Paper 2013/157

The fragility of AES-GCM authentication algorithm

Shay Gueron and Vlad Krasnov

Abstract

A new implementation of the GHASH function has been recently committed to a Git version of OpenSSL, to speed up AES-GCM. We identified a bug in that implementation, and made sure it was quickly fixed before trickling into an official OpenSSL trunk. Here, we use this (already fixed) bug as a real example that demonstrates the fragility of AES-GCM’s authentication algorithm (GHASH). One might expect that incorrect MAC tag generation would only cause legitimate message-tag pairs to fail authentication (which is already a serious problem). However, since GHASH is a “polynomial evaluation” MAC, the bug can be exploited for actual message forgery.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Unknown where it was published
Keywords
AES-GCM, GHASH, polynomial evaluation MAC, message forgery, OpenSSL
Contact author(s)
shay @ math haifa ac il
History
2013-03-26: received
Short URL
https://ia.cr/2013/157
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2013/157,
      author = {Shay Gueron and Vlad Krasnov},
      title = {The fragility of AES-GCM authentication algorithm},
      howpublished = {Cryptology ePrint Archive, Paper 2013/157},
      year = {2013},
      note = {\url{https://eprint.iacr.org/2013/157}},
      url = {https://eprint.iacr.org/2013/157}
}