paper

Anyone you share the following link with will be able to read this content:

Sorry, a shareable link is not currently available for this article.

Provided by the Springer Nature SharedIt content-sharing initiative

Search

Navigation

  • Find a journal
  • Publish with us

Discover content

  • Journals A-Z
  • Books A-Z

Publish with us

  • Publish your research
  • Open access publishing

Products and services

  • Our products
  • Librarians
  • Societies
  • Partners and advertisers

Our imprints

  • Springer
  • Nature Portfolio
  • BMC
  • Palgrave Macmillan
  • Apress
  • Your US state privacy rights
  • Accessibility statement
  • Terms and conditions
  • Privacy policy
  • Help and support

167.114.118.210

Not affiliated

Springer Nature

© 2023 Springer Nature