The Galois/Counter Mode of operation (GCM) is constructed by combining counter mode encryption with an authentication component (i.e., GTAG) to provide both privacy and authenticity. GTAG can also be used as a stand-alone message authentication code. In this paper, we analyze the security of GTAG and GCM with respect to forgery and distinguishing attacks. More precisely:
We generalize the set of weak key classes proposed by Saarinen at FSE 2012 to include all subsets of nonzero keys. Hence, we remove the condition on the smoothness of 2^n − 1, where n denotes the block size, for the existence of weak key classes.
By considering powers of suitable field elements and linearized polynomials, we further exploit some specific weak key classes to present a universal forgery attack on GTAG.
By invoking the birthday paradox arguments, we show that a chosen message attack can be used to distinguish GTAG from a random function.
To relax the assumptions required by the universal forgery attack, we show that the uniqueness of the counter mode encryption can be used to launch a known ciphertext attack against GCM itself when the initialization vector is restricted to 96 bits.
The first three attacks can be applied to other Wegman–Carter polynomial message authentication codes.

Copyright © 2013 John Wiley & Sons, Ltd.
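As an added illustration (not code from the paper), the following Python implements GHASH over GF(2^128) in GCM's bit ordering together with a check of the hash subkey's multiplicative order, which is what the weak key classes above hinge on: a subkey whose order t divides 2^128 − 1 and is smaller than the message length bound makes GHASH indifferent to swapping blocks t positions apart. Assumptions: 128-bit blocks are Python ints whose most significant bit is the block's leftmost bit, the padding and length block of the full GHASH are omitted, GTAG is taken to be this polynomial hash, and `subkey_of_order` exists only to produce a deliberately weak subkey for exercising the check.

```python
R = 0xE1 << 120                  # x^128 + x^7 + x^2 + x + 1 in GCM bit order
ONE = 1 << 127                   # the field element 1 (x^0 is the leftmost bit)
GROUP_ORDER = (1 << 128) - 1     # = F0*F1*...*F6 (Fermat numbers), fully factored below
PRIME_FACTORS = [3, 5, 17, 257, 641, 65537, 274177, 6700417, 67280421310721]

def gf_mul(x: int, y: int) -> int:
    """Multiply in GF(2^128) as in NIST SP 800-38D, Algorithm 1."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def gf_pow(x: int, e: int) -> int:
    """Square-and-multiply exponentiation in GF(2^128)."""
    result, base = ONE, x
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def ghash(h: int, blocks: list) -> int:
    """GHASH_H(X_1..X_m) = sum_i X_i * H^(m-i+1); padding and length block omitted."""
    y = 0
    for b in blocks:
        y = gf_mul(y ^ b, h)
    return y

def element_order(h: int) -> int:
    """Multiplicative order of H; 0 for the all-zero subkey (every tag becomes 0)."""
    if h == 0:
        return 0
    order = GROUP_ORDER
    for p in PRIME_FACTORS:      # divide out p while H^(order/p) is still 1
        while order % p == 0 and gf_pow(h, order // p) == ONE:
            order //= p
    return order

def is_weak_subkey(h: int, max_blocks: int = 1 << 32) -> bool:
    """If ord(H) = t is below the message length bound, H^(m-i+1) == H^(m-j+1) whenever
    t divides j - i, so swapping blocks i and j leaves the GHASH value unchanged."""
    return element_order(h) < max_blocks

def subkey_of_order(t: int) -> int:
    """Subkey of exact order t (t | 2^128 - 1); only used to exercise the check."""
    candidates = (gf_pow(s, GROUP_ORDER // t) for s in range(2, 1000))
    return next(h for h in candidates if element_order(h) == t)
```

Because the check compares ord(H) against the message length bound rather than against a fixed list of orders, it covers every divisor of 2^128 − 1 below that bound, not only the small prime factors.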