universal forgery attack against gcm-rup › 2019 › 1359.pdf · universal forgery attack against...
TRANSCRIPT
Universal Forgery Attack against GCM-RUP
Yanbin Li12 Gaetan Leurent3 Meiqin Wang12 Wei Wang12Guoyan Zhang12 Yu Liu12
1 School of Cyber Science and Technology Shandong University Jinan China2 Key Laboratory of Cryptologic Technology and Information Security(Shandong
University) Ministry of Education Jinan China3 Inria Paris France
Abstract Authenticated encryption (AE) schemes are widely used tosecure communications because they can guarantee both confidentialityand authenticity of a message In addition to the standard AE securitynotion some recent schemes offer extra robustness ie they maintainsecurity in some misuse scenarios In particular Ashur Dunkelman andLuykx proposed a generic AE construction at CRYPTOrsquo17 that is secureeven when releasing unverified plaintext (the RUP setting) and a con-crete instantiation GCM-RUP The designers proved that GCM-RUP issecure up to the birthday bound in the nonce-respecting modelIn this paper we perform a birthday-bound universal forgery attackagainst GCM-RUP matching the bound of the proof While there aresimple distinguishing attacks with birthday complexity on GCM-RUPour attack is much stronger we have a partial key recovery leading touniversal forgeries For reference the best known universal forgery attackagainst GCM requires 22n3 operations and many schemes do not haveany known universal forgery attacks faster than 2n This suggests thatGCM-RUP offers a different security trade-off than GCM stronger pro-tection in the RUP setting but more fragile when the data complexityreaches the birthday bound In order to avoid this attack we suggest aminor modification of GCM-RUP that seems to offer better robustnessat the birthday boundKeywords GCM-RUP partial key recovery universal forgery birthdaybound
1 Introduction
Authenticated encryption (AE) schemes aim to achieve both confidentiality andauthentication of the encapsulated data The first AE schemes were designedby combining a symmetric encryption scheme with a message authenticationcode (MAC) The encryption scheme provides confidentiality while the messageauthentication code ensures authenticity Several generic composition schemeshave been formalized and analyzed by Bellare and Namprempre [3] Encrypt-and-MAC MAC-then-Encrypt and Encrypt-then-MAC Their analysis consid-ers black-box composition without specific details of the underlying symmetricencryption scheme and MAC in order to only focus on the security of the generic
composition at a high level Their analysis shows that only the Encrypt-then-MAC composition is generically secure
Later new AE modes have been proposed [111830] to provide confidential-ity and authentication in a single scheme which is more efficient than the genericcomposition of conventional mechanisms AE schemes are now widely used in In-ternet protocols and there is an ongoing effort to design and standardize new AEschemes with the recent CAESAR competition [35] and the NIST lightweightstandardisation effort [38] currently running The design and cryptanalysis ofAE schemes is a very active topic in the cryptographic community today
One of the most widely used AE schemes today is the GaloisCounter mode(GCM) [823] an AE scheme following the Encrypt-then-MAC paradigm GCMhas been widely deployed thanks to its excellent software performance and hard-ware support and because there are no intellectual property restrictions to itsuse It has been standardized in TLS [7] ISOIEC [37] NSA Suite B [39] andIEEE 8021 [36] GCM encrypts data using a variation of the counter mode ofoperation (CTR) which requires a single block cipher encryption per messageblock and does not need to perform block cipher decryption even when decrypt-ing the message The ciphertext and associated data are authenticated with aWegman-Carter-Shoup authenticator where the keyed universal hash functionis a polynomial evaluation over a binary Galois field However GCM is not ro-bust against implementation errors or misuse In particular if a nonce is usedjust two times the confidentiality and authentication for GCM are compromisedwith Jouxrsquos ldquoforbidden attackrdquo [17] GCM also loses its security if a device re-leases the plaintext corresponding to invalid ciphertext before verifying the tagTherefore variants of GCM have been proposed to achieve some more robustsecurity notions
In 2015 Gueron et al presented GCM-SIV [12] combining GCMrsquos underlyingcomponents with the SIV paradigm designed by Rogaway and Shrimpton [31] toprovide nonce-misuse resistance Later at CRYPTOrsquo17 Ashur et al introduceda generic construction of AE scheme using a tweakable block cipher (TBC)which resists attacks in the RUP setting [2] (with Release of Unverified Plain-text) Based on the generic AE scheme an instantiation GCM-RUP with high-efficiency is put forward using AES-GCMrsquos components The designers provedthat GCM-RUP is secure up to the birthday bound in the nonce-respectingmodel and RUP setting On the other hand no attacks are known so far againstthe authentication part of GCM-RUP Therefore we do not know whether theproof is tight and we do not know what kind of security degradation to expectafter the birthday bound
11 Contributions
In this paper we describe a universal forgery attack against GCM-RUP withtime and data complexity close to 2n2 where n denotes the block size of theunderlying block cipher This attack matches the security proof given in [2]showing that it is tight However our main result is not only about tightnessof the (birthday) security bound but rather about how badly the construction
2
of GCM-RUP breaks when the bound is reached a universal forgery attack ismuch stronger than a distinguishing attack
This is significant because no similar attack is known against GCM on theone hand there are attacks with roughly
radicntimes2n2 queries and time 2n [202226]
and on the other hand attacks withradicntimes 22n3 queries and time ntimes 22n3 [20]
Our results show that universal forgery attacks against GCM-RUP are easierthan against GCM even though the security bounds from the proofs are similarand both proofs are known to be tight (with simple distinguishing attacks)
Our attack is based on the following techniques
ndash We show that inner collisions in the authentication part of GCM-RUP canbe detected efficiently and give out the output difference of the universalhash function GHASHK2
ndash Due to the structure of GHASH we build a polynomial equation in K2 whichcan be solved efficiently
