Paper 2015/477
Authentication Key Recovery on Galois Counter Mode (GCM)
Abstract
GCM is used in a vast amount of security protocols and is quickly becoming the de facto mode of operation for block ciphers due to its exceptional performance. In this paper we analyze the NIST standardized version (SP 800-38D) of GCM, and in particular the use of short tag lengths. We show that feedback of successful or unsuccessful forgery attempts is almost always possible, contradicting the NIST assumptions for short tags. We also provide a complexity estimation of Ferguson's authentication key recovery method on short tags, and suggest several novel improvements to Ferguson's attacks that significantly reduce the security level for short tags. We show that for many truncated tag sizes, the security levels are far below not only the current NIST requirement of 112-bit security, but also the old NIST requirement of 80-bit security. We therefore strongly recommend NIST to revise SP 800-38D.
Metadata
- Category
- Secret-key cryptography
- Publication info
- Published elsewhere. Minor revision. Progress in Cryptology – AFRICACRYPT 2016
- DOI
- 10.1007/978-3-319-31517-1_7
- Keywords
- Secret-key Cryptography, Message Authentication Codes, Block Ciphers, Cryptanalysis, Galois Counter Mode, GCM, Authentication Key Recovery, AES-GCM, Suite B
- Contact author(s)
- john mattsson @ ericsson com
- History
- 2024-02-25: last of 4 revisions
- 2015-05-19: received
- Short URL
- https://ia.cr/2015/477
- License
- CC BY
BibTeX
@misc{cryptoeprint:2015/477, author = {John Mattsson and Magnus Westerlund}, title = {Authentication Key Recovery on Galois Counter Mode ({GCM})}, howpublished = {Cryptology {ePrint} Archive, Paper 2015/477}, year = {2015}, doi = {10.1007/978-3-319-31517-1_7}, url = {https://eprint.iacr.org/2015/477} }