Paper 2024/1111
Collision Attacks on Galois/Counter Mode (GCM)
Abstract
Advanced Encryption Standard in Galois/Counter Mode (AES-GCM) is the most widely used Authenticated Encryption with Associated Data (AEAD) algorithm in the world. In this paper, we analyze the use of GCM with all the Initialization Vector (IV) constructions and lengths approved by NIST SP 800-38D when encrypting multiple plaintexts with the same key. We derive attack complexities in both ciphertext-only and known-plaintext models, with or without nonce hiding, for collision attacks compromising integrity and confidentiality. To facilitate the analysis of GCM with random IVs, we derive a new, simplified equation for near-birthday collisions. Our analysis shows that GCM with random IVs provides less than 128 bits of security. When 96-bit IVs are used, as recommended by NIST, the security drops to less than 97 bits. Therefore, we strongly recommend that NIST forbid the use of GCM with 96-bit random nonces.
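The two numbers in the abstract, the birthday bound on random 96-bit IVs and the resulting "less than 97 bits", can be checked with a few lines of arithmetic. The following is an added example, not code from the paper: it computes the IV-collision probability for q messages under one key, the number of messages at which a collision becomes likely, and the bit security measured as log2(time/advantage) with time taken to be the number of queries q (that measure, and the HMAC-based stand-in for GCM's AES-CTR keystream, are assumptions of this example, not the paper's exact model). The last function shows what a single IV collision already costs confidentiality: the XOR of the two ciphertexts equals the XOR of the two plaintexts, with no key material involved.

```python
"""Birthday-bound arithmetic for GCM with random IVs, plus a demonstration of
what an IV collision leaks under a CTR-style cipher.

Added example (not from the paper).  Assumptions: bit security is measured as
log2(T / epsilon) with T ~ q queries; the keystream() helper is an HMAC-SHA256
stand-in for the AES-CTR keystream GCM derives from (key, IV) so that the
example runs with the standard library only.
"""
import hashlib
import hmac
import math


def collision_probability(q: int, iv_bits: int) -> float:
    """Probability that at least two of q uniformly random iv_bits-bit IVs collide.

    Standard birthday approximation 1 - exp(-q(q-1) / (2N)), N = 2**iv_bits,
    evaluated with expm1 so that very small probabilities keep their precision.
    """
    if q < 2:
        return 0.0
    n = 2.0 ** iv_bits
    return -math.expm1(-(q * (q - 1)) / (2.0 * n))


def messages_for_probability(p: float, iv_bits: int) -> float:
    """Number of messages under one key after which a collision has probability p."""
    n = 2.0 ** iv_bits
    return math.sqrt(2.0 * n * -math.log1p(-p))


def bit_security(q: int, iv_bits: int) -> float:
    """log2(T / epsilon) for an adversary making q encryption queries (T ~ q).

    For 96-bit IVs this peaks at 97 bits (q = 2) and falls as q grows,
    which is the sense in which random 96-bit IVs give 'less than 97 bits'.
    """
    return math.log2(q / collision_probability(q, iv_bits))


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in for GCM's AES-CTR keystream (assumption of this example).

    HMAC-SHA256 in counter mode is used only so the code runs offline; the
    property that matters is the same as in GCM: the keystream is a function
    of (key, IV) alone, so a repeated IV yields an identical keystream.
    """
    out = bytearray()
    counter = 2  # GCM encrypts from counter block 2; the start value is irrelevant here
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def leak_from_iv_collision(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Encrypt p1 and p2 under the same key and IV and return c1 XOR c2.

    A ciphertext-only attacker computes this value without the key; because
    the keystreams cancel, it equals p1 XOR p2 (and, with known plaintext,
    gives the other plaintext outright).
    """
    c1 = xor(p1, keystream(key, iv, len(p1)))
    c2 = xor(p2, keystream(key, iv, len(p2)))
    return xor(c1, c2)


if __name__ == "__main__":
    # NIST SP 800-38D caps random-IV use at 2**32 invocations per key.
    print("P[collision] after 2^32 messages, 96-bit IVs: 2^%.1f"
          % math.log2(collision_probability(2 ** 32, 96)))
    print("messages for a 50%% collision chance:        2^%.2f"
          % math.log2(messages_for_probability(0.5, 96)))
    print("bit security, q = 2:     %.1f" % bit_security(2, 96))
    print("bit security, q = 2^32:  %.1f" % bit_security(2 ** 32, 96))
    # Constructed sample inputs for the collision demo.
    key, iv = b"\x01" * 16, b"\x00" * 12
    p1, p2 = b"attack at dawn", b"retreat at 9am"
    assert leak_from_iv_collision(key, iv, p1, p2) == xor(p1, p2)
    print("c1 ^ c2 == p1 ^ p2 under a repeated IV: True")
```

Running it shows that NIST's 2^32-message limit keeps the collision probability near 2^-33, that a collision becomes an even bet at roughly 2^48.2 messages, and that the log2(T/epsilon) measure never exceeds 97 bits for 96-bit random IVs and is about 65 bits for an adversary who uses the full 2^32 budget. The keystream demo is the confidentiality half of the abstract's claim; the integrity half (recovery of the GHASH key from a repeated IV) is not implemented here.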
Metadata
- Category
- Secret-key cryptography
- Publication info
- Preprint.
- Keywords
- Secret-key Cryptography, Block Ciphers, Cryptanalysis, Collision Attacks, AEAD, MAC, GCM, GMAC
- Contact author(s)
- john mattsson @ ericsson com
- History
- 2024-09-02: last of 5 revisions
- 2024-07-08: received
- Short URL
- https://ia.cr/2024/1111
- License
- CC BY
BibTeX
@misc{cryptoeprint:2024/1111, author = {John Preuß Mattsson}, title = {Collision Attacks on Galois/Counter Mode ({GCM})}, howpublished = {Cryptology {ePrint} Archive, Paper 2024/1111}, year = {2024}, url = {https://eprint.iacr.org/2024/1111} }