ndash Finally when K2 is known we can sign arbitrary messages This defines auniversal forgery attack with complexity 2n2 (time and data)
Since our attack points out a weakness in the structure of GCM-RUP we alsosuggest a minor modification to GCM-RUP to prevent the leakage of the outputof GHASHK2
by using an extra block cipher call EK4to encrypt the output of
GHASHK2 The objective of our variant is to achieve better security in the RUP
setting and in the classical settingMany designs use GHASH because of its high performances However the
output of GHASH may leak information about the key as exploited in ourattack Therefore the stronger GHASH variant we proposed could be applied tonot only GCM like scheme but also future GHASH-based designs
12 Related Works
Modes of operation are usually studied with security proofs but there is a grow-ing interest in generic attacks showing how the security degrades when the proofdoesnrsquot hold In particular many attacks focus on (partial) key-recovery mostmodes of operations have distinguishing attacks with birthday complexity 2n2but key-recovery and universal forgery attacks with the same complexity showthat some schemes are more fragile than others when approaching the birthdaybound
For instance in 1996 Preneel and Van Oorshot gave a full key recovery attackagainst the Envelope MAC with complexity 2n2 [29] In 2003 Mitchell studiedseveral variants of CBC-MAC and compared their security against key-recoveryattacks [25] for some schemes the best attack reported requires an exhaustivesearch over an n-bit key but attacks with birthday complexity can recover apartial key for TMAC and OMAC [33] leading to stronger forgery attacks Morerecently a series of works has shown birthday attacks against HMAC with fullkey recovery when the hash function uses an internal checksum [19] and universalforgeries [27] in general During the CAESAR competition it was pointed out
3
that the security of AEZ [14] collapses at the birthday bound with a full keyrecovery [10] The scheme was modified to avoid the attack but a variant is stillapplicable [6]
Besides MAC algorithms there has also been work on message-recovery at-tacks on encryption modes with a stronger impact than distinguishers Thewell-known collision attack against CBC has been shown to be usable in prac-tice with 64-bit block ciphers [4] and message-recovery attacks have also beenshown against the CTR mode [20] even though the well-known distinguisher ismuch weaker
All these results clearly show the importance of cryptanalysis work againstmodes of operation even when the attacks do not contradict the proofs Inaddition this type of work sometimes detects mistakes in the proofs as shownwith GCM [16] and OCB2 [15]
13 Organization
The remainder of this paper is organized as follows Section 2 gives the prelimi-naries Section 3 briefly describes the generic construction and its instantiationGCM-RUP We recover the authentication key in Section 4 and a universalforgery is provided in Section 5 Section 6 recommends a minor modification toGCM-RUP to resist our forgery attack Finally Section 7 concludes this paper
2 Preliminaries
This section will show notations operations some cryptographic schemes andsecurity definitions used in this paper
21 Notations and Operations
ndash n The block size of the block cipher (for GCM-RUP n = 128)ndash 0 1lex The set of strings with length no greater than x bitsndash 0 1lowast The set of strings with arbitrary lengthndash |X| Length of X if X isin 0 1lowastndash X oplus Y Bit-wise exclusive OR of X and Y if XY isin 0 1lowastndash X middot Y Galois field multiplication of X and Y if XY isin 0 1nndash XY or XY Concatenation of X and Y if XY isin 0 1lowastndash ε The empty stringndash 0n n-bit string consisting of only zerosndash lenn(X) Length of X modulo 2n as an n-bit stringndash X0lowastn X padded on the right with 0-bits to get a string of length a multiple
of nndash |X|n Xrsquos length in n-bit blocks |X|n = d|X|nendash X[1]X[2] X[x]
nlarrminus X Split X into substrings such that |X[i]| = n fori = 1 xminus 1 0 lt |X[x]| le n and X[1] X[x] = X
4
ndash int(Y ) Map the j bits string Y = ajminus1 a1a0 to the integer i = ajminus12jminus1+middot middot middot+ a12 + a0
ndash strj(i) Map the integer i = ajminus12jminus1 + middot middot middot+a12+a0 lt 2j to the j-bit stringajminus1 a1a0
ndash incm(X) The function which adds one modulo 2m to X when viewed as aninteger incm(X) = strm(int(X) + 1 mod 2m)
ndash msbj(X) j most significant bits of X msbj(aiminus1 a1a0) = aiminus1 aaminusj ndash lsbj(X) j least significant bits of X lsbj(aiminus1 a1a0) = ajminus1 a0ndash F larr E(Cmiddot) Define F (X) = E(CX) where C is fixed as constant
ndash a= b Evaluate to gt if a equals b and perp otherwise
22 AE Separated AE and TBC
An authenticated encryption scheme is a symmetric key algorithm that providesboth confidentiality and authenticity Bellare and Namprempre [3] defined theformal notion of authenticated encryption as follows
Definition 1 (AE [3]) An AE scheme consists of a pair of functions theencryption function Enc and the decryption function Dec
Enc K timesN timesAtimesMrarr CDec K timesN timesAtimes C rarrMcup perp
with K the key space N the nonce space A the associated data space M themessage space C the ciphertext space and perp an error symbol not contained inM which represents verification failure It must be the case that for all K isin KN isin N A isin A and M isinM
DecNK(AEncNK(AM)) = M
The decryption process typically has two phases plaintext computation andverification the plaintext obtained from decryption is only given out after suc-cessful verification However keeping the full plaintext in memory can be an issuefor constrained devices and side-channel attacks can potentially recover infor-mation about the plaintext while it is decrypted Therefore new models havebeen introduced to take into account the effect of releasing unverified plaintextIn particular Andreeva et al [1] defined separated AE schemes where the plain-text computation is disconnected from verification in this model the decryptionfunction always releases the plaintext without verifying it Formally a separatedAE scheme is defined as
Definition 2 (separated AE [1]) A separated AE scheme consists of a tripletof functions the encryption function SEnc the decryption function SDec andthe verification function SVer where
SEnc K timesN timesAtimesMrarr CSDec K timesN timesAtimes C rarrM
SVer K timesN timesAtimes C rarr gtperp
5
