
In this chapter, we have revisited the provable security of GCM and provided a practical method to fix GCM with non-96-bit nonces, in order to avoid the flaw in the security proofs discovered by Iwata et al. This method improves the overall security bounds of GCM by a factor of about $2^{20}$. We have also presented security proofs for the revised mode of operation, namely LGCM, together with alternative implementations of LGCM that are useful for thwarting timing-based side-channel attacks.

Due to the important role of GCM in various encryption and authentication protocols, such as TLS v1.2, IEEE 802.1AE and IPsec, we recommend that GCM be used only with 96-bit nonces. For instance, the variant of GCM introduced by Aoki and Yasuda in [9] accepts only a fixed-length nonce. Our revised design LGCM is recommended for application scenarios that prefer non-96-bit nonces. In the current standard for GCM in TLS [34], a portion of the nonce is generated by applying HMAC to certain handshake information; session-specific, non-repeating data of this kind, including the handshake information, can likewise serve as the nonce for LGCM.

Chapter 3

Forgery Attacks and Weak Keys of Polynomial-Based MAC Algorithms

This chapter analyzes polynomial-based MAC algorithms. As described in Section 2.1.1, the MAC algorithm used in GCM is a polynomial-based design. Firstly, Section 3.1 gives the background on several existing attacks on polynomial-based MAC algorithms. Secondly, Section 3.2 presents our improved forgery attacks on polynomial-based MAC schemes, and Section 3.3 studies the weak key classes of GCM-like MAC schemes. Section 3.4 shows how to turn these forgery attacks on GCM into birthday attacks in order to improve their success probabilities. The attacks on a revised version of GCM in the MAC-then-Enc paradigm are discussed in Section 3.5. Finally, the last section summarizes this chapter.

3.1 Preliminaries

This section gives the background knowledge about polynomial-based MAC algorithms and describes several existing attacks on them. Notations in this chapter follow the ones defined in Section 2.1.

For simplicity, in the context of GCM, the associated data $A$, the plaintext $P$ and the ciphertext $C$ are considered to be multiples of 128 bits, and the nonce $N$ to be a multiple of 128 bits if $N$ is not 96 bits long, so that no input needs padding. Unless stated otherwise, $A$ is regarded as an empty bit-string.

Furthermore, following the notation in [100], the indices of input blocks are reversed, e.g., $P = P_n \| P_{n-1} \| \cdots \| P_1$ instead of $P = P_1 \| P_2 \| \cdots \| P_n$, for convenience of polynomial representations.

3.1.1 Polynomial-Based MAC Algorithms

As mentioned in the previous chapter, the Galois/Counter Mode (GCM) is an authenticated encryption with associated data (AEAD) mode, which is adopted in many important cryptographic schemes and protocols. The designs of GMAC and GHASH in GCM are based on the evaluation hash [115].

Let $\mathbb{F}$ be a finite field of characteristic 2, $H \in \mathbb{F}$ be the authentication key, and $M = M_m \| M_{m-1} \| \cdots \| M_1$ be a message to be authenticated, where $M_i \in \mathbb{F}$. Define a polynomial $g_M(x) \in \mathbb{F}[x]$ as

$$g_M(x) = \sum_{i=1}^{m} M_i x^i.$$

Then the function $h_H(M) = g_M(H)$ is called the evaluation hash. The hash function outputs are masked by block cipher encryptions to produce the authentication tags, in ways such as $E_K(N) \oplus h_H(M)$ and $E_K(h_H(M))$. Poly1305 [20], and the MAC schemes in GCM and SGCM [107], all fall within this framework.

3.1.2 Existing Attacks on Polynomial-Based MAC Algorithms

Procter and Cid have studied the weak key classes and forgery attacks of polynomial-based MAC schemes, including the one used in GCM [100]. They provide a more general model that subsumes Saarinen's cycling attack [107]. We summarize the main observation of Procter and Cid in [100] as follows, and include a short proof of their result, as it is fundamental to our discussions in the subsequent sections.

Result 3.1 ([100]). With the same notation as in Section 3.1.1, if there exists a polynomial $f(x) \in \mathbb{F}[x]$ without a constant term such that $f(H) = 0$, then forgeries of MAC schemes based on the evaluation hash $h_H$ can be made by using $f(x)$.

Proof. Assume

$$f(x) = \sum_{i=1}^{n} F_i x^i,$$

and let $F = F_n \| F_{n-1} \| \cdots \| F_1$. Given a message $M$, we have

$$h_H(M \oplus F) = g_{M \oplus F}(H) = g_M(H) \oplus f(H) = g_M(H) = h_H(M),$$

where the shorter of $M$ and $F$ in $M \oplus F$ is left-padded with zero blocks. We obtain a collision on the evaluation hash, and thus a forgery of the MAC scheme.

If GCM is the attack target, then after obtaining a valid tuple $(N, C, T)$ by eavesdropping or active querying, the adversary queries the verification oracle with $(N, C \oplus F, T)$. If the result is not FAIL, a valid MAC has been forged. Note that $f(x)$ always has $x$ as a factor and, for $H \neq 0$, lies in the ideal $\langle x^2 \oplus Hx \rangle$ of the polynomial ring $\mathbb{F}[x]$.

For an unknown $H$, the success probability of MAC forgeries depends directly on the choice of $f(x)$. Procter and Cid propose three ways to select $f(x)$: (1) use $f(x) = x \prod_i (x \oplus H_i)$ to cover as many candidate keys $H_i$ as desired; (2) use irreducible factors of $x^{2^{128}} \oplus x$, which includes Saarinen's cycling attack as a special case; (3) simply use random polynomials.

Moreover, based on these analyses, Procter and Cid point out that almost any subset of the authentication key space of these polynomial-based MAC schemes is a weak key class. Analysis of a cryptographic algorithm's weak keys is a very important assessment. Handschuh and Preneel have given a theoretical definition of weak keys for symmetric-key cryptosystems in [60]: "A class of keys is called weak if for members of the class the algorithm behaves in an unexpected way and if it is easy to detect whether a particular key belongs to this class." For a MAC algorithm, for example, the unexpected behavior may be that MAC forgeries can be made with very high probability. Moreover, to determine whether a key is in the class $\mathcal{K}$, the number of queries has to be fewer than that of exhaustive search, i.e., fewer than $|\mathcal{K}|$.

Result 3.2 ([100]). Let $\mathcal{H}$ be a subset of the authentication key space of the MAC scheme based on the evaluation hash. If $|\mathcal{H}| \geq 2$ and $0 \in \mathcal{H}$, or if $|\mathcal{H}| \geq 3$, then $\mathcal{H}$ is weak.

Proof. If $|\mathcal{H}| \geq 2$ and $0 \in \mathcal{H}$, a single query forged with $f(x) = x \prod_i (x \oplus H_i)$, where the $H_i$ range over the nonzero elements of $\mathcal{H}$, can be fed to the verification oracle; since $x$ is a factor of $f(x)$, the query is accepted exactly when $H \in \mathcal{H}$, and one query is fewer than $|\mathcal{H}| \geq 2$. If $0 \notin \mathcal{H}$, one such query can only establish $H \in \mathcal{H} \cup \{0\}$, so to tell $H = 0$ from $H \in \mathcal{H}$ two queries with distinct polynomials of this form have to be made, e.g. $f_1(x) = x \prod_{H_i \in \mathcal{H}_1} (x \oplus H_i)$ and $f_2(x) = x \prod_{H_i \in \mathcal{H}_2} (x \oplus H_i)$ for a partition $\mathcal{H} = \mathcal{H}_1 \cup \mathcal{H}_2$: both queries are accepted if and only if $H = 0$, and exactly one is accepted if and only if $H \in \mathcal{H}$. Two queries are fewer than $|\mathcal{H}| \geq 3$, so membership in any subset with $|\mathcal{H}| \geq 3$ can be detected with two queries.
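The evaluation hash of Section 3.1.1, the forgery of Result 3.1 and the two-query weak-key test of Result 3.2, as an added worked example that is not code from the thesis or from Procter and Cid. It uses GCM's bit-reflected representation of $\mathbb{F} = \mathrm{GF}(2^{128})$ and simulates the MAC's verification oracle with a fixed mask standing in for $E_K(N)$; the candidate key class, the message blocks and the mask are constructed values chosen for the demonstration.

```python
"""Added example: evaluation hash over GCM's GF(2^128), the f(H) = 0 forgery
(Result 3.1) and the two-query weak-key class test (Result 3.2)."""

# GCM's bit-reflected representation of GF(2^128): the reduction polynomial
# x^128 + x^7 + x^2 + x + 1 is the block 0xE1 || 0^120, the identity is 0x80 || 0^120.
R = 0xE1 << 120
ONE = 1 << 127


def gf_mul(x: int, y: int) -> int:
    """Multiply two field elements (NIST SP 800-38D, Algorithm 1)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def eval_hash(h: int, blocks: list) -> int:
    """h_H(M) = g_M(H) = sum_{i=1}^m M_i H^i with M = M_m || ... || M_1 (reversed indices).

    `blocks` is [M_m, ..., M_1]; Horner's rule multiplies by H once per block. For GCM
    with empty A, M_1 is the length block and M_2, ..., M_m are the ciphertext blocks."""
    y = 0
    for m in blocks:
        y = gf_mul(y ^ m, h)
    return y


def poly_mul(p: list, q: list) -> list:
    """Multiply polynomials in F[x]; coefficient lists are indexed by degree."""
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] ^= gf_mul(a, b)
    return out


def vanishing_poly(candidates: list) -> list:
    """f(x) = x * prod_i (x + H_i): no constant term, so f(H) = 0 for H = 0 and each H_i."""
    f = [0, ONE]
    for h in candidates:
        f = poly_mul(f, [h, ONE])
    return f


def poly_to_blocks(f: list) -> list:
    """Coefficient F_i of x^i becomes block F_i; returned as [F_n, ..., F_1] like eval_hash's input."""
    return [f[i] for i in range(len(f) - 1, 0, -1)]


def xor_padded(m: list, f: list) -> list:
    """M xor F with the shorter operand left-padded by zero blocks (i.e. at the high indices)."""
    n = max(len(m), len(f))
    m = [0] * (n - len(m)) + m
    f = [0] * (n - len(f)) + f
    return [a ^ b for a, b in zip(m, f)]


def forge(observed_blocks: list, candidates: list) -> list:
    """Result 3.1: (N, C xor F, T) verifies whenever f(H) = 0, i.e. H in {0} u candidates."""
    return xor_padded(observed_blocks, poly_to_blocks(vanishing_poly(candidates)))


def classify_key(verify, observed_blocks: list, tag: int, candidates: list) -> str:
    """Result 3.2 with 0 not in candidates: split the class in two and query once per half.
    Both halves verify -> H = 0 (x divides both f's); exactly one -> H lies in that half;
    neither -> H is outside the class. Two queries beat exhaustive search once |class| >= 3."""
    half = len(candidates) // 2
    hits = [verify(forge(observed_blocks, part), tag)
            for part in (candidates[:half], candidates[half:])]
    if hits == [True, True]:
        return "H = 0"
    if hits == [True, False]:
        return "H in first half"
    if hits == [False, True]:
        return "H in second half"
    return "H not in class"


def make_oracle(h: int, mask: int):
    """Simulated GMAC under one nonce: T = E_K(N) xor h_H(M); `mask` stands in for E_K(N)."""
    def tag(blocks):
        return eval_hash(h, blocks) ^ mask

    def verify(blocks, t):
        return tag(blocks) == t
    return tag, verify


def demo() -> dict:
    # Constructed values for the demonstration; any 128-bit integers would do.
    candidates = [0x11, 0x22, 0x33, 0x44]            # a key class of size 4, 0 excluded
    H, mask = 0x33, 0x0123456789ABCDEF0123456789ABCDEF
    tag, verify = make_oracle(H, mask)
    message = [0xDEADBEEF, 0xCAFEBABE, 0x80]          # [M_3, M_2, M_1]; 0x80 plays the length block
    t = tag(message)
    forged = forge(message, candidates)
    return {
        "forgery_verifies": verify(forged, t),
        "forgery_differs": forged != message,
        "classification": classify_key(verify, message, t, candidates),
        "wrong_class": classify_key(verify, message, t, [0x55, 0x66, 0x77]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The field arithmetic is the real GCM multiplication, so `eval_hash` reproduces GHASH on the GCM specification's test vectors; the attack itself is representation-independent. Two things the simulation leaves out of a real GCM forgery: the verifier recomputes the length block from the actual length of $C \oplus F$, so $F_1$ (the coefficient of $x$) and the new ciphertext length must agree, and the queries must reuse the nonce $N$ of the observed tuple, which is what keeps the $E_K(N)$ mask fixed.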

3.2 New Forgery Attacks on Polynomial-Based MAC
