Cryptology ePrint Archive: Report 2015/477
Authentication Key Recovery in Galois/Counter Mode (GCM)
John Mattsson
Abstract: GCM is used in a vast number of security protocols and is quickly becoming the de facto mode of operation for block ciphers. In this paper we suggest several novel improvements to Ferguson's authentication key recovery method and show that for many truncated tag sizes, the security levels are far below not only the current NIST requirement of 112-bit security, but also the old NIST requirement of 80-bit security. We therefore strongly recommend that NIST revise SP 800-38D.
Category / Keywords: secret-key cryptography / Secret-key Cryptography, Message Authentication Codes, Block Ciphers, Cryptanalysis, Galois/Counter Mode, GCM, Authentication Key Recovery, AES-GCM, Suite B
Date: received 19 May 2015
Contact author: john mattsson at ericsson com
Version: 20150519:210552 (All versions of this report)
Short URL: ia.cr/2015/477