On Weak Keys and Forgery Attacks Against Polynomial-Based MAC Schemes

Conference paper

DOI: 10.1007/978-3-662-43933-3_15

Part of the Lecture Notes in Computer Science book series (LNCS, volume 8424)
Cite this paper as:
Procter G., Cid C. (2014) On Weak Keys and Forgery Attacks Against Polynomial-Based MAC Schemes. In: Moriai S. (eds) Fast Software Encryption. FSE 2013. Lecture Notes in Computer Science, vol 8424. Springer, Berlin, Heidelberg

Abstract

Universal hash functions are commonly used primitives for fast and secure message authentication in the form of Message Authentication Codes (MACs) or Authenticated Encryption with Associated Data (AEAD) schemes. These schemes are widely used and standardised, the most well known being McGrew and Viega’s Galois/Counter Mode (GCM). In this paper we identify some properties of hash functions based on polynomial evaluation that arise from the underlying algebraic structure. As a result we are able to describe a general forgery attack, of which Saarinen’s cycling attack from FSE 2012 is a special case. Our attack removes the requirement for long messages and applies regardless of the field in which the hash function is evaluated. Furthermore we provide a common description of all published attacks against GCM, by showing that the existing attacks are the result of these algebraic properties of the polynomial-based hash function. Finally, we greatly expand the number of known weak GCM keys and show that almost every subset of the keyspace is a weak key class.

Keywords

Universal hashing MAC Galois/Counter Mode Cycling attacks Weak keys 

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  1. 1.Information Security Group, Royal HollowayUniversity of LondonLondonUK

Personalised recommendations