with K the key space N the nonce space A the associated data space M themessage space C the ciphertext space The special symbols gt and perp indicate thesuccess and failure of the verification respectively It must be the case that forall K isin K N isin N A isin A and M isinM
SDecNK(ASEncNK(AM)) = M and SVerNK(ASEncNK(AM)) = gt
Finally we need to introduce the notion of tweakable block cipher (TBC)which is used in GCM-RUP A tweakable block cipher is a generalization of ablock cipher with an additional tweak input generating a family of independentblock ciphers [21]
Definition 3 (TBC [21]) A TBC could be regarded as a pair of functions(ED) with
E K times T times X rarr X D K times T times X rarr X
where K is the key space T is the tweak space and X is the domain For allK isin K T isin T and X isin X ETK is a permutation of X with DTK as inverse and
DTK(ETK(X)) = X
3 Brief Description of GCM-RUP [2]
Ashur Dunkelman and Luykx proposed a generic construction of an efficientseparated AE scheme at CRYPTOrsquo17 [2] Their construction uses an encryptionscheme and a TBC and achieves security in the RUP setting assuming that theencryption scheme is strongly indistinguishable-from-random-bits (SRND) [1332] and the TBC is a strong pseudorandom permutation (SPRP) [32] Basedon the generic construction a dedicated instantiation GCM-RUP is built usingAES-GCMrsquos primitives This section will describe this construction and GCM-RUP
31 Generic Construction with RUP Security [2]
Let (EncDec) be an encryption scheme (without authentication) with K the keyspace N the nonce spaceM the message space and C the ciphertext space Let(ED) denote a TBC with key space L tweak space T = C and domain X = N Then define the separated AE scheme (SEncSDecSVer) as follows
SEncNKL(AM) =(S = EACL (N) C = EncNK(αM)
)
SDecKL(ASC) = lsb|C|minusτ (DecDAC
L (S)K (C))
SVerKL(ASC) = msbτ (DecDAC
L (S)K (C))
= α
6
where (KL) isin KtimesL is the key N is the nonce space A is the associated dataspaceM is the message space N timesC is the ciphertext space and α isin 0 1τ issome pre-defined constant The construction is depicted in Fig 1 The proceduresof encryption decryption and verification are illustrated in Fig 1 (a) (b) and(c) respectively
The novelty of the generic construction is that the nonce is encrypted usingthe ciphertext as a tweak This provides security in the RUP setting becauseif an attacker modifies the ciphertext or the encrypted nonce the decryptionoracle will output a random plaintext The authentication security comes fromthe redundancy in the plaintext with the pre-defined constant α (known byboth sides) the length of α determines the security level In order to maintainsecurity up to the birthday bound on the block size the size of α and the noncesize are fixed to be the same as the block size n
32 GCM-RUP [2]
GCM-RUP is an instantiation of the generic construction using the counter mode(CTR) for encryption and the XTX construction [24] with GHASH for the tweak-able block cipher It reuses the component of GCM in order to benefit from theefficient implementations available while offering more robustness with securityin the RUP setting Before describing GCM-RUP itself we first define the prim-itives borrowed from GCM Let n denote the block length of the available blockcipher in this case n = 128
The first one is the universal hash function GHASH which takes a key H andtwo strings M and M prime as input (in GCM GHASH is used in the Wegman-Carterconstruction to build a MAC [34]) The core of GHASH is defined with a singlestring M constituted of full blocks and evaluates a polynomial defined from Mat H as follows
GHASHcoreH(M) =
|M |nminus1oplusi=0
M [i] middotH |M |nminusi (1)
The symbol ldquomiddotrdquo represents multiplication in the Galois field GF (2n) All thecomputations are performed by the rule of operations defined in finite fieldGHASH is defined from GHASHcore it takes two strings M and M prime as inputzero-pads and concatenates them and adds the binary representation of thelengths of M and M prime before processing the result through GHASHcore
GHASHH(MM prime) = GHASHcoreH(M0lowastnM prime0lowastnstrn2(|M |)strn2(|M prime|))
where the function strj(i) maps the integer i = ajminus12jminus1 + middot middot middot+ a12 + a0 lt 2j
to the j-bit string ajminus1 a1a0 Algorithm 1 describes the procedure of thefunction
The second important auxiliary function is the CTR mode Given a countervalue X a positive integer m and a predefined keyed function F as input thisfunction CTR[F ](Xm) outputs a string S with m blocks Each block of S is
7
N M
S C
α
(a) Encryption
S C
EL
EncK
DL
DecK
M
lsb|C|-τ
(b) Decryption
S C
DL
DecK
msbτ
(c) Verification
α
A
A A
Fig 1 Generic Construction with RUP Security
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
EncK1
EK2K3
G
In
Out
Fig 2 GCM-RUP (Figure from [2])
8
Algorithm 1 GHASHH(MM prime)
Input H isin 0 1n M isin 0 1len(2n2minus1) M prime isin 0 1len(2
n2minus1)
Output Y isin 0 1n1 X larrM0lowastnM prime0lowastnstrn2(|M |)strn2(|M prime|)2 X[1]X[2] X[x]
nlarrminus X3 Y larr 0n
4 for 1 le j le x do5 Y larr H middot (Y oplusX[j])6 end for7 return Y
computed by S[i] = F (incix(X)) where incx represents counter incrementationadding one modulo 2x to X with the convention that incix represents i successiveimplementations The CTR mode is defined in Algorithm 2
Algorithm 2 CTR[F ](Xm)
Input F 0 1x rarr 0 1n X isin 0 1x m isin NOutput S isin 0 1mn1 I larr X2 for 1 le j le m do3 S[j]larr F (I)4 I larr incx(I)5 end for6 S larr S[1]S[2] S[m]7 return S
Finally GCM-RUP uses three keys K1 is used for the CTR encryption andK2 and K3 are used for the TBC following the XTX construction (K2 is usedfor GHASH and K3 is used for the underlying block cipher call) GCM-RUPencrypts a message M together with its associated data A and a nonce N intoa ciphertext C and an encrypted nonce S The associated data the message andthe ciphertext are all seen as sequences of blocks of length n GCM-RUP followsthe generic construction given above and is described in Fig 2 with pseudocodein Algorithm 3 (with ε an empty string) In the figure EncK1
corresponds toCTR mode encryption and EK2K3
to the TBC
As an instantiation of the generic construction with RUP security GCM-RUPis secure under RUP setting More precisely GCM-RUP can provide security upto the birthday bound on the block size (because this is the security of theunderlying AE scheme and TBC)
9
Algorithm 3 GCM-RUPK1K2K3(NAM)
Input K1K2K3 isin 0 13n A isin 0 1n232
M isin 0 1n232
Output (SC) isin 0 1n times 0 1τ+|M|1 M larr 0τM2 Llarr EK1(0n)3 I larr GHASHL(εN)4 mlarr |M |n5 F larr EK1(msb96(I)middot)6 S larr CTR[F ](inc32(lsb32(I))m)7 C larrM oplusmsb|M|(S)8 Glarr GHASHK2(AC)9 S larr EK3(N oplusG)oplusG
