1 Introduction

The study of Cid, Carlos information-theoretic message authentication codes and universal hashing was initiated by Gilbert et al. [14] and Carter and Wegman [10, 11, 38, 39]. Universal hash functions can be used to construct message authentication codes in both the information-theoretically secure and computationally secure settings (see [9, 39]). Simmons [33] provides a general summary of the theory of unconditionally secure message authentication. Bernstein [2, 3] provides a thorough description of the geneology and more recent literature of unconditionally secure message authentication, including a description of the contributions of Bierbrauer et al. [5], den Boer [12], and Taylor [36] to polynomial-based hashing. Bernstein [4] also gives an interesting overview of the security of universal hash function based MACs in the computationally secure setting. Shoup [32] describes several methods for realising universal hash function families that are related to polynomials including the evaluation hash [5, 12, 36] which is a variant of the division hash or cryptographic CRC of Krawczyk [21] (itself a variant of Rabin’s fingerprinting codes [27]).

In this paper, we focus on message authentication codes constructed from universal hash functions that are realised by polynomial evaluation. These are widely used and standardised; for examples see [2, 13, 17, 20, 22, 31]. McGrew and Viega’s Galois/Counter Mode (GCM) [26] is the most widely deployed polynomial-based scheme. The algorithm is generally assumed to be secure, with a small number of papers containing attacks against the authentication component via the universal hash function: Ferguson’s attack against truncated GCM tags [15], demonstrating that the security of short tags is significantly lower than would be expected; Joux’s ‘forbidden attack’ [19], illustrating the brittleness of GCM under nonce reuse; Handschuh and Preneel’s [16] extension to Joux’s attack [16]; and Saarinen’s cycling attacks [29], which highlight a weakness due to the underlying algebraic structure of a hash function based on polynomial evaluation. Both Handschuh and Preneel [16] and Saarinen [29] have described classes of weak keys for polynomial evaluation based universal hash functions, with Saarinen particularly focusing on GCM.

Contributions. A motivation of this work was the observation that all existing attacks against GCM are algebraic in nature, and in fact seem to exploit a fundamental underlying algebraic structure of the polynomial-based hash function. The contributions of this paper are to identify and study some of the properties of hash functions based on polynomial evaluation that are the result of this underlying algebraic structure. As a result, we are able to describe a general forgery attack, of which Saarinen’s cycling attack is a special case; our attack can however be used with short messages, applies regardless of the field in which the hash is evaluated, and facilitates length extension attacks against GCM. Furthermore, we provide a common description of all published attacks against GCM by showing that the existing attacks are the result of these algebraic properties of the polynomial-based hash function. Finally, we greatly expand the number of known weak GCM keys, and show that almost every subset of the keyspace is a weak key class. We note that the attacks presented in this paper do not in any way contradict the security bounds for GCM given by McGrew and Viega [24]. However the algebraic properties (and related attacks) discussed in this paper appear to be an inherent feature of polynomial-based authentication schemes and therefore should be considered in the security assessment of new schemes and extensions of existing ones.

Structure. This paper is structured as follows. In Sect. 2 we introduce the notation that will be used throughout this paper and provide a brief description of the syntax and security of message authentication codes. In Sect. 3 we give a basic overview of three schemes that use hash functions based on polynomial evaluation for message authentication, including GCM and SGCM. In Sect. 4 we describe the main technique used in this paper for the cryptanalysis of polynomial-based authentication schemes and discuss some features of the resulting attack that make it more interesting than cycling attacks. Section 5 contains a common description of the existing attacks against GCM. In Sect. 6 we show that there are many more weak key classes for hash functions based on polynomial evaluation than have previously been described and suggest a method to realise a key recovery attack against polynomial-based hash function schemes. Section 7 contains a discussion of the consequences of this attack.

2 Preliminaries

2.1 Notation

We consider a message \(M_{}\) parsed as \({M_{}}_{1} {||} \dots {||} {M_{}}_{m}\), where each \(M_{i}\) is \(n\) bits long and \(||\) represents concatenation of strings. In the syntax of authenticated encryption with associated data [28], this message consists of associated data \(A_{}\in \mathcal {A}\) that is authenticated but not encrypted and plaintext \(P_{}\in \mathcal {P}\) that will be encrypted and authenticated.

A family of hash functions will be denoted \(\mathcal {H}= \left\{ h_{H_{}}: \{0,1\}^\star \rightarrow \{0,1\}^{n}\mid H_{}\in \right. \) \(\left. \mathcal {K}_{\mathcal {H}} \right\} \) with each hash function \(h_{H_{}}\) indexed by a key \(H_{}\in \mathcal {K}_{\mathcal {H}}\). A block cipher \(E_{}\) is a family of permutations on \(\{0,1\}^n\), with each permutation indexed by a key \(k_{}\in \mathcal {K}_{E_{}}\). The application of a block cipher to input \(x \in \{0,1\}^n\) using key \(k_{}\) will be denoted by \(E_{k}(x)\). Where a nonce is used it will be denoted by \(N_{}\).

A finite field will be denoted by \(\mathbb {K}\) unless the order of the field has particular relevance, in which case it will be denoted by \(\mathbb {F}_{p^r}\) with \(|\mathbb {F}_{}| = p^r\). The multiplicative group of a field \(\mathbb {K}\) will be denoted by \(\mathbb {K}^\star \).

