nach oben

Journal of Cryptology

Erschienen in:

01.10.2015

On Weak Keys and Forgery Attacks Against Polynomial-Based MAC Schemes

verfasst von: Gordon Procter, Carlos Cid

Erschienen in: Journal of Cryptology | Ausgabe 4/2015

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Universal hash functions are commonly used primitives for fast and secure message authentication in the form of message authentication codes or authenticated encryption with associated data schemes. These schemes are widely used and standardised, the most well known being McGrew and Viega’s Galois/Counter Mode (GCM). In this paper we identify some properties of hash functions based on polynomial evaluation that arise from the underlying algebraic structure. As a result we are able to describe a general forgery attack, of which Saarinen’s cycling attack from FSE 2012 is a special case. Our attack removes the requirement for long messages and applies regardless of the field in which the hash function is evaluated. Furthermore we provide a common description of all published attacks against GCM, by showing that the existing attacks are the result of these algebraic properties of the polynomial-based hash function. We also greatly expand the number of known weak GCM keys and show that almost every subset of the keyspace is a weak key class. Finally, we demonstrate that these algebraic properties and the corresponding attacks are highly relevant to GCM/\(2^+\), a variant of GCM designed to increase the efficiency in software.

Vorheriger Artikel Almost-Everywhere Secure Computation with Edge Corruptions

Nächster Artikel Spreading Alerts Quietly and the Subgroup Escape Problem

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

There is a preliminary version from 2004 on his website: http://cr.yp.to/mac.html.

K. Aoki, K. Yasuda, The security and performance of “GCM” when short multiplications are used instead, in M. Kutyłowski, M. Yung (eds), Information Security and Cryptology. Lecture Notes in Computer Science, vol. 7763 (Springer, Berlin Heidelberg, 2013), pp. 225–245.

E. R. Berlekamp, Factoring polynomials over large finite fields. Newblock, Math. Comp. 24:713–735 (1970)

D. J. Bernstein, The Poly1305-AES message-authentication code. Slides from FSE, 2005. http://cr.yp.to/talks/2005.02.21-1/slides.pdf

D.J. Bernstein, Stronger security bounds for Wegman–Carter–Shoup authenticators, in R. Cramer (ed), Advances in Cryptology EUROCRYPT 2005. Lecture Notes in Computer Science, vol. 3494 (Springer, Berlin Heidelberg, 2005) pp. 164–180

D.J. Bernstein, The Poly1305-AES message-authentication code, in H. Gilbert, Helena Handschuh (eds), Fast Software Encryption. Lecture Notes in Computer Science, vol. 3557 (Springer, Berlin Heidelberg, 2005), pp. 32–49

J. Bierbrauer, T. Johansson, G. Kabatianskii, B. Smeets, On families of hash functions via geometric codes and concatenation, in D.R. Stinson (ed), Advances in Cryptology CRYPTO’ 93. Lecture Notes in Computer Science, vol. 773 (Springer, Berlin Heidelberg, 1994) pp. 331–342

J. Black, S. Halevi, H. Krawczyk, T. Krovetz, P. Rogaway, UMAC: fast and secure message authentication, in M. Wiener (ed), Advances in Cryptology CRYPTO’ 99. Lecture Notes in Computer Science, vol. 1666 (Springer, Berlin Heidelberg, 1999), pp. 216–233. Full version, available at http://www.cs.ucdavis.edu/rogaway/papers/umac

J. Black, M. Cochran, MAC reforgeability. Cryptology ePrint Archive, Report 2006/095, 2006

J. Black, M. Cochran, MAC reforgeability, in O. Dunkelman (ed), Fast Software Encryption. Lecture Notes in Computer Science, vol. 5665 (Springer, Berlin Heidelberg, 2009), pp. 345–362

10.

G. Brassard, On computationally secure authentication tags requiring short secret shared keys, in D. Chaum, R.L. Rivest, A.T. Sherman (eds), Advances in Cryptology, (Springer, US, 1983), pp. 79–86

11.

L. Carlitz, The arithmetic of polynomials in a Galois field. Proc. Natl. Acad. Sci. 17(2), 120–122 (1931)

12.