10 return (SC)
4 Partial Authentication Key Recovery for GCM-RUP
Our analysis focuses on the GHASHK2function which can be written as a poly-
nomial in K2 In this section we analyze properties of GHASHK2 which are thenused to recover K2 After recovering K2 it is possible to perform a forgery attackfor GCM-RUP
The main property used in our attacks is that G the output of GHASHK2as
defined in Fig 2 is linearly dependent on the input (AC) for fixed K2 There-fore the output difference ∆G of values G emerging in encryption operationsof two input tuples (N1 AM) and (N2 AM) is independent of the value of(AM) and is only a function of N1 and N2
Based on this property we retrieve K2 with the following two steps
ndash For a fixed associated data and message we search for a pair of nonces(N1 N2) which produce a collision for the input of EK3
using a birthdayattack For such pair of nonces (N1 N2) ∆G = N1 oplusN2 = S1 oplus S2
ndash With a known∆G a polynomial equation inK2 is derived from the GHASHK2
definition Then K2 can be retrieved by solving this equation
In this section we will give the detailed description of the recovery of K2
41 Properties of GHASH
Let Π = (SEncSDecSVer) denote the scheme GCM-RUP We focus on thecomponent GHASHK2
with inputs the associated data A and the ciphertext CIn order to clearly describe the attack we rewrite GHASHK2
as
G = GHASHK2(AC) = GHASHcoreK2(ACstrn2(|A|)strn2(|C|))
According to the definition of GHASHcore given by Equation (1) G is linear inthe GHASHcore input (ACstrn2(|A|)strn2(|C|)) for a fixed K2 Thereforewe consider the difference ∆G in the output of GHASHK2
for a pair of inputs
10
Property 1 When processing a fixed associated data A and message M un-der two distinct nonces (N1 N2) with GCM-RUP the output difference ∆G ofGHASHK2 is only dependent on N1 and N2 but independent on A and M Thisalso holds for the input difference of EK3
Proof For two tuples (N1 AM) and (N2 AM) query SEnc and get
(S1 C1)larr GCM-RUP(N1 AM)
(S2 C2)larr GCM-RUP(N2 AM)
Let G1 and G2 represent the corresponding outputs of the function GHASHK2
in the encryptions under nonces N1 and N2 respectively
G1 = GHASHK2(AC1)
G2 = GHASHK2(AC2)
where
C1 = (0τM)oplus EncK1(N1)
C2 = (0τM)oplus EncK1(N2)
the function EncK1is defined in the upper dotted box in Fig 2 Hence
∆G = G1 oplusG2
= GHASHK2(AC1)oplus GHASHK2
(AC2)(2)
From the definition of GHASH we have
∆G = GHASHcoreK2
(AoplusAC1 oplus C2
(strn2(|A|)strn2(|C1|))oplus (strn2(|A|)strn2(|C2|)))
= GHASHcoreK2(0|A|∆C0n)
= GHASHcoreK2(0|A|EncK1
(N1)oplus EncK1(N2)0n)
(3)
which shows that the output difference of the function GHASHK2depend only
on N1 and N2 for two tuples (N1 AM) and (N2 AM) The input differenceof EK3
can be computed as
∆In = N1 oplusN2 oplus∆G= N1 oplusN2 oplus GHASHcoreK2(0|A|∆C0n)
(4)
so it is also independent of A and M 2
In particular if we can recover a value ∆G we can then extract K2 bysolving a polynomial equation given the ciphertext difference∆C and the outputdifference ∆G
∆G = GHASHcoreK2(0|A|∆C0n)
11
For simplicity we assume that |M | = n and τ = n this implies |C1| = |C2| = 2n
∆G = ∆C[0] middotK32 oplus∆C[1] middotK2
2
This a polynomial equation in K2 in the Galois field with 2128 elements Luckilythere are efficient algorithm to factor polynomials over finite fields For instancethe Cantor-Zassenhaus algorithm [5] requires O(n2(log(r) log(q) + n)) field op-erations to factor a degree-n polynomial with r irreducible factors over a fieldwith q elements In practice with the parameters used here this takes negligibletime using the implementation of SageMath [40]
42 Recovering K2 from Inner Collisions
As explained earlier the first step of the attack is to identify collisions in theinput of EK3 defined as In = N oplus G Following the analysis above we startwith a fixed associated data A and message M and query SEnc for q differentnonces to receive the corresponding encrypted nonces S and ciphertexts C
In order to simplify the description we focus on the value In and we considerthe function mapping NAM to In denoted as PEnc and represented by Fig 3The output values of PEnc can not be accessed by the attacker but collisions inPEnc can be detected As for In and the output Out of EK3
In = N oplusGOut = S oplusG
When the collisions happen ∆In = ∆Out = 0 which means
N1 oplusN2 oplusG1 oplusG2 = 0
S1 oplus S2 oplusG1 oplusG2 = 0
Thus N1 oplus N2 = S1 oplus S2 = ∆G If the collisions ∆N = ∆S can be detectedthe collisions in PEnc can be detected Meanwhile this type of collisions give outthe value of ∆G which can be used to recover K2 Moreover the correspondingpairs can be identified efficiently We just build a list of all nonces indexed byNi oplus Si sort the list and look for collisions each collision corresponds to a pairwith N1 oplus S1 = N2 oplus S2 ie N1 oplusN2 = S1 oplus S2 We now consider the converseand evaluate the probability of a collision in PEnc when N1 oplusN2 = S1 oplus S2
We formally define the two events as X and Y
ndash X (N1 oplusN2 = S1 oplus S2) the event identifying pairs of nonces (N1 N2) withthe input difference equal to the output difference of EK3
which is calledouter collision (equivalently it can be defined as ∆In = ∆Out)
ndash Y (∆In = 0) the event identifying pairs of nonces with collision in PEncie zero input difference for EK3
which is called inner collision
First we observe that Y sube X because if ∆In = 0 then ∆Out = 0 andN1 oplusN2 = S1 oplus S2 = ∆G Therefore we have
Pr[Y |X] =Pr[Y ]
Pr[X]
12
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GHA
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
G
In
PEnc
N A M
In
Fig 3 Representation of the Function PEnc
Moreover we have Pr[Y ] = 2minusn because the output of PEnc with a freshnonce is random assuming that E is a PRF In order to compute Pr[X] weconsider two cases depending on event Y
1 ∆In = 0 Then we have necessarily ∆Out = 0 ie Pr[X|∆In = 0] = 12 ∆In 6= 0 A pair with non-zero input difference must produce a non-zero
output difference Assuming that E is a PRF we have Pr[X|∆In 6= 0] =1
2nminus1
Therefore
Pr(X) =Pr[∆In = ∆Out]
=Pr[∆In = ∆Out|∆In = 0]times Pr[∆In = 0]+
Pr[∆In = ∆Out|∆In 6= 0]times Pr[∆In 6= 0]
=1times 1
2n+
1
2n minus 1times 2n minus 1
2n
=1
2nminus1
(5)
Finally we can conclude
Pr[∆In = 0|N1 oplusN2 = S1 oplus S2] =2minusn
2minusn+1=
1
2 (6)
Attack Procedure We can now give the detailed procedure to recover K2
1 Choose an arbitrary associated data A and a single-block message M thenquery SEnc for q different nonces N and receive the corresponding encrypted
13