2.2 Universal Hash Functions

A family of hash functions is said to be \(\epsilon \)\(almost\) \(\oplus \) universal if for every \(M_{}, M_{}^\prime \in \{0,1\}^\star \) with \(M_{}\ne M_{}^\prime \) and for every \(c \in \{0,1\}^n\), \(\text {Pr}_{H_{}\in \mathcal {K}_{\mathcal {H}}} \left[ h_{H_{}} (M_{}) \oplus h_{H_{}}(M_{}^\prime ) = c \right] < \epsilon \). Throughout this paper \(\epsilon \)–almost \(\oplus \) universal will be abbreviated to \(\epsilon \)–AXU. This condition was introduced by Krawczyk [21] under the name \(\epsilon \)\(OTP\)\(Secure\) as it is a necessary and sufficient condition for unconditional MAC security when the output of the hash function is encrypted with the one time pad in a field of characteristic 2. In this paper we will generally refer to \(\epsilon \)–AXU hash function families; however any remark made that requires an \(\epsilon \)–AXU hash function family in characteristic 2 will also hold for an \(\epsilon \)–almost strongly universal [34] or \(\epsilon \)–almost \(\varDelta \) universal  [35] hash function family in any finite field.

A polynomial based hash function family is a common way to realise an \(\epsilon \)–AXU hash function family. Shoup [32] describes several examples of this type of construction; the main example of interest to this paper is the evaluation hash. In the case of the evaluation hash the message \(M_{}\) determines a polynomial \(g_{M_{}} = \sum _{i=1}^m{M_{i} x^i} \in \mathbb {K}[x]\), where \(M_{}= {M_{}}_{1} {||} \dots {||} {M_{}}_{m}\) with each \(M_{i} \in \mathbb {K}\). The hash key is an element \(H_{}\in \mathbb {K}\) and we define the hash function by \(h_{H_{}}(M_{}) = g_{M_{}}(H_{})\).

There are several methods for turning a universal hash function into a message authentication code (see [9, 39] for early examples). The two most common methods are \(E_{k_{}}(N_{}) + h_{H_{}}(M_{})\) and \(E_{k_{}}(h_{H_{}}(M_{}))\).

2.3 Syntax

We will follow Black et al. [8] for a description of the syntax of nonce-based message authentication schemes. A message authentication scheme is a pair of algorithms, \(\mathsf {Gen}\) and \(\mathsf {MAC}_{}\), with four associated sets: \(\mathcal {K}_{}\), the set of possible keys; \(\mathcal {M}\), the message space; \(\mathcal {N}\), the set of nonces and \(\mathcal {T}\), the set of possible authentication tags.

The key generation algorithm \(\mathsf {Gen}\) takes as input the security parameter and probabilistically outputs the shared key \(k_{}\in \mathcal {K}_{}\). The algorithm \(\mathsf {MAC}_{}\) takes as input a key \(k_{}\in \mathcal {K}_{}\), a nonce \(N_{}\in \mathcal {N}\), and a message \(M_{}\in \mathcal {M}\) and outputs a tag \(T_{}\in \mathcal {T}\). The authenticity of a tuple (\(N_{}, M_{}, T_{}\)) is verified by computing \(\mathsf {MAC}_{}(k_{}, N_{}, M_{})\): if \(T_{}= \mathsf {MAC}_{}(k_{},N_{},M_{})\) then the tag is valid, otherwise it is invalid.

2.4 Security

An adversary attacking a message authentication scheme is given access to two oracles: a tag generation oracle \(\mathcal {S}\) and a verification oracle \(\mathcal {V}\). At the beginning of the experiment \(\mathsf {Gen}\) is run to obtain \(k_{}\), then \(\mathsf {MAC}_{}\) takes queries \((N_{}, M_{})\) and returns \(\mathsf {MAC}_{}(k_{}, N_{}, M_{})\). The verification oracle takes queries \((N_{}, M_{}, T_{})\) and returns 1 if \(T_{}= \mathsf {MAC}_{}(k_{}, N_{}, M_{})\) or 0 otherwise. An adversary is said to successfully forge an authentication tag if they can produce a verification query \((N_{}, M_{}, T_{})\) so that \(\mathcal {V}\) returns 1 when \(( N_{}, M_{})\) was not previously queried to \(\mathcal {S}\).

A common restriction of this security notion is to nonce-respecting adversaries where, although the adversary can control the nonce, they never query \(\mathcal {S}\) for \((N_{}, M_{}^\prime )\) if they have previously queried \(\mathcal {S}\) for \((N_{}, M_{})\).

McGrew and Viega [24], Ferguson [15], and Handschuh and Preneel [16] all assert that the probability of creating a valid (non-truncated) tag having seen a single valid (message, tag) pair is approximately \({m}/|\mathbb {K}|\) where the polynomial is evaluated in \(\mathbb {K}\) and \(m\) is the length of message that the construction operates on. It is worth emphasising that in this context, \(m\) is the maximum permissable message length. This is included in the original paper [24] but is not made explicitly clear in the later papers [15, 16]. In this paper we will demonstrate the importance of this distinction via a method of forging GCM tags using a longer message than the one that was given in the valid (message, tag) pair from the tag generation oracle.

Throughout this paper we will focus on GCM for concreteness however the majority of the comments apply equally to any other hash function based on polynomial evaluation. Most of the results in this paper apply equally to both common constructions of MACs from universal hash functions, either \(T_{}= E_{k_{}}(N_{}) + h_{H_{}}(M_{})\) or \(T_{}= E_{k_{}}(h_{H_{}}(M_{}))\), as our results are based on collisions in the hash function. Where necessary it will be made clear that a remark is dependent on one of these general constructions or the specific structure of GCM.

3 Polynomial-Based Authentication Schemes

We present below a brief description of some of the main authentication schemes based on polynomial evaluation hash functions that are of relevance to our work.

