Cryptology ePrint Archive: Report 2015/477

Authentication Key Recovery on Galois Counter Mode (GCM)

John Mattsson, Magnus Westerlund

Abstract: GCM is used in a vast number of security protocols and is quickly becoming the de facto mode of operation for block ciphers due to its exceptional performance. In this paper we analyze the NIST standardized version (SP 800-38D) of GCM, and in particular the use of short tag lengths. We show that feedback on successful or unsuccessful forgery attempts is almost always possible, contradicting the NIST assumptions for short tags. We also provide a complexity estimation of Ferguson's authentication key recovery method on short tags, and suggest several novel improvements to Ferguson's attacks that significantly reduce the security level for short tags. We show that for many truncated tag sizes, the security levels are far below not only the current NIST requirement of 112-bit security, but also the old NIST requirement of 80-bit security. We therefore strongly recommend that NIST revise SP 800-38D.

Category / Keywords: secret-key cryptography / Secret-key Cryptography, Message Authentication Codes, Block Ciphers, Cryptanalysis, Galois/Counter Mode, GCM, Authentication Key Recovery, AES-GCM, Suite B

Original Publication (with minor differences): Progress in Cryptology - AFRICACRYPT 2016

Date: received 19 May 2015, last revised 19 Apr 2016

Contact author: john mattsson at ericsson com


Version: 20160419:162323
