Security analysis of GCM for communication

Authors: Wun-She Yap, Sze Ling Yeo, Swee-Huay Heng, Matt Henricksen
Type: journal article
Published: 2013-05-30
Record dates: 2024-11-11, 2024-11-11
Publisher version: http://onlinelibrary.wiley.com/doi/10.1002/sec.798
Repository record: https://dspace-cris.utar.edu.my/handle/123456789/6546

ABSTRACT

The Galois/Counter Mode of operation (GCM) combines counter mode encryption with an authentication component (GTAG) to provide both privacy and authenticity. GTAG can also be used as a stand-alone message authentication code. In this paper, we analyze the security of GTAG and GCM with respect to forgery and distinguishing attacks. More precisely:

- We generalize the set of weak key classes proposed by Saarinen at FSE 2012 to include all subsets of nonzero keys. Hence, we remove the condition that 2^n − 1 be smooth, where n denotes the block size, for weak key classes to exist.
- By considering powers of suitable field elements and linearized polynomials, we further exploit some specific weak key classes to present a universal forgery attack on GTAG.
- By invoking birthday paradox arguments, we show that a chosen message attack can be used to distinguish GTAG from a random function.
- To relax the assumptions required by the universal forgery attack, we show that the uniqueness of counter mode encryption can be used to launch a known ciphertext attack against GCM itself when the initial vector is restricted to 96 bits.

The first three attacks can be applied to other Wegman–Carter polynomial message authentication codes. Copyright © 2013 John Wiley & Sons, Ltd.