3.1 Galois/Counter Mode

Galois/Counter Mode (GCM) is an AEAD scheme submitted to NIST by McGrew and Viega in 2004, with the specification slightly revised in 2005 [26] (although the revision contained ‘no normative changes [from the 2004 specification]’). GCM combines counter mode encryption with a polynomial evaluation based MAC following the Encrypt–then–MAC paradigm, although the authentication key is derived from the block cipher key.

AES–GCM encryption takes as input: a key \(k_{}\), an initialisation vector \(\mathsf {IV}\) (the nonce), plaintext \(P_{}= {P_{}}_{1} {||} \dots {||} {P_{}}_{p}\) and additional data \(A_{}= {A_{}}_{1} {||} \dots {||} {A_{}}_{a}\). The key is 128, 192 or 256 bits long; the \(\mathsf {IV}\) should preferably be 96 bits long although any length is supported (see [18]); and for each \(i\), \(|P_{i}| = |A_{i}| = 128\) except for perhaps a partial final block. With this input, AES–GCM returns a ciphertext \(C_{}= {C_{}}_{1} {||} \dots {||} {C_{}}_{p}\) (the same length as the plaintext) and an authentication tag \(T_{}\).

The plaintext is encrypted using AES in counter mode, under key \(k_{}\) with counter value starting at \(\mathsf {CTR}_{1}\). If the \(\mathsf {IV}\) is 96 bits long the initial counter value (\(\mathsf {CTR}_{0}\)) is \(\mathsf {IV}||0^{31}1\), otherwise it is a polynomial evaluation based hash of \(\mathsf {IV}\) after zero padding (using the hash key described below). For each \(i\), \(\mathsf {CTR}_{i} = \mathsf {inc}(\mathsf {CTR}_{i-1})\), where \(\mathsf {inc}(\cdot )\) increments the last 32 bits of its argument (modulo \(2^{32}\)).

The authentication tag is computed from a polynomial evaluation hash (in \(\mathbb {F}_{2^{128}}\)). The message \(M_{}\) is parsed as \(128\)-bit blocks (with partial final blocks zero padded) and each block is interpreted as an element of \(\mathbb {F}_{2^{128}}\). The first block \(M_{1}\) encodes the length of the (unpadded) plaintext and additional data and will be referred to as the ‘length field’ throughout this paper. This is followed by blocks of additional data \({M_{}}_{2} {,} \dots {,} {M_{}}_{a+1} = {A_{}}_{a} {,} \dots {,} {A_{}}_{1}\) and then the encrypted plaintext \({M_{}}_{a+2} {,} \dots {,} {M_{}}_{a+p+1} = {C_{}}_{p} {,} \dots {,} {C_{}}_{1}\). Note that in this description the labelling of the blocks \(M_{i}\) are reversed from those given in the original GCM specification as this gives a neater description of the polynomial used in evaluating the hash function. The hash key \(H_{}\) is derived from the block cipher key: \(H_{}= E_{k_{}}(0^{128})\). The hash function is then computed as \(h_{H_{}}(M_{}) = \sum _{i=1}^{a+p+1} {M_{i}H_{}^i}\) (where all operations are in \(\mathbb {F}_{2^{128}}\)). The authentication tag is given by:

$$\begin{aligned} T_{M_{}} = {E_{}}_{k}(\mathsf {CTR}_{0}) \oplus h_{H_{}}(M_{}). \end{aligned}$$

3.2 Sophie Germain Counter Mode

In 2012, Saarinen [29] observed cycling attacks against GCM and other polynomial MACs and hashes. Following this Saarinen proposed SGCM [30] as a variant of GCM; SGCM differs from GCM only by the choice of field in which the hash is computed. SGCM uses \(\mathbb {F}_{q}\), where \(q=2^{128}+12451\), rather than \(\mathbb {F}_{2^{128}}\), as \(\mathbb {F}_{q}^\star \) has significantly fewer subgroups than \(\mathbb {F}_{2^{128}}^\star \). It was claimed that SGCM offers increased resistance to cycling attacks as a result of this change.

3.3 Poly1305–AES

Bernstein proposed Poly1305–AES in 2005 [2]Footnote 1. Poly1305–AES takes as input two 128-bit keys, one for AES and one for the hash (with some specific bits set to zero); a 128 bit nonce; and a message (a byte string). The output of Poly1305–AES is a 128-bit authentication tag.

The hash of a message is computed by evaluating a message-dependant polynomial at the secret key (in \(\mathbb {F}_{2^{130}-5}\)), and encrypting this by adding (in \(\mathbb {F}_{2^{130}-5}\)) the output of \(\mathsf {AES}_k(N)\) before reducing modulo \(2^{128}\).

4 Algebraic Structure of Polynomial-Based Authentication Schemes

Let \(\mathcal {H}\) be a family of hash functions \(\mathcal {H}= \left\{ h_{H_{}}: \{0,1\}^\star \rightarrow \{0,1\}^{n}\mid H_{}\in \mathcal {K}_{\mathcal {H}} \right\} \) based on polynomial evaluation and let \(M_{}\) be an input string. Let \(h_{H_{}}(M_{}) = g_{M_{}}(H_{})\), where \(g_{M_{}}(x)= \sum _{i=1}^m{M_{i} x^i} \in \mathbb {K}[x]\) and \(H_{}\in \mathbb {K}\). Now let \(q_{}(x) = \sum _{i=1}^r q_ix^i \in \mathbb {K}[x]\) be a polynomial with constant term zero, such that \(q_{}(H_{}) = 0\). Then it follows that

$$\begin{aligned} h_{H_{}}(M_{}) = g_{M_{}}(H_{}) = g_{M_{}}(H_{}) + q_{}(H_{}) = g_{M_{}+ Q}(H_{}) = h_{H_{}}(M_{}+ Q), \end{aligned}$$

where \(Q = q_1 || q_2 || \ldots || q_r\) and the addition \(M+Q\) is done block-wise (the shorter is zero-padded if required). Thus given a polynomial \(q(x)\) satisfying these properties, it is straightforward to construct collisions for the hash function. It is trivial to see that one can use any polynomial \(q(x) \in \langle x^2 - Hx \rangle \subseteq \mathbb {K}[x]\).