nonces S and ciphertexts C save them in a table indexed by N oplus S Witha suitable value of q (in the order of 2n2) there are two pairs of nonces(N1 N2) satisfying N1 oplusN2 = S1 oplus S2 one of which is expected to furthersatisfy ∆In = 0
2 For each pair with N1 oplus N2 = S1 oplus S2 assuming that ∆In = 0 we have∆G = ∆S and we obtain a cubic polynomial equation with unknown variableK2 which can be solved with factoring tools
∆S = GHASHcoreK2(0|A|∆C0n) = ∆C[0] middotK32 oplus∆C[1] middotK2
2
3 Identify the correct candidate for K2 with forgery attempts
Using two pairs of nonces this attack suggests a small set of six key candi-dates The correct key can be identified with forgery attempts or by using morepairs and looking for a repeated key candidate
More precisely we will describe how to construct a forgery with known can-didate of K2 for GCM-RUP in Section 5 for a given message which can be usedto filter the correct K2 There would be two cases
ndash If the forgery is constructed under the correct candidate for K2 it can passthe verification algorithm of GCM-RUP
ndash If the forgery is constructed under the wrong candidate for K2 it will receivea failure of the verification of GCM-RUP
We only need to query the verification oracle SVer six times to identify thecorrect K2 The cost for this step is negligible
Complexity Estimation As already mentioned the probability of two ran-dom nonces N1 and N2 satisfying ∆In = 0 is 2minus128 Starting from a set of qqueries we can evaluate the probability p of finding an inner collision followingthe analysis of the birthday paradox
p 1minus eminusq2(2times2128)
Thus
q radic
2times 2128 ln1
1minus p
Table 1 shows number of nonces needed to achieve the given probability ofsuccess
43 Experimental Verification with Mini-GCM-RUP
In order to verify our attack theory we use a mini version of GCM-RUP con-structed with the 16-bit block cipher 4-round Mini-AES [28] to experimentallyrecover K2 This experiment identifies pairs of nonces in event X and Y from29 random nonces and recover K2 with SageMath We execute this experimentseveral times to give some results to show the validity of probabilities of eventX and Y in our paper the detail is listed in Table 2
In this table we see that probabilities of event X and Y conform to Equation(5) and (6) respectively The complexity of this experiment is dominated by 29
14
Table 1 Number of Nonces Needed to Achieve the Given Success Probability
Number of nonces to identify inner collision Probability of finding inner collision
263 11264 39265 86266 999
Table 2 Experimental Verification with Mini-GCM-RUP
(K1K2K3) Pair of nonces in X ∆In Pr(X) Pr(Y |X)
(0x3d0e0x2afc0x2e91)(0x27040x0889) 0 1
281
(0x76490x7b0d) 0
(0x4ef30x454b0x1e9a)
(0x23230x602d) 0
729
37
(0x11b70x2b2e) 0x0af7(0x7bab0x3a72) 0(0x12150x1e05) 0xa3b5(0x65930x093d) 0xbce8(0x09bd0x2db2) 0x03cf(0x7d350x5e97) 0
(0x53880x26410x7a4f)
(0x0ba90x46f5) 0x5393
328
12
(0x684d0x5786) 0(0x334c0x22e1) 0x0636(0x44870x13f0) 0(0x54130x03d8) 0(0x5a910x179f) 0x0c06
(0x56910x2ee90x5a68)(0x38740x7546) 0x3fcb 1
2812(0x44b00x4323) 0
15
5 Universal Forgery Attack of GCM-RUP
In this section we will construct forgeries for GCM-RUP given a candidate forK2 We consider a challenge message Mlowast (and possibly a challenge associateddata Alowast) and our goal is to construct a valid ciphertext for Mlowast
51 Almost Universal Forgery Attack
The first forgery attack makes only one query to the encryption oracle SEnc andthen constructs a forgery by solving an equation over GF (2128)
For an arbitrary nonce N associated data A and message M (with |M | =|Mlowast|) query (NAM) and receive the corresponding ciphertext (SC) LetG = GHASHK2
(AC) and the keystream used to XOR message is computed by
EncK1(N) = C oplus (0τM)
We create a valid encryption of Mlowast by reusing the same nonce N and the valuesG and S
First we compute Clowast corresponding to Mlowast
Clowast = 0τMlowast oplus EncK1(N)
= 0τMlowast oplus (C oplus 0τM)(7)
Then we construct Aprime such that
GHASHK2(Aprime Clowast) = GHASHK2
(AC)
where A C Clowast and K2 are known This gives a linear equation over GF (2128)which can easily be solved assuming that |Aprime| ge 128 and K2 6= 0
To summarize for any chosen message Mlowast we can give a successful forgery(AprimeMlowast Sprime C prime) satisfying (Sprime = SC prime = 0τMlowastoplus(Coplus0τM)) This is an almostuniversal forgery because we can choose Mlowast freely but not Aprime
52 Universal Forgery Attack
Alternatively we can design an attack where we choose both Alowast and Mlowast using2n2 queries First we make 2n2 queries (Ni AM) for fixed A and M with|M | = |Mlowast| and receive the corresponding (Si Ci) Since K2 is known we cancompute Gi = GHASH(ACi) and recover the corresponding inputs and outputsto EK3
EK3(Ni oplusGi) = Si oplusGi
Then we can use the same nonces Ni to build a forgery For each Ni webuild the corresponding C primei from Mlowast and Ci as above and we check whetherNioplusGHASH(Alowast C primei) is in the set of known inputs to EK3
With high probabilityone of the nonces will result in a match Ni oplus GHASH(Alowast C primei) = Nj oplus Gj andwe deduce a forgery using Sprime = Sj oplusGj oplus GHASH(Alowast C primei)
16
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
K4E
Fig 4 A Variant for GCM-RUP
17
6 Variant of GCM-RUP
Our forgery attack against GCM-RUP highlights a potential weakness on thestructure of GCM-RUP the output difference of the function GHASHK2
canbe recovered with birthday complexity and this leads to a recovery of K2 Inorder to prevent this attack we suggest to add a block cipher call in the TBCconstruction used in GCM-RUP as shown in Fig 4 to avoid leakage of theoutput difference of the function GHASHK2
This modified TBC still follows the XTX construction of Iwata and Mine-matsu [24] using universal hash function EK4
(GHASHK2(AC)) instead of the
original GHASHK2(AC) The new universal hash function has the same security
bounds but does not leak the key from an output difference Thus the securityproof of GCM-RUP is still applicable to this variant But we do not provide aformal security proof The extra block cipher has a limited impact on efficiencyand might offer better security by avoiding our attack
More generally the modified GHASH could replace GHASH in other designsIn particular the corresponding modification of GCM would prevent the uni-versal forgery attack with complexity 22n3 given in [20] We believe that thisconstruction is worth further study Further work will be needed to determinewhether this modification actually provides extra security and how much
7 Conclusion
