Abstract
Polynomial hashing as an instantiation of universal hashing is a widely employed method for the construction of MACs and authenticated encryption (AE) schemes, the ubiquitous GCM being a prominent example. It is also used in recent AE proposals within the CAESAR competition which aim at providing nonce misuse resistance, such as POET. The algebraic structure of polynomial hashing has given rise to security concerns: At CRYPTO 2008, Handschuh and Preneel describe key recovery attacks, and at FSE 2013, Procter and Cid provide a comprehensive framework for forgery attacks. Both approaches rely heavily on the ability to construct forgery polynomials having disjoint sets of roots, with many roots (“weak keys”) each. Constructing such polynomials beyond naïve approaches is crucial for these attacks, but still an open problem.
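The algebraic fact that the attacks above rely on is that a polynomial hash evaluates the message, viewed as a polynomial, at the secret key H, so two messages collide exactly when their difference polynomial has H as a root. The following is an added worked example (not code from the paper, and not a GHASH implementation from any library) that shows this structure in a small script: it implements GF(2^128) arithmetic with GCM's reduction polynomial in the natural polynomial basis (an assumption for readability; real GHASH uses a bit-reflected encoding of field elements), the Horner-style polynomial hash, and a naïve "product of linear factors" construction of a polynomial with a chosen set of roots, whose degree, and hence block count, grows linearly with the number of roots. The sample roots are constructed values.

```python
# Added example: polynomial hashing over GF(2^128) and the key-as-root property.
# Field elements are Python ints in the natural polynomial basis (assumption:
# this is NOT GCM's bit-reflected encoding, which only changes the bit order).
R = (1 << 128) | 0x87  # x^128 + x^7 + x^2 + x + 1, the GCM reduction polynomial


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^128) by shift-and-add with reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:       # degree reached 128: reduce modulo R
            a ^= R
    return r


def poly_hash(h: int, blocks: list[int]) -> int:
    """Polynomial hash of the block sequence m_1..m_n under key h:
    sum_i m_i * h^(n-i+1), computed by Horner's rule (the GHASH shape)."""
    acc = 0
    for m in blocks:
        acc = gf_mul(acc ^ m, h)
    return acc


def poly_from_roots(roots: list[int]) -> list[int]:
    """Coefficients (highest degree first) of prod_{r in roots} (x + r) over
    GF(2^128): the naïve way to build a polynomial with a prescribed root set.
    Its degree equals len(roots), so every extra root costs one more block."""
    coeffs = [1]
    for r in roots:
        new = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            new[i] ^= c                 # c * x  (shift coefficient up)
            new[i + 1] ^= gf_mul(c, r)  # c * r  (characteristic 2: minus == plus)
        coeffs = new
    return coeffs


def hashes_collide(h: int, blocks_a: list[int], blocks_b: list[int]) -> bool:
    """Two equal-length messages collide under h iff their XOR-difference
    polynomial vanishes at h (the hash is GF(2)-linear in the message)."""
    return poly_hash(h, blocks_a) == poly_hash(h, blocks_b)


def key_is_root(h: int, coeffs: list[int]) -> bool:
    """True iff the polynomial with these coefficients has h as a root, i.e.
    appending/XORing these blocks into a message leaves the hash unchanged."""
    return poly_hash(h, coeffs) == 0


if __name__ == "__main__":
    # Constructed sample key and root set; any key in the root set is "weak"
    # with respect to this polynomial in the sense used by the paper.
    roots = [0x03, 0x05, 0x1234]
    coeffs = poly_from_roots(roots)
    print("degree / number of blocks:", len(coeffs) - 1)
    for h in (0x03, 0x05, 0x1234, 0x07):
        print(hex(h), "is a root:", key_is_root(h, coeffs))
    # Linearity: hash(a) ^ hash(b) == hash(a ^ b) blockwise.
    a, b = [0x11, 0x22, 0x33], [0x44, 0x55, 0x66]
    h = 0xDEADBEEF
    print("linear:", poly_hash(h, a) ^ poly_hash(h, b)
          == poly_hash(h, [x ^ y for x, y in zip(a, b)]))
```

Note that h = 0 is a root of every such polynomial (the all-zero key is the classical weak key), and that the paper's contribution is precisely to replace `poly_from_roots`, whose block count equals the number of roots, by sparse twisted polynomials that cover a large, explicitly described root set with far fewer non-zero blocks.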
In this paper, we comprehensively address this issue. We propose to use twisted polynomials from Ore rings as forgery polynomials. We show how to construct sparse forgery polynomials with full control over the sets of roots. We also achieve complete and explicit disjoint coverage of the key space by these polynomials. We furthermore leverage this new construction in an improved key recovery algorithm.
As cryptanalytic applications of our twisted polynomials, we develop the first universal forgery attacks on GCM in the weak-key model that do not require nonce reuse. Moreover, we present universal weak-key forgeries for the nonce-misuse resistant AE scheme POET, which is a CAESAR candidate.
Due to page limitations, several details are omitted in this proceedings version. A full version is available at [2].
References
CAESAR: Competition for Authenticated Encryption: Security, Applicability, and Robustness, March 2014. http://competitions.cr.yp.to/caesar.html
Abdelraheem, M.A., Beelen, P., Bogdanov, A., Tischhauser, E.: Twisted Polynomials and Forgery Attacks on GCM. IACR ePrint Archive (2015)
Abed, F., Fluhrer, S., Foley, J., Forler, C., List, E., Lucks, S., McGrew, D., Wenzel, J.: The POET Family of On-Line Authenticated Encryption Schemes. Submission to the CAESAR competition, March 2014
Andreeva, E., Luykx, A., Mennink, B., Yasuda, K.: COBRA: a parallelizable authenticated online cipher without block cipher inverse. In: Cid, C., Rechberger, C. (eds.) Fast Software Encryption, FSE 2014. LNCS, p. 24. Springer (2014) (to appear)
Bahack, L.: Julius: Secure Mode of Operation for Authenticated Encryption Based on ECB and Finite Field Multiplications. Submission to the CAESAR competition, March 2014. http://competitions.cr.yp.to/round1/juliusv10.pdf
Dworkin, M.: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC. NIST Special Publication 800-38D, November 2007. http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Ferguson, N.: Authentication weaknesses in GCM. Comments submitted to NIST Modes of Operation Process (2005)
Goss, D.: Basic structures of function field arithmetic. Ergebnisse der Mathematik und ihrer Grenzgebiete (3) [Results in Mathematics and Related Areas (3)], vol. 35. Springer, Berlin (1996)
Guo, J., Jean, J., Peyrin, T., Lei, W.: Breaking POET Authentication with a Single Query. Cryptology ePrint Archive, Report 2014/197 (2014) http://eprint.iacr.org/
Handschuh, H., Preneel, B.: Key-recovery attacks on universal hash function based MAC algorithms. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 144–161. Springer, Heidelberg (2008)
Joux, A.: Authentication Failures in NIST version of GCM. Comments submitted to NIST Modes of Operation Process (2006)
McGrew, D., Fluhrer, S., Lucks, S., Forler, C., Wenzel, J., Abed, F., List, E.: Pipelineable on-line encryption. In: Cid, C., Rechberger, C. (eds.) Fast Software Encryption, FSE 2014. LNCS, p. 24. Springer (2014) (to appear)
McGrew, D., Viega, J.: The Galois/Counter Mode of Operation (GCM). Submission to NIST (2004). http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/gcm/gcm-spec.pdf
Nandi, M.: Forging attacks on two authenticated encryptions COBRA and POET. Cryptology ePrint Archive, Report 2014/363 (2014). https://eprint.iacr.org/2014/363
Procter, G., Cid, C.: On weak keys and forgery attacks against polynomial-based MAC schemes. In: Moriai, S. (ed.) FSE 2013. LNCS, vol. 8424, pp. 287–304. Springer, Heidelberg (2014)
Procter, G., Cid, C.: On weak keys and forgery attacks against polynomial-based MAC schemes. Cryptology ePrint Archive, Report 2013/144 (2013). http://eprint.iacr.org/
OpenSSL Project. https://www.openssl.org/
OpenSSL Project. GCM Implementation: crypto/modes/gcm128.c. https://www.openssl.org/source/ (latest release: April 7, 2014) (openssl-1.0.1g)
Rogaway, P.: Evaluation of some blockcipher modes of operation. Evaluation carried out for the Cryptography Research and Evaluation Committees (CRYPTREC) for the Government of Japan (2011)
Saarinen, M.-J.O.: Cycling attacks on GCM, GHASH and other polynomial MACs and hashes. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 216–225. Springer, Heidelberg (2012)
Wegman, M.N., Carter, J.L.: New hash functions and their use in authentication and set equality. Journal of Computer and System Sciences 22(3), 265–279 (1981)
© 2015 International Association for Cryptologic Research
Abdelraheem, M.A., Beelen, P., Bogdanov, A., Tischhauser, E. (2015). Twisted Polynomials and Forgery Attacks on GCM. In: Oswald, E., Fischlin, M. (eds.) Advances in Cryptology -- EUROCRYPT 2015. Lecture Notes in Computer Science, vol. 9056. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-46800-5_29
DOI: https://doi.org/10.1007/978-3-662-46800-5_29
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-46799-2
Online ISBN: 978-3-662-46800-5