Collisions in the hash function correspond to MAC forgeries by substituting the original message for the one that yields a collision in the hash function. These forgeries arise from collisions in the hash function and hence the messages can be substituted without any dependence on the method or key used to encrypt the output of the hash function. This method allows an adversary to create forgeries when he has seen a tuple of (nonce, message, tag) by only modifying the message.

It should be noted that the polynomial defined by the message will always have a zero constant term and therefore the polynomial \(q(x)\) that is used to forge will always have \(x\) as a factor. If this term were non-zero and the hash of a message was encrypted additively (i.e. \(T_{}= E_{k_{}}(N_{}) + h_{H_{}}(M_{})\)), it would be possible to flip bits in the first message block and flip the same bits in the authentication tag to create a valid forgery. This is the major difference between Shoup’s Cryptographic CRC [32] and Rabin’s fingerprinting codes [27].

The main observation of this paper is that by working with polynomials in the ideal \(\langle x^2 - Hx \rangle \), it is straightforward to produce forgeries for polynomial evaluation based authentication schemes. In [29], Saarinen proposed cycling attacks by working with particular polynomials, namely \(x^n - x\) (for more detail, see Sect. 5.4). The forgery is successful if \((x-H) | (x^n - x\)) and therefore if \(x^n - x \in \langle x^2 - Hx \rangle \). However, the forgery will be successful if any polynomial in this ideal is used to mount a similar attack. Furthermore, use of these polynomials also makes it possible to test for membership of large subsets of the keyspace with a single valid (message, tag) pair and a single verification query (see Sect. 6).

4.1 Malleability

In [29], Saarinen also describes ‘targeted bit forgeries’ against GCM where, rather than swapping the full blocks \(M_{i}\) and \(M_{i+jt}\), corresponding bits in each ciphertext block are flipped. This can also be described by the more general attack, by using a multiple of \(q_{}(x)\).

If \(q_{}(H_{}) = 0\), then \(\alpha \cdot q_{}(H_{}) = 0\) for any \(\alpha \in \mathbb {K}\) and

$$\begin{aligned} T_{M_{}}&= E_{k_{}}(N_{}) + h_{H_{}}(M_{}) \\&= E_{k_{}}(N_{}) + M_{1} \cdot H_{}+ \dots + M_{m} \cdot H_{}^m\\&= E_{k_{}}(N_{}) + (M_{1} + \alpha q_{1}) \cdot H_{}+ \dots + (M_{m} + \alpha q_{m}) \cdot H_{}^m\\&= T_{M_{}+ \alpha Q} \end{aligned}$$

where \(T_{M_{}+ \alpha Q}\) is the authentication tag for the message \(M_{1} \oplus \alpha \cdot q_{1}|| \dots || M_{m} \oplus \alpha \cdot q_{m} \) (recall that \(M_{}\) contains the associated data, encrypted plaintext and the length of both).

If the plaintext is encrypted using a stream cipher (or a block cipher in counter mode) flipping bits in the ciphertext causes the same bits in the paintext to be flipped. This allows us to predict relations between the original plaintext and the forged plaintext (as \(C_{i} \oplus \alpha q_{i}\) decrypts to \(P_{i} \oplus \alpha q_{i}\)). Because \(\alpha \) can be chosen so as to set \(C_{i} \oplus \alpha q_{i}\) equal to any value chosen by the adversary (for a single \(i\)), an adversary can choose a differential (in a single block) between the original message and the forged message.

If further control over the underlying plaintext in required, several forgery polynomials could be used. In the best case, using \(t\) polynomials permits the adversary control over \(t\) message blocks. The cost of this extra malleability is that the forgery is only successful if the authentication key is a root of the greatest common divisor of the two polynomials. This can be extended to give as much control over the plaintext as required, but for every extra malleable block the success probability is reduced by at least \(\frac{1}{|\mathcal {K}_{\mathcal {H}}|}\).

If the plaintext were encrypted using a block cipher (not in counter mode) then an adversary would not have this fine control over the plaintext, but would still be able to manipulate the ciphertext in this way.

This property also permits an adversary to create as many forgeries as there are non-zero elements in the field (see [7, 25] for further discussion of multiple forgeries).

4.2 Length Extension

In the GCM specification, the last block input to the hash function (corresponding to the term \(M_1 \cdot H\) in the MAC calculation) describes the length of the plaintext and additional data. The more general attack described in this paper allows an adversary to manipulate the length field (even though it does not explicitly appear in the sent message). If an adversary is given a valid tag for a message then the content of the length field is known, as it correctly encodes the length of the plaintext and additional data. It is therefore possible to choose a differential in the length field so that it corresponds to the length of the new message. In particular, forgeries can be created using high degree polynomial \(q_{}(x)\) regardless of the size of the message in the initial (message, tag) pair.

This is an important remark as it removes one significant limitation on the effectiveness of cycling attacks against GCM [29], which is the length of the message necessary to launch an attack. For a cycling attack to be attempted, an adversary requires as many blocks of correctly authenticated data as there are elements in the subgroup with which he wishes to forge, in order to swap the first and last blocks. By manipulating the length field any forgery probability can be realised starting with a valid authentication tag on a single message block.

