Security analysis of GCM for communication
Journal
Security and Communication Networks
ISSN
1939-0114
Date Issued
2013-05-30
Author(s)
Sze Ling Yeo
Swee‐Huay Heng
Matt Henricksen
DOI
http://onlinelibrary.wiley.com/doi/10.1002/sec.798
Abstract
The Galois/Counter Mode of operation (GCM) is constructed by combining the counter mode encryption and the authentication component (i.e., GTAG) to provide both privacy and authenticity. GTAG can be used as a stand-alone message authentication code. In this paper, we analyze the security of GTAG and GCM with respect to forgery and distinguishing attacks. More precisely,
- We generalize the set of weak key classes proposed by Saarinen in FSE 2012 to include all subsets of nonzero keys. Hence, we remove the condition on the smoothness of 2^n − 1, where n denotes the block size, for the existence of weak key classes.
- By considering powers of suitable field elements and linearized polynomials, we further exploit some specific weak key classes to present a universal forgery attack on GTAG.
- By invoking birthday paradox arguments, we show that a chosen message attack can be used to distinguish GTAG from a random function.
- To relax the assumptions required in the universal forgery attack, we show that we can utilize the uniqueness of the counter mode encryption to launch a known ciphertext attack against GCM itself when the initial vector is restricted to 96 bits.
The first three attacks can be applied to other Wegman–Carter polynomial message authentication codes. Copyright © 2013 John Wiley & Sons, Ltd.
File(s)
Name
Picture1.png
Type
personal picture
Size
3.11 KB
Format
PNG
Checksum
(MD5):21881560e0c3c9c06b18c6e8fdc11acf