This paper shows a birthday-bound attack against GCM-RUP [2] using innercollisions to recover the output difference of the function GHASHK2
Hence K2
can be retrieved by solving a polynomial equation and this directly leads toa universal forgery attack against GCM-RUP This forgery attack shows thatthe construction of GCM-RUP breaks drastically when the security bound isreached This is surprising because no such attack is known on GCM the bestknown universal forgery attack requires 22n3 operations
Finally a minor modification of GCM-RUP is suggested to prevent this kindof attack using an additional block cipher to protect the output of GHASHWith little performance loss this design focusing on GHASH can be applied toall GHASH-based designs
In a more general setting our attack technique can be applied to the LRWconstruction [21] with a polynomial universal hash function as used in OCB forinstance Actually the corresponding attack on OCB would match the previousattack by Ferguson [9]
8 Acknowledgement
This work was supported by the National Natural Science Foundation of Chinaunder Grant Nos 61572293 and 61602276 National Cryptography DevelopmentFoundation of China under Grant No MMJJ20170102 Major Scientific andTechnological Innovation Projects of Shandong Province China under Grant
18
No 2017CXGC0704 Natural Science Foundation of Shandong Province Chinaunder Grant No ZR2016FM22
References
1 Andreeva E Bogdanov A Luykx A Mennink B Mouha N Yasuda K How toSecurely Release Unverified Plaintext in Authenticated Encryption In Sarkar PIwata T (Eds) ASIACRYPT 2014 PART I LNCS 8873 pp 105ndash125 Springer
2 Ashur T Dunkelman O Luykx A Boosting Authenticated Encryption Robust-ness with Minimal Modifications In Katz J Shacham H (Eds) CRYPTO 2017Part III LNCS 10403 pp 3-33 Springer
3 Bellare M Namprempre C Authenticated Encryption Relations among Notionsand Analysis of the Generic Composition Paradigm In Okamoto T (Eds) ASI-ACRYPT 2000 LNCS 1976 pp 531ndash545 Springer
4 Bhargavan K Leurent G On the practical (in-)security of 64-bit block ciphersCollision attacks on HTTP over TLS and OpenVPN In Weippl ER Katzen-beisser S Kruegel C Myers AC Halevi S (eds) ACM CCS 2016 pp 456ndash467ACM Press (Oct 2016)
5 Cantor DG Zassenhaus H A new algorithm for factoring polynomials overfinite fields Mathematics of Computation pp 587ndash592 (1981)
6 Chaigneau C Gilbert H Is AEZ v41 sufficiently resilient against key-recoveryattacks IACR Trans Symm Cryptol 2016(1) 114ndash133 (2016) httptosc
iacrorgindexphpToSCarticleview538
7 Dierks T Allen C RFC 2246 - The TLS Protocol Version 10 Internet ActivitiesBoard (Jan 1999)
8 Dworkin M Recommendation for Block Cipher Modes of Operation Ga-loisCounter Mode (GCM) and GMAC National Institute of Standards and Tech-nology SP 800-38D November 2007
9 Ferguson N Collision attacks on OCB Comment to NIST (Feb 2002)
10 Fuhr T Leurent G Suder V Collision attacks against CAESAR candidates -forgery and key-recovery against AEZ and Marble In Iwata T Cheon JH (eds)ASIACRYPT 2015 Part II LNCS vol 9453 pp 510ndash532 Springer Heidelberg(Nov Dec 2015)
11 Gligor V Donescu P Fast Encryption and Authentication XCBC Encryptionand XECB Authentication Modes In Matsui M (Eds) FSE 2001 LNCS 2355pp 92-108 Springer
12 Gueron S Lindell Y GCM-SIV Full Nonce Misuse-Resistant Authenticated En-cryption at Under One Cycle per Byte In Ray I Li N Kruegel C (Eds) Pro-ceedings of the 22nd ACM SIGSAC Conference on Computer and CommunicationsSecurity Denver CO USA 12ndash16 October 2015 pp 109-119 ACM (2015)
13 Halevi S Rogaway P A Parallelizable Enciphering Mode In Okamoto T (Eds)CT-RSA 2004 LNCS 2964 pp 292ndash304 Springer
14 Hoang VT Krovetz T Rogaway P Robust Authenticated-Encryption AEZ andthe Problem That It Solves In Oswald E Fischlin M (eds) EUROCRYPT 2015LNCS vol 9056 pp 15-44 Springer Berlin Heidelberg
15 Inoue A Iwata T Minematsu K Poettering B Cryptanalysis of OCB2 At-tacks on Authenticity and Confidentiality In Boldyreva A Micciancio D (eds)CRYPTO 2019 LNCS vol 11692 Springer Cham
19
16 Iwata T Ohashi K Minematsu K Breaking and repairing GCM securityproofs In Safavi-Naini R Canetti R (eds) CRYPTO 2012 LNCS vol 7417pp 31ndash49 Springer Heidelberg (Aug 2012)
17 Joux A Comments on the Draft GCM Specification - Authentication Fail-ures in NIST Version of GCM httpcsrcnistgovgroupsSTtoolkitBCMdocumentscomments800-38Series-DraftsGCMJouxcommentspdf
18 Jutla C Encryption Modes with Almost Free Message Integrity In Pfitzmann B(Eds) EUROCRYPT 2001 LNCS 2045 pp 529-544 Springer
19 Leurent G Peyrin T Wang L New generic attacks against hash-based MACsIn Sako K Sarkar P (eds) ASIACRYPT 2013 Part II LNCS vol 8270 pp1ndash20 Springer Heidelberg (Dec 2013)
20 Leurent G Sibleyras F The missing difference problem and its applications tocounter mode encryption In Nielsen JB Rijmen V (eds) EUROCRYPT 2018Part II LNCS vol 10821 pp 745ndash770 Springer Heidelberg (Apr May 2018)
21 Liskov M Rivest RL Wagner D Tweakable Block Ciphers In Yung M (Eds)CRYPTO 2002 LNCS 2442 pp 31-46 Springer
22 Luykx A Preneel B Optimal forgeries against polynomial-based MACs andGCM In Nielsen JB Rijmen V (eds) EUROCRYPT 2018 Part I LNCS vol10820 pp 445ndash467 Springer Heidelberg (Apr May 2018)
23 McGrew D Viega J The Security and Performance of the GaloisCounter Mode(GCM) of Operation In Canteaut A Viswanathan K (eds) INDOCRYPT 2004LNCS vol 3348 pp 343-355 Springer Berlin Heidelberg
24 Minematsu K Iwata T Tweak-length extension for tweakable blockciphers InGroth J (ed) 15th IMA International Conference on Cryptography and CodingLNCS vol 9496 pp 77ndash93 Springer Heidelberg (Dec 2015)
25 Mitchell CJ On the security of XCBC TMAC and OMAC Technical Re-port RHUL-MA-2003-4 19 August 2003 Available at httpwwwrhulac
ukmathematicstechreports Also available from NISTrsquos web page at http
csrcnistgovCryptoToolkitmodescomments
26 Nandi M Bernstein bound on WCS is tight - repairing Luykx-Preneel optimalforgeries In Shacham H Boldyreva A (eds) CRYPTO 2018 Part II LNCSvol 10992 pp 213ndash238 Springer Heidelberg (Aug 2018)
27 Peyrin T Wang L Generic universal forgery attack on iterative hash-basedMACs In Nguyen PQ Oswald E (eds) EUROCRYPT 2014 LNCS vol 8441pp 147ndash164 Springer Heidelberg (May 2014)
28 Phan R CW Mini Advanced Encryption Standard (Mini-AES) A Testbed forCryptanalysis Students In Cryptologia XXVI (4) 2002 httpsstaffguilanacirstaffusersrebrahimifckeditor_repofilemini-aes-specpdf
29 Preneel B van Oorschot PC On the security of two MAC algorithms In Mau-rer UM (ed) EUROCRYPTrsquo96 LNCS vol 1070 pp 19ndash32 Springer Heidelberg(May 1996)