A common criticism of GCM is that the maximum message length may be restrictive in the future as data rates increase [15]. However, it follows from our work (and the original security proofs [24]) that increasing the maximum permissible length would significantly decrease the security of the scheme.

4.3 Key Recovery

Saarinen suggests that once a weak key has been identified (by a successful cycling attack), the adversary would create many forgeries by further cycling attacks [29, Sect. 9]. Translating this to the more general polynomial root description: once a successful forgery occurs, the authentication key is known to be one of the roots of the ‘forgery polynomial’ \(q_{}\). Therefore rather than making repeated ‘cycling forgeries’ with guaranteed success but limited control of the plaintext, the adversary can aim to recover the authentication key and forge authentication tags for arbitrary messages. By attempting to forge using a subset of the roots of the forgery polynomial (and reducing the number of roots in the subset after each successful attempt), an adversary can gradually recover the authentication key using a method that is independent of encryption method or key used. This would give a forgery probability less than 1 at each stage, however the adversary can choose a trade-off between the forgery probability and the speed of recovering the authentication key. This is analogous to the key recovery attack described by Handschuh and Preneel [16] (where the subsets are chosen to realise a binary search of the keyspace). Note that in the case of GCM, recovery of the hash key \(H\) does not lead to the recovery of the encryption key \(k_{}\) as \(H = E_{k_{}}(0)\).

4.4 Choosing Polynomials

To maximise the probability of a successful forgery it is important that the polynomial used to attempt a forgery has many distinct roots, as a root with multiplicities increases the degree of the polynomial (and hence the length of the attempted forgery) without increasing the probability of success. The naïve way to achieve this is to compute \(q_{}(x) = \prod _{i}{(x-H_{i})}\) for as many \(H_{i}\) as is required to give the desired forgery probability.

Alternatively, if the polynomial defined by the hash function is evaluated in \(\mathbb {F}_{p^r}\) and the irreducible factorisation of \(x^{p^r}-x\) is computed in a subfield \(\mathbb {F}_{p^d}\), a subset of these factors can be multiplied together (in \(\mathbb {F}_{p^d}\)). By choosing distinct irreducible factors, the roots of the product polynomial will be distinct. Cycling attacks [29] employ a variation on this method. The factorisation

$$\begin{aligned} 2^{2^n}-1 = \prod _{i=1}^n{2^{2^{i-1}} + 1} \end{aligned}$$

allows Saarinen to find factors of \(x^{2^{128}} - x\) in \(\mathbb {F}_{2}[x]\) which can be used in a cycling attack (although they are not necessarily irreducible):

$$\begin{aligned} x^{2^{128}} - x&= x(x-1)\frac{(x^3 - 1)}{x-1} \frac{(x^5 - 1)}{x-1} \frac{(x^{17} - 1)}{x-1} \cdots \\&= x(x-1)(1+x+x^2)(1+x+\dots +x^4)(1+x+\dots +x^{16})\dots \end{aligned}$$

To carry out a cycling attack using a subgroup of order \(t\), the factors \(x\), \((x-1)\) and \(\frac{(x^{t} - 1)}{x-1}\) are multiplied together to obtain the polynomial \(x^{t+1} - x\). In general there is no requirement to select \((x-1)\) or to use only three factors, for example the polynomial \(x(1+x+x^2)(1+x+\dots x^{16})\) could be used to give a forgery probability of \(\frac{19}{2^{128}}\). This is not a cycling attack, as the polynomial used contains more than two terms so the forgery does not involve simply swapping two message blocks, but it does rely on the same underlying algebraic structure.

A third option is to use a randomly selected polynomial in \(\mathbb {F}_{p^r}[x]\). One potential issue with this method is the presence of repeated factors. Square-free factorisation has been extensively studied as it is a common first step in many polynomial factorisation algorithms (for example, see [37, Ch. 14]). It may be feasible to sample polynomials from \(\mathbb {F}_{p^r}[x]\) randomly and process this polynomial to make it more desirable by removing repeated factors. This method does not appear promising due to the large number of irreducible polynomials of any given degree in \(\mathbb {F}_{p^r}[x]\) and the observation that a degree \(d\) polynomial that consists of a single linear factor and an irreducible polynomial of degree \(d-1\) is almost as bad as a degree \(d\) irreducible polynomial from a forgery probability perspective. Irreducible polynomials in \(\mathbb {F}_{p}\) that are known to have a root in \(\mathbb {F}_{p^r}\) would be good candidates for attempting forgeries as the normality of \(\mathbb {F}_{p^r}/\mathbb {F}_{p}\) guarantees that these polynomials will split into linear factors. Unfortunately this does not appear to be a well studied area. A further disadvantage of choosing random polynomials is that, although the roots of a polynomial in \(\mathbb {K}[x]\) can be identified efficiently (see [1] for example), it would be unlikely that a non-intersecting subset of the keyspace would be used for a second forgery attempt if the first was unsuccessful.

5 Existing Attacks Against GCM

We show below that the four known attacks on GCM can be described as special cases of the properties discussed in Sect. 4.

5.1 Ferguson’s Short Tag Attack

Ferguson’s attack against GCM when short tags are used [15] begins by attempting to forge using a particular class of polynomials (linearised polynomials). Linearised polynomials have the property that their roots form a linear subspace of the splitting field of the polynomial (see [23, Chap. 3.4] for an overview). Ferguson uses polynomials in \(\mathbb {F}_{2}[x]\) that split over \(\mathbb {F}_{2^{128}}\), so the roots correspond to possible authentication keys and it is possible to describe the roots of a linearised polynomial using a matrix over \(\mathbb {F}_{2}\). Multiple successful forgeries reduce the dimension of the subspace of the keyspace that contains the authentication key and eventually an adversary can recover the key.

