### Authentication Key Recovery on Galois Counter Mode (GCM)

John Mattsson and Magnus Westerlund

##### Abstract

GCM is used in a vast number of security protocols and is quickly becoming the de facto mode of operation for block ciphers due to its exceptional performance. In this paper we analyze the NIST standardized version (SP 800-38D) of GCM, and in particular the use of short tag lengths. We show that feedback on successful or unsuccessful forgery attempts is almost always possible, contradicting the NIST assumptions for short tags. We also provide a complexity estimation of Ferguson's authentication key recovery method on short tags, and suggest several novel improvements to Ferguson's attacks that significantly reduce the security level for short tags. We show that for many truncated tag sizes, the security levels are far below not only the current NIST requirement of 112-bit security, but also the old NIST requirement of 80-bit security. We therefore strongly recommend that NIST revise SP 800-38D.

Category
Secret-key cryptography
Publication info
Published elsewhere. MINOR revision. Progress in Cryptology – AFRICACRYPT 2016
DOI
10.1007/978-3-319-31517-1_7
Keywords
Secret-key Cryptography, Message Authentication Codes, Block Ciphers, Cryptanalysis, Galois Counter Mode, GCM, Authentication Key Recovery, AES-GCM, Suite B
Contact author(s)
john mattsson @ ericsson com
History
2016-04-19: last of 2 revisions
Short URL
https://ia.cr/2015/477

CC BY

BibTeX

@misc{cryptoeprint:2015/477,
author = {John Mattsson and Magnus Westerlund},
title = {Authentication Key Recovery on Galois Counter Mode (GCM)},
howpublished = {Cryptology ePrint Archive, Paper 2015/477},
year = {2015},
doi = {10.1007/978-3-319-31517-1_7},
note = {\url{https://eprint.iacr.org/2015/477}},
url = {https://eprint.iacr.org/2015/477}
}
