Paper 2015/477

Authentication Key Recovery on Galois Counter Mode (GCM)

John Mattsson and Magnus Westerlund


GCM is used in a vast number of security protocols and is quickly becoming the de facto mode of operation for block ciphers due to its exceptional performance. In this paper we analyze the NIST-standardized version (SP 800-38D) of GCM, and in particular the use of short tag lengths. We show that feedback on successful or unsuccessful forgery attempts is almost always possible, contradicting the NIST assumptions for short tags. We also provide a complexity estimate of Ferguson's authentication key recovery method on short tags, and suggest several novel improvements to Ferguson's attacks that significantly reduce the security level for short tags. We show that for many truncated tag sizes, the security levels are far below not only the current NIST requirement of 112-bit security, but also the old NIST requirement of 80-bit security. We therefore strongly recommend that NIST revise SP 800-38D.
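The abstract's two ingredients, a feedback channel telling the forger whether a tag was accepted and the GF(2)-linearity of GHASH that Ferguson exploited, can be seen together in a small simulation. The following is an added illustration written for this page; it is not code from the paper, from Ferguson, or from NIST. It implements GHASH from SP 800-38D (Algorithm 1, checked against the GCM specification's test case 2), replaces the block-cipher mask E_K(J0) with a constructed random value S because the attack never touches it, and uses a local `verify` function as the accept/reject oracle. It is a deliberately simplified version of the attack: the forger modifies only the ciphertext block that GHASH multiplies by H^2, so a successful forgery with a t-bit tag yields t GF(2)-linear equations in the 128 bits of H, and roughly 128/t forgeries suffice to solve for H. The 2^i-position trick, the row-zeroing improvement and the paper's own refinements are not implemented. The names `gcm_tag`, `tag_rows`, `GF2System` and `recover_h`, the seed and the tag length t=8 (chosen only so that the 2^t trial forgeries run in seconds) are all assumptions of this example.

```python
# Added illustration (not the paper's code): GF(2)-linear leakage of the GHASH
# key H through accept/reject feedback on forged messages with a t-bit tag.
import random

R = 0xE1000000000000000000000000000000  # x^128 + x^7 + x^2 + x + 1 in GCM bit order

def gf_mul(x, y):
    """GF(2^128) product per SP 800-38D Algorithm 1; the block's leftmost bit is the int MSB."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def ghash(h, blocks):
    y = 0
    for b in blocks:
        y = gf_mul(y ^ b, h)
    return y

def trunc(block, t):
    """GCM keeps the leftmost t bits of the full 128-bit tag."""
    return block >> (128 - t)

def gcm_tag(h, s, c_blocks, t):
    """Tag for empty AAD and full-block ciphertext: MSB_t(GHASH_H(C || len(A)||len(C)) xor S)."""
    return trunc(ghash(h, c_blocks + [len(c_blocks) * 128]) ^ s, t)

def ghash_selftest():
    """GCM specification test case 2: H, the single ciphertext block, and the published GHASH."""
    h = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
    c = 0x0388DACE60B6A392F328C2B971B2FE78
    return ghash(h, [c, 128]) == 0xF38CBB1AD69223DCC3457AE5B6B0F885

def tag_rows(d, t):
    """Masks m_0..m_{t-1} such that bit i of trunc(d*h^2, t) == parity(m_i & h) for every h.
    Multiplying by the constant d and squaring are both GF(2)-linear, so such masks exist."""
    cols = [trunc(gf_mul(d, gf_mul(e, e)), t) for e in (1 << (127 - b) for b in range(128))]
    rows = []
    for i in range(t):
        m = 0
        for b in range(128):
            if (cols[b] >> (t - 1 - i)) & 1:
                m |= 1 << (127 - b)
        rows.append(m)
    return rows

class GF2System:
    """Incremental Gaussian elimination over GF(2); the unknown is a 128-bit vector."""

    def __init__(self):
        self.pivots = {}  # pivot bit -> (mask, rhs); no mask contains another row's pivot bit

    def add(self, mask, rhs):
        for pb, (pm, pr) in self.pivots.items():
            if (mask >> pb) & 1:
                mask, rhs = mask ^ pm, rhs ^ pr
        if mask == 0:
            if rhs:
                raise ValueError("inconsistent equations: the verifier did not behave like GCM")
            return
        pb = mask.bit_length() - 1
        for k, (km, kr) in list(self.pivots.items()):
            if (km >> pb) & 1:
                self.pivots[k] = (km ^ mask, kr ^ rhs)
        self.pivots[pb] = (mask, rhs)

    def rank(self):
        return len(self.pivots)

    def solution(self):
        return sum(rhs << pb for pb, (_, rhs) in self.pivots.items())

def recover_h(t=8, seed=1):
    """Recover H from one captured (nonce, C, T) plus an accept/reject oracle.
    Returns (recovered_h, true_h, number_of_verification_queries)."""
    rng = random.Random(seed)
    h, s = rng.getrandbits(128), rng.getrandbits(128)  # constructed H and mask S (stands in for E_K(J0))
    c = [rng.getrandbits(128), rng.getrandbits(128)]   # constructed two-block ciphertext
    tag = gcm_tag(h, s, c, t)
    queries = 0

    def verify(c_prime, tag_prime):  # the receiver: the feedback channel the paper discusses
        nonlocal queries
        queries += 1
        return gcm_tag(h, s, c_prime, t) == tag_prime

    system = GF2System()
    while system.rank() < 128:
        d = rng.getrandbits(128) or 1
        c_prime = [c[0], c[1] ^ d]   # C2 is multiplied by H^2, so the tag changes by trunc(d*H^2)
        for guess in range(1 << t):  # each rejection eliminates one candidate; success is certain
            if verify(c_prime, guess):
                break
        delta = tag ^ guess          # == trunc(d*H^2, t): t linear equations in the bits of H
        for i, mask in enumerate(tag_rows(d, t)):
            system.add(mask, (delta >> (t - 1 - i)) & 1)
    return system.solution(), h, queries

if __name__ == "__main__":
    rec, true_h, q = recover_h()
    print(f"recovered H == true H: {rec == true_h} after {q} verification queries")
```

With t=8 the loop needs about 16 to 17 accepted forgeries, each found after about 2^7 rejected attempts on average, so H falls out of a few thousand verification queries; the cost scales as roughly 128/t forgeries of about 2^(t-1) attempts each, which is the baseline that the paper's complexity estimate and improvements start from. The `ghash_selftest` check is there because a wrong bit ordering in `gf_mul` would silently make every derived equation wrong.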

Category: Secret-key cryptography
Publication info: Published elsewhere. MINOR revision. Progress in Cryptology – AFRICACRYPT 2016
Keywords: Secret-key cryptography, Message authentication codes, Block ciphers, Cryptanalysis, Galois Counter Mode, GCM, Authentication key recovery, AES-GCM, Suite B
Contact author(s)
john mattsson @ ericsson com
2016-04-19: last of 2 revisions
2015-05-19: received
Creative Commons Attribution


      author = {John Mattsson and Magnus Westerlund},
      title = {Authentication Key Recovery on Galois Counter Mode (GCM)},
      howpublished = {Cryptology ePrint Archive, Paper 2015/477},
      year = {2015},
      doi = {10.1007/978-3-319-31517-1_7},
      note = {\url{}},
      url = {}