5.2 Joux’s Forbidden Attack

Joux’s ‘forbidden attack’ against GCM [19] is also a specific case of the properties discussed in this paper. This attack requires two messages, \(M_{}\) and \(M_{}^\prime \), that are authenticated with the same (key, IV) pair. Reusing the (key, IV) pair in GCM has the effect of reusing \(H_{}\), \(k_{}\) and \(N_{}\):

$$\begin{aligned} T_{M_{}} \oplus T_{M_{}^\prime }&= (h_{H_{}}(M_{}) \oplus f_{k_{}}(N_{})) \oplus (h_{H_{}}(M_{}^\prime ) \oplus f_{k_{}}(N_{})) \\&= h_{H_{}}(M_{}) \oplus h_{H_{}}(M_{}^\prime ) \\&= h_{H_{}}(M_{}\oplus M_{}^\prime ) \end{aligned}$$

The adversary knows \(T_{M_{}}\), \(T_{M_{}^\prime }\) and both messages so is able to derive a polynomial that is satisfied by the hash key. This attack is prevented if we only consider nonce-respecting adversaries.

5.3 Handschuh and Preneel

Handschuh and Preneel [16] describe a key recovery attack and a method to verify a guess for a key. They identify the key recovery attack as an extension of Joux’s ‘forbidden attack’ which does not require nonce reuse. It consists of attempting to create a forgery and then searching through the roots of the polynomial defined by the difference betweeen the original message and the forged message. This was initially identified by Black and Cochran [6], but extended and generalised by Handschuh and Preneel. The method for verifying a key guess \(H_{}\) corresponds precisely with attemping to forge using the polynomial \((x^2-H_{}x)\).

Handschuh and Preneel consider their attack to be infeasible for GCM due to the blocksize of 128 bits, however it is precisely as feasible as Saarinen’s cycling attacks.

5.4 Saarinen’s Cycling Attacks

In 2012, Saarinen observed cycling attacks against GCM and other polynomial-based MACs and hashes [29]. If a hash key \(H_{}\) lies in a subgroup of order \(t\), then \(H_{}^t= 1 \in \mathbb {K}\) and (for any \(i,j\)) message blocks \(M_{i}\) and \(M_{i+jt}\) can be swapped without changing the value of the hash.

For example (ignoring GCM’s length encoding), if \(H_{}^4 = H_{}\) then blocks \(M_{1}\) and \(M_{4}\) can be swapped without changing the value of the hash:

$$\begin{aligned} h_{H_{}}(M_{1}||M_{2}||M_{3}||M_{4})&= M_{1}\cdot H_{}\oplus M_{2} \cdot H_{}^2 \oplus M_{3} \cdot H_{}^3 \oplus M_{4} \cdot H_{}^4 \\&= M_{4}\cdot H_{}\oplus M_{2} \cdot H_{}^2 \oplus M_{3} \cdot H_{}^3 \oplus M_{1} \cdot H_{}^4 \\&= h_{H_{}}(M_{4}||M_{2}||M_{3}||M_{1}). \end{aligned}$$

It is more natural and general to consider the authentication keys that fall in low order subgroups as roots of a low degree polynomial. Cycling attacks correspond to the general attack introduced in this paper, using the polynomial

$$\begin{aligned} q_{}(x) = (M_{i} - M_{i+jt})(x^{t+1} - x), \end{aligned}$$

noting that in fields of characteristic 2 subtraction is the same as \(\oplus \).

$$\begin{aligned} h_{H_{}}(M_{1}||M_{2}||M_{3}||M_{4}) =&M_{1} \cdot H_{}\oplus M_{2} \cdot H_{}^2 \oplus M_{3} \cdot H_{}^3 \oplus M_{4} \cdot H_{}^4 \\ =&M_{1} \cdot H_{}\oplus M_{2} \cdot H_{}^2 \oplus M_{3} \cdot H_{}^3 \oplus M_{4} \cdot H_{}^4 \\&\oplus (M_{1} \oplus M_{4}) \cdot H_{}\oplus (M_{1} \oplus M_{4}) \cdot H_{}^4 \\ =&M_{4} \cdot H_{}\oplus M_{2} \cdot H_{}^2 \oplus M_{3} \cdot H_{}^3 \oplus M_{1} \cdot H_{}\\ =&h_{H_{}}(M_{4}||M_{2}|| M_{3}||M_{1}) \end{aligned}$$

Using the more general ‘polynomial roots’ description it is possible to forge using any subset of the keyspace. If the authentication keys that we wish to attempt to forge with are the elements of a low order subgroup, for example the order three subgroup of \(\mathbb {F}_{2^{128}}^\star \) (identified by Saarinen [29, Sect. 4.1]) plus the all zero key:

$$\begin{aligned}&H_{0} = {\mathtt {00~~00~~00~~00~~00~~00~~00~~00~~00~~00~~00~~00~~00~~00~~00~~00}} \\&H_{1} = {\mathtt {80~~00~~00~~00~~00~~00~~00~~00~~00~~00~~00~~00~~00~~00~~00~~00}} \\&H_{2} = {\mathtt {10~~D0~~4D~~25~~F9~~35~~56~~E6~~9F~~58~~CE~~2F~~8D~~03~~5A~~94}} \\&H_{3} = {\mathtt {90~~D0~~4D~~25~~F9~~35~~56~~E6~~9F~~58~~CE~~2F~~8D~~03~~5A~~94}} \end{aligned}$$

then the polynomial that is created corresponds precisely to Saarinen’s cycling attack. In this case \((x-H_{0})(x-H_{1})(x-H_{2})(x-H_{3}) = x^4 - x\).

