On Weak Keys and Forgery Attacks Against Polynomial-Based MAC Schemes

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8424)


Universal hash functions are commonly used primitives for fast and secure message authentication in the form of Message Authentication Codes (MACs) or Authenticated Encryption with Associated Data (AEAD) schemes. These schemes are widely used and standardised, the most well known being McGrew and Viega’s Galois/Counter Mode (GCM). In this paper we identify some properties of hash functions based on polynomial evaluation that arise from the underlying algebraic structure. As a result we are able to describe a general forgery attack, of which Saarinen’s cycling attack from FSE 2012 is a special case. Our attack removes the requirement for long messages and applies regardless of the field in which the hash function is evaluated. Furthermore we provide a common description of all published attacks against GCM, by showing that the existing attacks are the result of these algebraic properties of the polynomial-based hash function. Finally, we greatly expand the number of known weak GCM keys and show that almost every subset of the keyspace is a weak key class.
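As an added example (not the paper's code), the following Python writes GHASH both in its specified Horner form and as the explicit polynomial evaluation at the hash key H that the abstract refers to, and computes the exact multiplicative order of a hash key, the property by which the weak keys of Saarinen's cycling attack are defined. The GF(2^128) arithmetic (NIST SP 800-38D, Algorithm 1), the factorisation of 2^128 - 1 and all sample inputs are assumptions of this example, not values from the paper.

```python
# Added example, not code from the paper: GHASH over GF(2^128) written two ways, showing
# the tag is a polynomial in the key H, plus ord(H), which defines the cycling-attack weak keys.
R = 0xE1 << 120    # reduction constant for x^128 + x^7 + x^2 + x + 1
ONE = 1 << 127     # field element 1: coefficient of x^0 is the leftmost bit
def gf_mul(x: int, y: int) -> int:   # SP 800-38D, Algorithm 1
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:        # bit i of x, leftmost bit first
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def gf_pow(x: int, e: int) -> int:   # x**e by square-and-multiply
    result, base = ONE, x
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base, e = gf_mul(base, base), e >> 1
    return result

def ghash(h: int, blocks: list) -> int:
    """GHASH as specified: Horner form Y_i = (Y_{i-1} xor X_i) * H."""
    y = 0
    for x in blocks:
        y = gf_mul(y ^ x, h)
    return y

def ghash_as_polynomial(h: int, blocks: list) -> int:
    """Same value as sum_i X_i * H^(m+1-i): blocks are coefficients, H the point."""
    m, acc = len(blocks), 0
    for i, x in enumerate(blocks, start=1):
        acc ^= gf_mul(x, gf_pow(h, m + 1 - i))
    return acc

GROUP_ORDER = 2**128 - 1   # |GF(2^128)*|, squarefree with these prime factors
PRIMES = [3, 5, 17, 257, 641, 65537, 274177, 6700417, 67280421310721]

def multiplicative_order(h: int) -> int:
    """ord(H) = product of the primes p with H^((2^128-1)/p) != 1 (needs h != 0)."""
    order = 1
    for p in PRIMES:
        if gf_pow(h, GROUP_ORDER // p) != ONE:
            order *= p
    return order

def element_of_order(p: int) -> int:
    """Constructed key of prime order p: first x^k with (x^k)^((2^128-1)/p) != 1."""
    powers = (gf_pow(1 << (127 - k), GROUP_ORDER // p) for k in range(1, 128))
    return next(e for e in powers if e != ONE)
```

A key of small order makes the powers H, H^2, ... cycle after few steps, which is the structure the cycling attack exploits; the paper's general attack applies to far larger key classes than this check covers.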


Keywords: Universal hashing · MAC · Galois/Counter Mode · Cycling attacks · Weak keys


References

1. Berlekamp, E.R.: Factoring polynomials over large finite fields. Math. Comput. 24(111), 713–735 (1970)
2. Bernstein, D.J.: The Poly1305-AES message-authentication code. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 32–49. Springer, Heidelberg (2005)
3. Bernstein, D.J.: The Poly1305-AES message-authentication code. Slides from FSE (2005). http://cr.yp.to/talks/2005.02.21-1/slides.pdf
4. Bernstein, D.J.: Stronger security bounds for Wegman-Carter-Shoup authenticators. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 164–180. Springer, Heidelberg (2005)
5. Bierbrauer, J., Johansson, T., Kabatianskii, G., Smeets, B.: On families of hash functions via geometric codes and concatenation. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 331–342. Springer, Heidelberg (1994)
6. Black, J., Cochran, M.: MAC reforgeability. Cryptology ePrint Archive, report 2006/095 (2006)
7. Black, J., Cochran, M.: MAC reforgeability. In: Dunkelman, O. (ed.) FSE 2009. LNCS, vol. 5665, pp. 345–362. Springer, Heidelberg (2009)
8. Black, J., Halevi, S., Krawczyk, H., Krovetz, T., Rogaway, P.: UMAC: fast and secure message authentication. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 216–233. Springer, Heidelberg (1999)
9. Brassard, G.: On computationally secure authentication tags requiring short secret shared keys. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) CRYPTO, pp. 79–86. Plenum Press, New York (1982)
10. Carter, L., Wegman, M.N.: Universal classes of hash functions (extended abstract). In: Hopcroft, J.E., Friedman, E.P., Harrison, M.A. (eds.) STOC, pp. 106–112. ACM (1977)
11. Carter, L., Wegman, M.N.: Universal classes of hash functions. J. Comput. Syst. Sci. 18(2), 143–154 (1979)
12. den Boer, B.: A simple and key-economical unconditional authentication scheme. J. Comput. Secur. 2, 65–72 (1993)
13. Dworkin, M.: Recommendation for block cipher modes of operation: Galois/Counter Mode (GCM) and GMAC. NIST Special Publication 800-38D, NIST, Nov 2007
14. MacWilliams, F.J., Gilbert, E.N., Sloane, N.J.A.: Codes which detect deception. Technical report 3, Bell Sys. Tech. J., Mar 1974
15. Ferguson, N.: Authentication weaknesses in GCM. Comments submitted to NIST Modes of Operation Process (2005)
16. Handschuh, H., Preneel, B.: Key-recovery attacks on universal hash function based MAC algorithms. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 144–161. Springer, Heidelberg (2008)
17. Igoe, K., Solinas, J.: AES Galois Counter Mode for the secure shell transport layer protocol. IETF Request for Comments 5647 (2009)
18. Iwata, T., Ohashi, K., Minematsu, K.: Breaking and repairing GCM security proofs. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 31–49. Springer, Heidelberg (2012)
19. Joux, A.: Authentication failures in NIST version of GCM. Comments submitted to NIST Modes of Operation Process (2006)
20. Kohno, T., Viega, J., Whiting, D.: CWC: a high-performance conventional authenticated encryption mode. In: Roy, B., Meier, W. (eds.) FSE 2004. LNCS, vol. 3017, pp. 408–426. Springer, Heidelberg (2004)
21. Krawczyk, H.: LFSR-based hashing and authentication. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 129–139. Springer, Heidelberg (1994)
22. Law, L., Solinas, J.: Suite B cryptographic suites for IPsec. IETF Request for Comments 6379 (2011)
23. Lidl, R., Niederreiter, H.: Finite Fields, vol. 20, 2nd edn. Encyclopedia of Mathematics and its Applications. Cambridge University Press, Cambridge (1997)
24. McGrew, D.A., Viega, J.: The security and performance of the Galois/Counter Mode (GCM) of operation. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 343–355. Springer, Heidelberg (2004)
25. McGrew, D.A., Fluhrer, S.R.: Multiple forgery attacks against message authentication codes. Comments submitted to NIST on the Choice Between CWC or GCM (2005)
26. McGrew, D.A., Viega, J.: The Galois/Counter Mode of operation (GCM). Submission to NIST Modes of Operation Process, May 2005
27. Rabin, M.O.: Fingerprinting with random polynomials. Technical report (1981)
28. Rogaway, P.: Authenticated-encryption with associated-data. In: Atluri, V. (ed.) ACM Conference on Computer and Communications Security, pp. 98–107. ACM (2002)
29. Saarinen, M.-J.O.: Cycling attacks on GCM, GHASH and other polynomial MACs and hashes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 216–225. Springer, Heidelberg (2012)
30. Saarinen, M.-J.O.: SGCM: the Sophie Germain Counter Mode. Cryptology ePrint Archive, report 2012/326 (2012)
31. Salter, M., Housley, R.: Suite B profile for transport layer security (TLS). IETF Request for Comments 6460 (2011)
32. Shoup, V.: On fast and provably secure message authentication based on universal hashing. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 313–328. Springer, Heidelberg (1996)
33. Simmons, G.J.: Contemporary Cryptology: The Science of Information Integrity. IEEE Press, Piscataway (1992)
34. Stinson, D.R.: Universal hashing and authentication codes. Des. Codes Crypt. 4(3), 369–380 (1994)
35. Stinson, D.R.: On the connections between universal hashing, combinatorial designs and error-correcting codes. Electron. Colloquium Comput. Complexity (ECCC) 2(52), 1–24 (1995)
36. Taylor, R.: Near optimal unconditionally secure authentication. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 244–253. Springer, Heidelberg (1995)
37. von zur Gathen, J., Gerhard, J.: Modern Computer Algebra, 2nd edn. Cambridge University Press, Cambridge (2003)
38. Wegman, M.N., Carter, L.: New classes and applications of hash functions. In: FOCS, pp. 175–182. IEEE Computer Society (1979)
39. Wegman, M.N., Carter, L.: New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)
40. Aoki, K., Yasuda, K.: The security and performance of “GCM” when short multiplications are used instead. In: Kutyłowski, M., Yung, M. (eds.) Inscrypt 2012. LNCS, vol. 7763, pp. 225–245. Springer, Heidelberg (2013)

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

Information Security Group, Royal Holloway, University of London, London, UK
