Breaking and Repairing GCM Security Proofs

In this paper, we study the security proofs of GCM, the Galois/Counter Mode of Operation. We first point out that a lemma, which is related to the upper bound on the probability of a counter collision, is invalid. Both the original privacy and authenticity proofs by the designers are based on this lemma. We further show that the observation can be translated into a distinguishing attack that invalidates the main part of the privacy proof. It turns out that the original security proofs of GCM contain a flaw, and hence the claimed security bounds are not justified. A very natural question is then whether the proofs can be repaired. We give an affirmative answer to the question by presenting new security bounds, both for privacy and authenticity. As a result, although the security bounds are larger than what was previously claimed, GCM maintains its provable security. We also show that, when the nonce length is restricted to 96 bits, GCM has better security bounds than in the general case of variable-length nonces.
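To make the counter-collision event concrete, the following added example (not code from the paper or its authors) implements the part of GCM that the abstract is about: how the pre-counter block J0 is derived from the nonce and how the counter blocks are incremented, following NIST SP 800-38D. With a 96-bit nonce, J0 is simply the nonce followed by 0^31 || 1, so two distinct nonces always have distinct high 96 bits and their counter blocks can never coincide. With any other nonce length, J0 is the output of GHASH_H, so whether the counter ranges of two messages overlap is a probabilistic event that a security proof must bound. The hash subkey value below is a constructed sample, not one computed from a real key (in GCM it would be E_K(0^128)); the function names are this example's own.

```python
# Added example: GCM counter-block derivation per NIST SP 800-38D (not the paper's code).
# Field elements are 128-bit Python ints in GCM's bit-reflected representation,
# where the integer 1 << 127 is the multiplicative identity.

R = 0xE1 << 120  # reduction constant for GF(2^128) in GCM's representation


def gf_mult(x: int, y: int) -> int:
    """Multiply two GF(2^128) elements (SP 800-38D Algorithm 1, MSB-first bit order)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash(h: int, data: bytes) -> int:
    """GHASH_H over data, which must be a whole number of 16-byte blocks."""
    assert len(data) % 16 == 0
    y = 0
    for i in range(0, len(data), 16):
        y = gf_mult(y ^ int.from_bytes(data[i:i + 16], "big"), h)
    return y


def derive_j0(h: int, nonce: bytes) -> int:
    """Pre-counter block J0 (SP 800-38D Section 7.1, step 2)."""
    if len(nonce) == 12:
        # 96-bit nonce: J0 = nonce || 0^31 || 1, no GHASH involved
        return (int.from_bytes(nonce, "big") << 32) | 1
    # Any other length: J0 = GHASH_H(nonce || 0^s || 0^64 || [len(nonce)]_64)
    pad = b"\x00" * ((16 - len(nonce) % 16) % 16)
    length_block = (0).to_bytes(8, "big") + (8 * len(nonce)).to_bytes(8, "big")
    return ghash(h, nonce + pad + length_block)


def inc32(block: int) -> int:
    """Increment the low 32 bits modulo 2^32, leaving the high 96 bits untouched."""
    high = (block >> 32) << 32
    low = (block + 1) & 0xFFFFFFFF
    return high | low


def counter_blocks(h: int, nonce: bytes, num_blocks: int) -> list[int]:
    """Counter blocks CTR_1..CTR_n that GCM encrypts to mask the plaintext blocks."""
    ctr = derive_j0(h, nonce)
    out = []
    for _ in range(num_blocks):
        ctr = inc32(ctr)
        out.append(ctr)
    return out


def counters_collide(h: int, nonce_a: bytes, nonce_b: bytes, num_blocks: int) -> bool:
    """True if two messages of num_blocks blocks, under these nonces, share a counter block.

    This is the event the disputed lemma bounds: a shared counter block means the
    same keystream block is reused across two messages.
    """
    seen = set(counter_blocks(h, nonce_a, num_blocks))
    return any(c in seen for c in counter_blocks(h, nonce_b, num_blocks))


if __name__ == "__main__":
    # Constructed sample hash subkey; a real H is the block cipher applied to 0^128.
    H = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
    n96_a, n96_b = bytes(12), bytes(11) + b"\x01"
    n64_a, n64_b = bytes(8), bytes(7) + b"\x01"
    print("96-bit nonces, J0 structure:", hex(derive_j0(H, n96_a)), hex(derive_j0(H, n96_b)))
    print("96-bit nonces collide:", counters_collide(H, n96_a, n96_b, 4096))
    print("64-bit nonces, J0 via GHASH:", hex(derive_j0(H, n64_a)), hex(derive_j0(H, n64_b)))
    print("64-bit nonces collide:", counters_collide(H, n64_a, n64_b, 4096))
```

For 96-bit nonces the collision check is structurally false for any message length below 2^32 blocks, which is why restricting the nonce length yields the tighter bound the abstract mentions; for other lengths the two J0 values are unrelated field elements, and a proof has to argue about the probability that one inc32 range lands inside the other.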