30 Rogaway P Bellare M Black J OCB A Block-Cipher Mode of Operation forEfficient Authenticated Encryption Transactions on Information and System Se-curity Vol 6 No 3 August 2003 pp 365-403
31 Rogaway P Shrimpton T A Provable-Security Treatment of the Key-WrapProblem In Vaudenay S (Eds) EUROCRYPT 2006 LNCS 4004 pp 373-390Springer
32 Shrimpton T Terashima RS A Modular Framework for Building Variable-Input-Length Tweakable Ciphers In Sako K Sarkar P (Eds) ASIACRYPT 2013 PartI LNCS 8269 pp 405ndash423 Springer
20
33 Sung J Hong D Lee S Key recovery attacks on the RMAC TMAC andIACBC In Safavi-Naini R Seberry J (eds) ACISP 03 LNCS vol 2727 pp265ndash273 Springer Heidelberg (Jul 2003)
34 Wegman MN Carter L New Hash Functions and Their Use in Authenticationand Set Equality Journal of Computer and System Sciences 22 265-279 (1981)
35 The CAESAR committee CAESAR Competition for Authenticated EncryptionSecurity Applicability and Robustness httpcompetitionscryptocaesarhtml
36 IEEE Standard for Local and Metropolitan Area Networks Media Access Control(MAC) Security IEEE Std 8021AE-2006 (2006)
37 Information Technology - Security Techniques - Authenticated EncryptionISOIEC 197722009 International Standard ISOIEC 19772 (2009)
38 NIST Lightweight Cryptography httpscsrcnistgovProjects
Lightweight-Cryptography
39 National Security Agency Internet Protocol Security (IPsec) Minimum EssentialInteroperability Requirements IPMEIR Version 100 Core (2010) httpwwwnsagoviaprogramssuitebcryptographyindexshtml
40 Sage Documentation SageMath Help httpwwwsagemathorg
21
- Universal Forgery Attack against GCM-RUP
- Yanbin Li Gaeumltan Leurent Meiqin Wang Wei Wang Guoyan Zhang Yu Liu
-
composition at a high level Their analysis shows that only the Encrypt-then-MAC composition is generically secure
Later new AE modes have been proposed [111830] to provide confidential-ity and authentication in a single scheme which is more efficient than the genericcomposition of conventional mechanisms AE schemes are now widely used in In-ternet protocols and there is an ongoing effort to design and standardize new AEschemes with the recent CAESAR competition [35] and the NIST lightweightstandardisation effort [38] currently running The design and cryptanalysis ofAE schemes is a very active topic in the cryptographic community today
One of the most widely used AE schemes today is the GaloisCounter mode(GCM) [823] an AE scheme following the Encrypt-then-MAC paradigm GCMhas been widely deployed thanks to its excellent software performance and hard-ware support and because there are no intellectual property restrictions to itsuse It has been standardized in TLS [7] ISOIEC [37] NSA Suite B [39] andIEEE 8021 [36] GCM encrypts data using a variation of the counter mode ofoperation (CTR) which requires a single block cipher encryption per messageblock and does not need to perform block cipher decryption even when decrypt-ing the message The ciphertext and associated data are authenticated with aWegman-Carter-Shoup authenticator where the keyed universal hash functionis a polynomial evaluation over a binary Galois field However GCM is not ro-bust against implementation errors or misuse In particular if a nonce is usedjust two times the confidentiality and authentication for GCM are compromisedwith Jouxrsquos ldquoforbidden attackrdquo [17] GCM also loses its security if a device re-leases the plaintext corresponding to invalid ciphertext before verifying the tagTherefore variants of GCM have been proposed to achieve some more robustsecurity notions
In 2015 Gueron et al presented GCM-SIV [12] combining GCMrsquos underlyingcomponents with the SIV paradigm designed by Rogaway and Shrimpton [31] toprovide nonce-misuse resistance Later at CRYPTOrsquo17 Ashur et al introduceda generic construction of AE scheme using a tweakable block cipher (TBC)which resists attacks in the RUP setting [2] (with Release of Unverified Plain-text) Based on the generic AE scheme an instantiation GCM-RUP with high-efficiency is put forward using AES-GCMrsquos components The designers provedthat GCM-RUP is secure up to the birthday bound in the nonce-respectingmodel and RUP setting On the other hand no attacks are known so far againstthe authentication part of GCM-RUP Therefore we do not know whether theproof is tight and we do not know what kind of security degradation to expectafter the birthday bound
11 Contributions
In this paper we describe a universal forgery attack against GCM-RUP withtime and data complexity close to 2n2 where n denotes the block size of theunderlying block cipher This attack matches the security proof given in [2]showing that it is tight However our main result is not only about tightnessof the (birthday) security bound but rather about how badly the construction
2
of GCM-RUP breaks when the bound is reached a universal forgery attack ismuch stronger than a distinguishing attack
This is significant because no similar attack is known against GCM on theone hand there are attacks with roughly
radicntimes2n2 queries and time 2n [202226]
and on the other hand attacks withradicntimes 22n3 queries and time ntimes 22n3 [20]
Our results show that universal forgery attacks against GCM-RUP are easierthan against GCM even though the security bounds from the proofs are similarand both proofs are known to be tight (with simple distinguishing attacks)
Our attack is based on the following techniques
ndash We show that inner collisions in the authentication part of GCM-RUP canbe detected efficiently and give out the output difference of the universalhash function GHASHK2
ndash Due to the structure of GHASH we build a polynomial equation in K2 whichcan be solved efficiently
ndash Finally when K2 is known we can sign arbitrary messages This defines auniversal forgery attack with complexity 2n2 (time and data)
Since our attack points out a weakness in the structure of GCM-RUP we alsosuggest a minor modification to GCM-RUP to prevent the leakage of the outputof GHASHK2
by using an extra block cipher call EK4to encrypt the output of
GHASHK2 The objective of our variant is to achieve better security in the RUP
setting and in the classical settingMany designs use GHASH because of its high performances However the
output of GHASH may leak information about the key as exploited in ourattack Therefore the stronger GHASH variant we proposed could be applied tonot only GCM like scheme but also future GHASH-based designs
12 Related Works
