Cryptology ePrint Archive: Report 2012/438

Breaking and Repairing GCM Security Proofs

Tetsu Iwata and Keisuke Ohashi and Kazuhiko Minematsu

Abstract: In this paper, we study the security proofs of GCM (Galois/Counter Mode of Operation). We first point out that a lemma, which is related to the upper bound on the probability of a counter collision, is invalid. Both the original privacy and authenticity proofs by the designers are based on the lemma. We further show that the observation can be translated into a distinguishing attack that invalidates the main part of the privacy proof. It turns out that the original security proofs of GCM contain a flaw, and hence the claimed security bounds are not justified. A very natural question is then whether the proofs can be repaired. We give an affirmative answer to the question by presenting new security bounds, both for privacy and authenticity. As a result, although the security bounds are larger than what were previously claimed, GCM maintains its provable security. We also show that, when the nonce length is restricted to 96 bits, GCM has better security bounds than a general case of variable length nonces.

Category / Keywords: secret-key cryptography / GCM, counter-example, distinguishing attack, proof of security

Publication Info: A preliminary version appears in the proceedings of CRYPTO 2012. This is the full version.

Date: received 1 Aug 2012

Contact author: iwata at cse nagoya-u ac jp

Available format(s): PDF | BibTeX Citation

Version: 20120805:175128 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]