Paper 2024/1111

Collision Attacks on Galois/Counter Mode (GCM)

John Preuß Mattsson, Ericsson Research
Abstract

Advanced Encryption Standard in Galois/Counter Mode (AES-GCM) is the most widely used Authenticated Encryption with Associated Data (AEAD) algorithm in the world. In this paper, we analyze the use of GCM with all the Initialization Vector (IV) constructions and lengths approved by NIST SP 800-38D when encrypting multiple plaintexts with the same key. We derive attack complexities in both ciphertext-only and known-plaintext models, with or without nonce hiding, for collision attacks compromising integrity and confidentiality. To facilitate the analysis of GCM with random IVs, we derive a new, simplified equation for near birthday collisions. Our analysis shows that GCM with random IVs provides less than 128 bits of security. When 96-bit IVs are used, as recommended by NIST, the security drops to less than 97 bits. Therefore, we strongly recommend that NIST forbid the use of GCM with 96-bit random nonces.
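The figures in the abstract come from how quickly uniformly random IVs repeat under a single key. The following added example (not code from the paper, which derives its own near-birthday equation; this uses the standard birthday approximation 1 - exp(-n(n-1)/2N)) lets a defender compute the IV-repeat probability for a given number of messages, the message count at which that probability reaches a target, and whether a deployment exceeds the 2^32 invocations per key that SP 800-38D permits with random IVs. The function and constant names are this example's own.

```python
import math


def iv_collision_probability(n_messages: int, iv_bits: int = 96) -> float:
    """Probability that at least two of n_messages uniformly random IVs of
    iv_bits bits coincide. Uses the birthday approximation 1 - exp(-n(n-1)/2N),
    which is accurate while n is far below 2**iv_bits."""
    space = 2 ** iv_bits
    if n_messages < 2:
        return 0.0
    if n_messages > space:
        return 1.0  # pigeonhole: a repeat is certain
    exponent = n_messages * (n_messages - 1) / (2 * space)
    # expm1 avoids cancellation when the exponent is tiny (e.g. ~2**-33)
    return -math.expm1(-exponent)


def messages_for_collision_probability(target_p: float, iv_bits: int = 96) -> float:
    """Number of messages under one key at which the IV-repeat probability
    reaches target_p (inverse of the approximation above)."""
    space = 2 ** iv_bits
    return math.sqrt(-2 * space * math.log1p(-target_p))


def security_bits_against_iv_collision(iv_bits: int = 96) -> float:
    """log2 of the message count giving a 50% chance of a repeated IV; a
    repeated IV in GCM reuses keystream and exposes the authentication key."""
    return math.log2(messages_for_collision_probability(0.5, iv_bits))


# SP 800-38D caps random-IV invocations of the encryption function per key.
NIST_RANDOM_IV_MAX_INVOCATIONS = 2 ** 32


def exceeds_nist_random_iv_limit(n_messages: int) -> bool:
    """True if a key has been used for more random-IV encryptions than allowed."""
    return n_messages > NIST_RANDOM_IV_MAX_INVOCATIONS


if __name__ == "__main__":
    for n in (2 ** 20, 2 ** 32, 2 ** 40, 2 ** 48):
        print(f"{n:>16d} messages, 96-bit random IV: "
              f"P(repeat) = {iv_collision_probability(n):.3e}, "
              f"over NIST limit = {exceeds_nist_random_iv_limit(n)}")
    print(f"50% repeat after about 2^{security_bits_against_iv_collision():.2f} messages")
```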

Metadata
Available format(s)
PDF
Category
Secret-key cryptography
Publication info
Preprint.
Keywords
Secret-key Cryptography, Block Ciphers, Cryptanalysis, Collision Attacks, AEAD, MAC, GCM, GMAC
Contact author(s)
john mattsson @ ericsson com
History
2024-09-02: last of 5 revisions
2024-07-08: received
Short URL
https://ia.cr/2024/1111
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2024/1111,
      author = {John Preuß Mattsson},
      title = {Collision Attacks on Galois/Counter Mode ({GCM})},
      howpublished = {Cryptology {ePrint} Archive, Paper 2024/1111},
      year = {2024},
      url = {https://eprint.iacr.org/2024/1111}
}