J. Lawrence Carter, M.N. Wegman, Universal classes of hash functions (extended abstract), in Proceedings of the Ninth Annual ACM Symposium on Theory of Computing, STOC ’77, ACM, (New York, NY, USA, 1977), pp. 106–112

13.

J. Lawrence, Carter, M.N. Wegman, Universal classes of hash functions, J. Comput. Syst. Sci. 18(2), 143–154 (1979)

14.

B. den Boer, A simple and key-economical unconditional authentication scheme, J. Comput. Secur. 2:65–72 (1993)

15.

M. Dworkin Recommendation for block cipher modes of operation: Galois/counter mode (GCM) and GMAC. NIST Special Publication 800–38D, http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf, Nov 2007

16.

M. Etzel, S. Patel, Z. Ramzan, Square hash: fast message authentication via optimized universal hash functions, in M. Wiener (ed), Advances in Cryptology CRYPTO’ 99. Lecture Notes in Computer Science, vol. 1666 (Springer, Berlin Heidelberg, 1999), pp. 234–251

17.

N. Ferguson. Authentication weaknesses in GCM. Comments submitted to NIST Modes of Operation Process, http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf, 2005

18.

E. N. Gilbert, F. J. MacWilliams, N. J. A. Sloane, Codes which detect deception. Technical Report 3, Bell Sys. Tech. J., Mar 1974

19.

S. Halevi, H. Krawczyk, MMH: Software message authentication in the Gbit/second rates, in E. Biham (ed), Fast Software Encryption. Lecture Notes in Computer Science, vol. 1267 (Springer, Berlin Heidelberg, 1997), pp. 172–189

20.

H. Handschuh, B. Preneel, Key-recovery attacks on Universal hash function based MAC algorithms, in D. Wagner (ed), Advances in Cryptology CRYPTO 2008. Lecture Notes in Computer Science, vol. 5157 (Springer, Berlin Heidelberg, 2008), pp. 144–161

21.

K. Igoe, J. Solinas. AES Galois counter mode for the secure shell transport layer protocol. IETF Request for Comments 5647, http://tools.ietf.org/html/rfc5647, 2009

22.

T. Iwata, K. Ohashi, K. Minematsu, Breaking and repairing GCM security proofs, in R. Safavi-Naini, R. Canetti (eds), Advances in Cryptology CRYPTO 2012. Lecture Notes in Computer Science, vol. 7417 (Springer, Berlin Heidelberg, 2012), pp. 31–49

23.

A. Joux. Authentication failures in NIST version of GCM. Comments submitted to NIST Modes of Operation Process, http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/800-38_Series-Drafts/GCM/Joux_comments.pdf, 2006

24.

T. Kohno, J. Viega, D. Whiting, CWC: a high-performance conventional authenticated encryption mode, in B. Roy, W. Meier (eds), Fast Software Encryption. Lecture Notes in Computer Science, vol. 3017 (Springer, Berlin Heidelberg, 2004), pp. 408–426

25.

H. Krawczyk, LFSR-based hashing and authentication, in Y.G. Desmedt (ed), Advances in Cryptology CRYPTO ’94. Lecture Notes in Computer Science, vol. 839 (Springer, Berlin Heidelberg, 1994), pp. 129–139

26.

L. Law, J. Solinas. Suite B Cryptographic Suites for IPsec. IETF Request for Comments 6379, http://tools.ietf.org/html/rfc6379, 2011

27.

R. Lidl, H. Niederreiter, Finite fields. Encylopedia of Mathematics and its Applications. vol. 20 Cambridge University Press, 2nd edition, 1997

28.

D.J.C. MacKay, S. Mahajan, Numbers that are sums of squares in several ways. http://www.cs.toronto.edu/~mackay/sumsquares.pdf, 2001

29.

D.A. McGrew, S.R. Fluhrer, Multiple forgery attacks against message authentication codes. Comments submitted to NIST on the Choice Between CWC or GCM, http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/multi-forge-01.pdf, 2005

30.

D.A. McGrew, J. Viega, The Galois/counter mode of operation (GCM). Submission to NIST Modes of Operation Process, http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf, May 2005

31.