6 Weak Keys for Polynomial-Based Authentication Schemes

For any cryptographic algorithm, a relevant question for its security assessment is whether it contains weak keys. Handschuh and Preneel [16, Sect. 3.1] give the following definition of weak keys:

In symmetric cryptology, a class of keys [\(\mathcal {D}\)] is called a weak key class if for the members of that class the algorithm behaves in an unexpected way and if it is easy to detect whether a particular unknown key belongs to this class. For a MAC algorithm, the unexpected behavior can be that the forgery probability for this key is substantially larger than average. Moreover, if a weak key class [\(\mathcal {D}\)] is of size \(C\), one requires that identifying that a key belongs to this class requires testing fewer than \(C\) keys by exhaustive search and fewer than \(C\) verification queries.

Handschuh and Preneel [16] identify \(0\) as a weak authentication key for GCM and other similar constructions as \(h_{0}(M_{}) = 0\) for every message \(M_{}\). Following the definition above and because \(|\mathcal {D}| = 1\), an adversary is not allowed to test any key by exhaustive search, nor are they allowed any verification queries. For a single element subset of the keyspace \(\mathcal {D}= \{H_{}^\star \}\) to be a weak key class, a nonce-respecting adversary has to be able to identify whether or not \(H_{}= H_{}^\star \) when they are given a number of (message, tag) pairs of their choosing (each created using a different \(\mathsf {IV}\)). We note that a nonce-respecting adversary can detect whether \(\mathcal {D}= \{0\}\) if \(|\mathsf {IV}| \ne 96\): in this case all \(\mathsf {IV}\)s hash to give the same initial counter value and \(h_{0}(M_{}) = 0\) for every message \(M_{}\) so all messages have the same authentication tag (as identified in [24, Sect. 5]). If \(|\mathsf {IV}| = 96\) a different initial counter value is used to encrypt the output of the hash function and so although the output of the hash function does not change this cannot be detected given the output of the MAC algorithm.

Saarinen [29] demonstrated that the situation is much worse than described by Handschuh and Preneel, as he was able to find classes of weak keys where the authentication key falls in a low order subgroup of \(\mathbb {K}^\star \). It is then possible to create a valid forgery by swapping two message blocks of a valid (message, tag) pair without changing the authentication tag if the authentication key lies in a subgroup with order dividing the distance between the swapped message blocks.

This forgery will be successful if and only if the key is an element of such a subgroup and therefore this provides a simple method for identifying weak keys which requires one valid (message, tag) pair and one verification query. These classes of weak keys therefore meet Handschuh and Preneel’s definition of weak keys.

For example, the subset of authentication keys corresponding zero and the elements of the subgroup of order 3 in \(\mathbb {F}_{2^{128}}\) is a weak key class. Membership of this subset can be confirmed by a successful forgery if \(M_{i}\) and \(M_{j}\) are swapped and \(i \equiv j \mod 3\). This is equivalent to attempting a forgery using (a multiple of) the polynomial \(x^4 - x\).

However, it follows from the discussion in Sect. 4 that it is possible to derive comparable statements for any set of authentication keys in \(\mathbb {F}_{2^{128}}\), except that rather than ‘nice’ binary descriptions, the polynomial description will involve elements of \(\mathbb {F}_{2^{128}}\). In particular, for any set of authentication keys \(\mathcal {D}\) we can use any polynomial in the ideal \(\prod _{H_{}\in \mathcal {D}} \langle x^2 - H_{}x \rangle \) to test for membership of that subset of the keyspace. It follows that almost every subset of the GCM keyspace is weak. We discuss this issue further in Sects. 6.1 and 7.

6.1 Keyspace Search

Based on the properties discussed in Sect. 4 it is possible to test for membership of any subset of the keyspace using at most two verification queries. Membership of subsets that include the zero key can be tested by setting \(q_{}(x) = \prod _{H_{}\in \mathcal {D}}{(x-H_{})}\). This therefore requires one verification query, independent of the size of \(\mathcal {D}\). To test for membership of a subset \(\mathcal {D}\) that does not include zero, first test whether \(H_{}\in \mathcal {D}\cup \{0\}\) and then rule out \(H_{}= 0\) using the method described below. This therefore requires two verification queries, but again is independent of the size of \(\mathcal {D}\). The distinction between subsets including zero or not including zero is a consequence of the constant term of \(g_{M_{}}(x)\) being zero to avoid predictable changes in the output of the hash from flipping low order bits.

Therefore, using Handschuh and Preneel’s definition, a set \(\mathcal {D}\) of GCM authentication keys is a weak key class if either: \(|\mathcal {D}| \ge 3\) or \(|\mathcal {D}| \ge 2\) and \(0 \in \mathcal {D}\).

Given one valid (message, tag) pair for a single block message and one verification query it is easy to determine whether or not \(H_{}= 0\). If the adversary attempts to forge using any other single block message and the same tag, then the forgery is successful if and only if \(H_{}= 0\) as seen below.

