Security analysis of GCM for communication
Version of Record online: 30 MAY 2013
Copyright © 2013 John Wiley & Sons, Ltd.
Security and Communication Networks
Volume 7, Issue 5, pages 854–864, May 2014
How to Cite
Yap, W.-S., Yeo, S. L., Heng, S.-H. and Henricksen, M. (2014), Security analysis of GCM for communication. Security Comm. Networks, 7: 854–864. doi: 10.1002/sec.798
- Issue online: 11 APR 2014
- Manuscript Accepted: 3 APR 2013
- Manuscript Revised: 13 MAR 2013
- Manuscript Received: 22 NOV 2012
- communication network;
- authenticated encryption;
- message authentication code;
- forgery attack;
- distinguishing attack;
- weak key attack
The Galois/Counter Mode of operation (GCM) is constructed by combining counter mode encryption with an authentication component (GTAG) to provide both privacy and authenticity. GTAG can also be used as a stand-alone message authentication code. In this paper, we analyze the security of GTAG and GCM with respect to forgery and distinguishing attacks. More precisely:
- We generalize the set of weak key classes proposed by Saarinen in FSE 2012 to include all subsets of nonzero keys. Hence, we remove the condition on the smoothness of 2^n − 1, where n denotes the block size, for the existence of weak key classes.
- By considering powers of suitable field elements and linearized polynomials, we further exploit some specific weak key classes to present a universal forgery attack on GTAG.
- By invoking the birthday paradox arguments, we show that a chosen message attack can be used to distinguish GTAG from a random function.
- To relax the assumptions required in the universal forgery attack, we show that we can utilize the uniqueness of the counter mode encryption to launch a known ciphertext attack against GCM itself when the initial vector is restricted to 96 bits.
The first three attacks can be applied to other Wegman–Carter polynomial message authentication codes. Copyright © 2013 John Wiley & Sons, Ltd.
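As an added illustration of the objects the abstract talks about (this is example code written for this page, not code from the paper or its authors), the following Python implements the polynomial hash GHASH that underlies GTAG, using the GF(2^128) multiplication of NIST SP 800-38D, and adds an audit helper that flags an authentication key H lying in a small subgroup, which is the structure behind the weak key classes of Saarinen and of this paper. The threshold `max_order`, the function names and the search helper `element_of_prime_order` are assumptions made for the example; the GCM test vector values in the usage call are the public SP 800-38D/McGrew–Viega test case 2 values.

```python
# Added example (not code from the paper): GHASH, the polynomial MAC inside
# GCM (GTAG in the abstract above), over GF(2^128) as in NIST SP 800-38D,
# plus a check for authentication keys H of small multiplicative order.

BLOCK_BITS = 128
# Reduction constant R = 11100001 || 0^120 from SP 800-38D, Algorithm 1.
R = 0xE1 << 120
# Multiplicative identity in GCM's bit-reflected representation: the block
# 10000000 || 0^120, i.e. the most significant bit set.
ONE = 1 << 127
GROUP_ORDER = 2**128 - 1
# Prime factorisation of 2^128 - 1; all nine factors are distinct.
FACTORS = [3, 5, 17, 257, 641, 65537, 274177, 6700417, 67280421310721]


def gf_mult(x: int, y: int) -> int:
    """Multiply two 128-bit blocks in GF(2^128), SP 800-38D Algorithm 1."""
    z, v = 0, y
    for i in range(BLOCK_BITS):
        # x_0 is the leftmost bit of the block, i.e. integer bit 127.
        if (x >> (127 - i)) & 1:
            z ^= v
        # Multiply v by the field element "x"; reduce when a bit falls off.
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf_pow(h: int, e: int) -> int:
    """h^e by square-and-multiply."""
    result, base = ONE, h
    while e:
        if e & 1:
            result = gf_mult(result, base)
        base = gf_mult(base, base)
        e >>= 1
    return result


def ghash(h: int, blocks: list[int]) -> int:
    """GHASH_H(X_1..X_m) = sum X_i * H^(m-i+1), evaluated Horner-style."""
    y = 0
    for block in blocks:
        y = gf_mult(y ^ block, h)
    return y


def multiplicative_order(h: int) -> int:
    """Exact order of nonzero h in the multiplicative group of GF(2^128)."""
    if h == 0:
        raise ValueError("0 has no multiplicative order")
    order = GROUP_ORDER
    for p in FACTORS:
        # Remove p from the order while h still vanishes at the reduced exponent.
        while order % p == 0 and gf_pow(h, order // p) == ONE:
            order //= p
    return order


def is_weak_authentication_key(h: int, max_order: int = 2**32) -> bool:
    """Flag H = 0 (every input hashes to 0) and H of small order.

    max_order is an assumed policy threshold, not a value from the paper.
    An H of order m satisfies H^(i+m) = H^i, so block positions i and i+m
    contribute to the tag interchangeably; that periodicity is what the
    weak key classes exploit.
    """
    return h == 0 or multiplicative_order(h) <= max_order


def element_of_prime_order(p: int) -> int:
    """Deterministic search for an element of order p (p in FACTORS).

    g^((2^128-1)/p) has order exactly p unless it equals ONE, which happens
    only when g is a p-th power (1/p of the group), so the loop ends fast.
    Used here only to exercise the weak-key check with a known-weak H.
    """
    exponent = GROUP_ORDER // p
    g = 1 << 126  # the field element "x" in GCM's representation
    while True:
        candidate = gf_pow(g, exponent)
        if candidate != ONE:
            return candidate
        g += 1  # next candidate; every value tried is a distinct nonzero element


if __name__ == "__main__":
    # SP 800-38D / McGrew-Viega test case 2: H = AES_0(0), C = one block,
    # length block = len(A)=0 || len(C)=128 bits.
    H = int.from_bytes(bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e"), "big")
    C = int.from_bytes(bytes.fromhex("0388dace60b6a392f328c2b971b2fe78"), "big")
    print(f"GHASH(H, C) = {ghash(H, [C, 128]):032x}")
    print(f"order(H) divides 2^128-1: {GROUP_ORDER % multiplicative_order(H) == 0}")
    w = element_of_prime_order(3)
    print(f"order-3 key weak: {is_weak_authentication_key(w)}")
```

The order computation costs at most nine exponentiations because 2^128 − 1 is squarefree, so auditing a candidate H is cheap; for a real GCM deployment H = E_K(0^128) is derived from the block cipher and the probability of landing in a small subgroup is negligible, which is why the paper's contribution is the structural generalization of these classes rather than a practical key-screening problem.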