D.A. McGrew, J. Viega, The security and performance of the Galois/counter mode (GCM) of operation, in A. Canteaut, K. Viswanathan (eds), Progress in Cryptology INDOCRYPT 2004. Lecture Notes in Computer Science, vol. 3348 (Springer, Berlin Heidelberg, 2005), pp. 343–355

32.

D. Panario, What do random polynomials over finite fields look like? in G.L. Mullen, A. Poli, H. Stichtenoth (eds), Finite Fields and Applications. Lecture Notes in Computer Science, vol. 2948 (Springer, Berlin Heidelberg, 2004), pp. 89–108

33.

M. O. Rabin, Fingerprinting by random polynomials. Center for Research in Computing Technology, Harvard University, Technical, Report TR-15-81, 1981

34.

P. Rogaway, Authenticated-encryption with associated-data, in V. Atluri (ed), ACM Conference on Computer and Communications Security. (ACM, 2002), pp. 98–107

35.

M.-J. O. Saarinen, SGCM: The Sophie Germain Counter Mode. Cryptology ePrint Archive, Report 2011/326, 2011

36.

M.-J. O. Saarinen, Cycling attacks on GCM, GHASH and other polynomial MACs and hashes, in A. Canteaut (ed), Fast Software Encryption. Lecture Notes in Computer Science, vol. 7549 (Springer, Berlin Heidelberg, 2012), pp. 216–225

37.

M. Salter, R. Housley, Suite B profile for transport layer security (TLS). IETF Request for Comments 6460, http://tools.ietf.org/html/rfc6460, 2011

38.

V. Shoup, On fast and provably secure message authentication based on Universal hashing, in N. Koblitz (ed), Advances in Cryptology CRYPTO ’96. Lecture Notes in Computer Science, vol. 1109 (Springer, Berlin Heidelberg, 1996), pp. 313–328

39.

G. J. Simmons (ed). Contemporary cryptology: the science of information integrity. IEEE Press, 1992

40.

D. R. Stinson, On the connections between Universal hashing, combinatorial designs and error-correcting codes. Electronic Colloquium on Computational Complexity (ECCC), Report No ECCC TR95-052 (1995)

41.

D.R. Stinson, Universal hashing and authentication codes. Des.Codes Cryptogr. 4(3), 369–380 (1994)

42.

R. Taylor, Near optimal unconditionally secure authentication, in A. Santis (ed), Advances in Cryptology EUROCRYPT’94. Lecture Notes in Computer Science, vol. 950 (Springer, Berlin Heidelberg, 1995), pp. 244–253

43.

J. von zur Gathen, J. Gerhard. Modern computer algebra. Cambridge University Press, Cambridge, 2nd edition, 2003

44.

M.N. Wegman, J. Lawrence Carter, New classes and applications of hash functions, in 20th Annual Symposium on Foundations of Computer Science, pp. 175–182 1979

45.

M.N. Wegman, J. Lawrence Carter, New hash functions and their use in authentication and set equality. J. Comput. Syst. Sci. 22(3), 265–279 (1981)

46.

B. Zhu, Y. Tan, G. Gong, Revisiting MAC forgeries, weak keys and provable security of Galois/counter mode of operation, in M. Abdalla, C. Nita-Rotaru, R. Dahab (eds), Cryptology and Network Security. Lecture Notes in Computer Science, vol. 8257 (Springer International Publishing, 2013), pp. 20–38

Titel: On Weak Keys and Forgery Attacks Against Polynomial-Based MAC Schemes
verfasst von: Gordon Procter
Carlos Cid
Publikationsdatum: 01.10.2015
Verlag: Springer US
Erschienen in: Journal of Cryptology / Ausgabe 4/2015
Print ISSN: 0933-2790
Elektronische ISSN: 1432-1378
DOI: https://doi.org/10.1007/s00145-014-9178-9

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 4/2015

Using Fully Homomorphic Hybrid Encryption to Minimize Non-interative Zero-Knowledge Proofs

Almost-Everywhere Secure Computation with Edge Corruptions

Spreading Alerts Quietly and the Subgroup Escape Problem

New Proofs for NMAC and HMAC: Security without Collision Resistance

Collision Attack on Grindahl