An integrity check value algorithm for stream ciphers
CRYPTO '93 Proceedings of the 13th annual international cryptology conference on Advances in cryptology
On families of hash functions via geometric codes and concatenation
CRYPTO '93 Proceedings of the 13th annual international cryptology conference on Advances in cryptology
Keying Hash Functions for Message Authentication
CRYPTO '96 Proceedings of the 16th Annual International Cryptology Conference on Advances in Cryptology
New classes and applications of hash functions
SFCS '79 Proceedings of the 20th Annual Symposium on Foundations of Computer Science
Key-Recovery Attacks on Universal Hash Function Based MAC Algorithms
CRYPTO 2008 Proceedings of the 28th Annual conference on Cryptology: Advances in Cryptology
A trade-off between collision probability and key size in universal hashing using polynomials
Designs, Codes and Cryptography
The Poly1305-AES message-authentication code
FSE'05 Proceedings of the 12th international conference on Fast Software Encryption
Stronger security bounds for wegman-carter-shoup authenticators
EUROCRYPT'05 Proceedings of the 24th annual international conference on Theory and Applications of Cryptographic Techniques
An improved algorithm for computing logarithms over and its cryptographic significance (Corresp.)
IEEE Transactions on Information Theory
SMSCrypto: A lightweight cryptographic framework for secure SMS transmission
Journal of Systems and Software
The weakness of integrity protection for LTE
Proceedings of the sixth ACM conference on Security and privacy in wireless and mobile networks
| Hi-index | 0.00 |
The Galois/Counter Mode (GCM) of operation has been standardized by NIST to provide single-pass authenticated encryption. The GHASH authentication component of GCM belongs to a class of Wegman-Carter polynomial hashes that operate in the field GF(2128). We present message forgery attacks that are made possible by its extremely smooth-order multiplicative group which splits into 512 subgroups. GCM uses the same block cipher key K to both encrypt data and to derive the generator H of the authentication polynomial for GHASH. In present literature, only the trivial weak key H=0 has been considered. We show that GHASH has much wider classes of weak keys in its 512 multiplicative subgroups, analyze some of their properties, and give experimental results on AES-GCM weak key search. Our attacks can be used not only to bypass message authentication with garbage but also to target specific plaintext bits if a polynomial MAC is used in conjunction with a stream cipher. These attacks can also be applied with varying efficiency to other polynomial hashes and MACs, depending on their field properties. Our findings show that especially the use of short polynomial-evaluation MACs should be avoided if the underlying field has a smooth multiplicative order.