If no length encoding is used:

$$\begin{aligned} T_{}&= E_{}(\mathsf {CTR}_{0}) + (M_{}\cdot H_{}) \\&= E_{}(\mathsf {CTR}_{0}) + (M_{}^\prime \cdot H_{}) \\&\Leftrightarrow (M_{}- M_{}^\prime )\cdot H_{}= 0 \\&\Leftrightarrow M_{}= M_{}^\prime ~\text {or}~H_{}= 0 \end{aligned}$$

If a GCM style length encoding is used:

$$\begin{aligned} T_{}&= E_{}(\mathsf {CTR}_{0}) + (\text {length} \cdot H_{}) + (M_{}\cdot H_{}^2) \\&= E_{}(\mathsf {CTR}_{0}) + (\text {length} \cdot H_{}) + (M_{}^\prime \cdot H_{}^2) \\&\Leftrightarrow (M_{}- M_{}^\prime )\cdot H_{}^2 = 0 \\&\Leftrightarrow M_{}= M_{}^\prime ~\text {or}~H_{}= 0 \end{aligned}$$

By testing for membership of subsets of the keyspace, it is plausible that an adversary could recover one bit of the authentication key with each forgery attempt. If \(q_{}(x) = \prod _{H_{}\in \mathcal {Y}}{(x - H_{})}\), where \(\mathcal {Y}\) is the set of authentication keys for which the first bit is zero, then a successful forgery confirms that the first bit of the authentication key is zero and a failure confirms that the first bit is one. Repeating this for each bit of the authentication key, the whole key could be recovered using 128 verification queries.

This would require unfeasibly large messages to be used in the forgery attempts in the case of authentication keys corresponding to elements of a field with \(|\mathbb {K}| \approx 2^{128}\), but it is a strong argument against using a hash function based on polynomial evaluation in a field with \(|\mathbb {K}| \ll 2^{128}\). This may be a direction taken by variants of GCM designed to improve the performance of GCM (see [40] for one such example), however we recommend extreme caution when considering these modifications. In the case of GCM the size of the subsets that can be tested is limited to around \(2^{56}\) as the maximum message length is limited.

One advantage of being able to test for membership of arbitrary subsets is that it allows the adversary to use any partial knowledge of the authentication key that they may have.

7 Discussions and Conclusions

7.1 Choice of Fields

It is true that the security against cycling attacks, as presented in [29], can be increased by evaluating a hash function in a field with a multiplicative group, the order of which does not have many factors. However the attack introduced in this paper (of which cycling attacks is a special case) applies equally well in any finite field, so Saarinen’s claim that ‘The security of polynomial-evaluation MACs against attacks of this type of attack can be determined from the factorization of the group size in a straightforward manner’ [29, Sect. 8] is somewhat misleading.

Saarinen’s claim is valid in the sense that the factorisation of \(|\mathbb {K}| - 1\) determines the extent to which the process of computing irreducible factors will succeed; however an attack using \(\prod _{H_{}\in \mathcal {D}}{(x - H_{})}\) will work equally well in every field. In particular, it follows from our work that the SGCM variant of GCM has the same inherent weaknesses regarding polynomial based forgery attacks.

7.2 Length Extension

It is unfortunate that including the length of the additional authenticated data and plaintext in the input to the hash function is not sufficient to prevent the length extension attack presented in this paper. In schemes that use a GCM–like length encoding, if the value of the length field were encrypted using a block cipher before being input to the hash function, it would not be possible to alter the message length as described in Sect. 4. However, one of the design goals of GCM was to take advantage of AES pipelining, which precludes the use of the block cipher to compute the authentication tag.

7.3 Malleability

Part of the reason that this weakness in the algebraic structure of polynomial hashing is problematic for GCM is that it allows an adversary to choose the changes that are made to the plaintext in a forged message. This is because addition in a field of characteristic 2 is used for both the counter mode encryption and the hash function evaluation.

One way to avoid this issue is to use different operations during encryption and MAC generation. This is one significant advantage that (CTR & Poly1305–AES) [2] has over GCM, as in this scheme the MAC is computed using addition in a prime order field while the message is encrypted using addition in a field of characteristic 2.

An alternative method to increase the difficulty for an adversary attempting to make meaningful manipulations of plaintext is to use a mode of operation other than CTR as this will prevent the ‘targeted bit forgeries’ described by Saarinen [29, Sect. 6] and the analogous forgeries in this paper.

GCM roughly follows the Encrypt–then–MAC paradigm, as is generally perceived to be best practice (although MAC–then–Encrypt has also been proved secure in the nonce-based AEAD setting [28]). Despite going against the perceived best practice, using a MAC–then–Encrypt approach (in addition to the proposed changes described above) would make it harder for an adversary to create ciphertexts that correctly decrypt to a plaintext known to be related to a (plaintext,ciphertext) pair obtained from a query. We note however that the introduction of other weaknesses caused by making these changes has not been ruled out.

7.4 Weak Keys

The weak key classes that are identified in Sect. 6 cause the forgery probability to be higher than expected because an adversary can detect whether the authentication key that is being used is a member of that class and can then forge with probability one.

The broader issue with polynomial evaluation based hashes is that it is possible to test for membership of large subsets of the keyspace with only one or two verification queries and once an adversary has successfully confirmed membership of a subset he can either continue to forge messages or conduct a search of a much reduced keyspace. This is an unusual and undesirable property of a cryptosystem.

It is interesting that the two-element subsets of the keyspace containing zero are weak key classes, while those that do not contain zero are not, yet any subset of the keyspace containing at least three elements is weak. This perhaps suggests a problem with the definition of a weak key class. In our opinion the definition is correct and the observations made in this paper are unavoidable properties of hash functions based on polynomial evaluation that result from the algebraic structure of the construction, so are not best described in terms of the number of weak keys.

The most important discussion around this issue is whether an algorithm in which almost every subset of the keyspace is a weak key class is a weak algorithm or whether this is a property of the construction that, although highly undesirable, is not considered to reduce the security of the scheme to an unacceptable level. We suggest that in the case of GCM it is the latter; in other polynomial-based MAC schemes with different parameters it may be the former and this property must be considered when designing and evaluating schemes.