You are looking at a specific version 20130326:134653 of this paper.
See the latest version.
Paper 2013/157
The fragility of AES-GCM authentication algorithm
Shay Gueron and Vlad Krasnov
Abstract
A new implementation of the GHASH function has been recently committed to a Git version of OpenSSL, to speed up AES-GCM. We identified a bug in that implementation, and made sure it was quickly fixed before trickling into an official OpenSSL trunk. Here, we use this (already fixed) bug as a real example that demonstrates the fragility of AES-GCM’s authentication algorithm (GHASH). One might expect that incorrect MAC tag generation would only cause legitimate message-tag pairs to fail authentication (which is already a serious problem). However, since GHASH is a “polynomial evaluation” MAC, the bug can be exploited for actual message forgery.
Metadata
- Available format(s)
- Publication info
- Published elsewhere. Unknown where it was published
- Keywords
- AES-GCMGHASHpolynomial evaluation MACmessage forgeryOpenSSL
- Contact author(s)
- shay @ math haifa ac il
- History
- 2013-03-26: received
- Short URL
- https://ia.cr/2013/157
- License
-
CC BY