eprint.iacr.org will be offline for approximately an hour for routine maintenance at 11pm UTC on Tuesday, April 16. We lost some data between April 12 and April 14, and some authors have been notified that they need to resubmit their papers.
You are looking at a specific version 20130326:134653 of this paper. See the latest version.

Paper 2013/157

The fragility of AES-GCM authentication algorithm

Shay Gueron and Vlad Krasnov

Abstract

A new implementation of the GHASH function has been recently committed to a Git version of OpenSSL, to speed up AES-GCM. We identified a bug in that implementation, and made sure it was quickly fixed before trickling into an official OpenSSL trunk. Here, we use this (already fixed) bug as a real example that demonstrates the fragility of AES-GCM’s authentication algorithm (GHASH). One might expect that incorrect MAC tag generation would only cause legitimate message-tag pairs to fail authentication (which is already a serious problem). However, since GHASH is a “polynomial evaluation” MAC, the bug can be exploited for actual message forgery.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Unknown where it was published
Keywords
AES-GCMGHASHpolynomial evaluation MACmessage forgeryOpenSSL
Contact author(s)
shay @ math haifa ac il
History
2013-03-26: received
Short URL
https://ia.cr/2013/157
License
Creative Commons Attribution
CC BY
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.