Modes of operation are usually studied with security proofs but there is a grow-ing interest in generic attacks showing how the security degrades when the proofdoesnrsquot hold In particular many attacks focus on (partial) key-recovery mostmodes of operations have distinguishing attacks with birthday complexity 2n2but key-recovery and universal forgery attacks with the same complexity showthat some schemes are more fragile than others when approaching the birthdaybound
For instance in 1996 Preneel and Van Oorshot gave a full key recovery attackagainst the Envelope MAC with complexity 2n2 [29] In 2003 Mitchell studiedseveral variants of CBC-MAC and compared their security against key-recoveryattacks [25] for some schemes the best attack reported requires an exhaustivesearch over an n-bit key but attacks with birthday complexity can recover apartial key for TMAC and OMAC [33] leading to stronger forgery attacks Morerecently a series of works has shown birthday attacks against HMAC with fullkey recovery when the hash function uses an internal checksum [19] and universalforgeries [27] in general During the CAESAR competition it was pointed out
3
that the security of AEZ [14] collapses at the birthday bound with a full keyrecovery [10] The scheme was modified to avoid the attack but a variant is stillapplicable [6]
Besides MAC algorithms there has also been work on message-recovery at-tacks on encryption modes with a stronger impact than distinguishers Thewell-known collision attack against CBC has been shown to be usable in prac-tice with 64-bit block ciphers [4] and message-recovery attacks have also beenshown against the CTR mode [20] even though the well-known distinguisher ismuch weaker
All these results clearly show the importance of cryptanalysis work againstmodes of operation even when the attacks do not contradict the proofs Inaddition this type of work sometimes detects mistakes in the proofs as shownwith GCM [16] and OCB2 [15]
13 Organization
The remainder of this paper is organized as follows Section 2 gives the prelimi-naries Section 3 briefly describes the generic construction and its instantiationGCM-RUP We recover the authentication key in Section 4 and a universalforgery is provided in Section 5 Section 6 recommends a minor modification toGCM-RUP to resist our forgery attack Finally Section 7 concludes this paper
2 Preliminaries
This section will show notations operations some cryptographic schemes andsecurity definitions used in this paper
21 Notations and Operations
ndash n The block size of the block cipher (for GCM-RUP n = 128)ndash 0 1lex The set of strings with length no greater than x bitsndash 0 1lowast The set of strings with arbitrary lengthndash |X| Length of X if X isin 0 1lowastndash X oplus Y Bit-wise exclusive OR of X and Y if XY isin 0 1lowastndash X middot Y Galois field multiplication of X and Y if XY isin 0 1nndash XY or XY Concatenation of X and Y if XY isin 0 1lowastndash ε The empty stringndash 0n n-bit string consisting of only zerosndash lenn(X) Length of X modulo 2n as an n-bit stringndash X0lowastn X padded on the right with 0-bits to get a string of length a multiple
of nndash |X|n Xrsquos length in n-bit blocks |X|n = d|X|nendash X[1]X[2] X[x]
nlarrminus X Split X into substrings such that |X[i]| = n fori = 1 xminus 1 0 lt |X[x]| le n and X[1] X[x] = X
4
ndash int(Y ) Map the j bits string Y = ajminus1 a1a0 to the integer i = ajminus12jminus1+middot middot middot+ a12 + a0
ndash strj(i) Map the integer i = ajminus12jminus1 + middot middot middot+a12+a0 lt 2j to the j-bit stringajminus1 a1a0
ndash incm(X) The function which adds one modulo 2m to X when viewed as aninteger incm(X) = strm(int(X) + 1 mod 2m)
ndash msbj(X) j most significant bits of X msbj(aiminus1 a1a0) = aiminus1 aaminusj ndash lsbj(X) j least significant bits of X lsbj(aiminus1 a1a0) = ajminus1 a0ndash F larr E(Cmiddot) Define F (X) = E(CX) where C is fixed as constant
ndash a= b Evaluate to gt if a equals b and perp otherwise
22 AE Separated AE and TBC
An authenticated encryption scheme is a symmetric key algorithm that providesboth confidentiality and authenticity Bellare and Namprempre [3] defined theformal notion of authenticated encryption as follows
Definition 1 (AE [3]) An AE scheme consists of a pair of functions theencryption function Enc and the decryption function Dec
Enc K timesN timesAtimesMrarr CDec K timesN timesAtimes C rarrMcup perp
with K the key space N the nonce space A the associated data space M themessage space C the ciphertext space and perp an error symbol not contained inM which represents verification failure It must be the case that for all K isin KN isin N A isin A and M isinM
DecNK(AEncNK(AM)) = M
The decryption process typically has two phases plaintext computation andverification the plaintext obtained from decryption is only given out after suc-cessful verification However keeping the full plaintext in memory can be an issuefor constrained devices and side-channel attacks can potentially recover infor-mation about the plaintext while it is decrypted Therefore new models havebeen introduced to take into account the effect of releasing unverified plaintextIn particular Andreeva et al [1] defined separated AE schemes where the plain-text computation is disconnected from verification in this model the decryptionfunction always releases the plaintext without verifying it Formally a separatedAE scheme is defined as
Definition 2 (separated AE [1]) A separated AE scheme consists of a tripletof functions the encryption function SEnc the decryption function SDec andthe verification function SVer where
SEnc K timesN timesAtimesMrarr CSDec K timesN timesAtimes C rarrM
SVer K timesN timesAtimes C rarr gtperp
5
with K the key space N the nonce space A the associated data space M themessage space C the ciphertext space The special symbols gt and perp indicate thesuccess and failure of the verification respectively It must be the case that forall K isin K N isin N A isin A and M isinM
SDecNK(ASEncNK(AM)) = M and SVerNK(ASEncNK(AM)) = gt
Finally we need to introduce the notion of tweakable block cipher (TBC)which is used in GCM-RUP A tweakable block cipher is a generalization of ablock cipher with an additional tweak input generating a family of independentblock ciphers [21]
Definition 3 (TBC [21]) A TBC could be regarded as a pair of functions(ED) with
E K times T times X rarr X D K times T times X rarr X
where K is the key space T is the tweak space and X is the domain For allK isin K T isin T and X isin X ETK is a permutation of X with DTK as inverse and
DTK(ETK(X)) = X
3 Brief Description of GCM-RUP [2]
Ashur Dunkelman and Luykx proposed a generic construction of an efficientseparated AE scheme at CRYPTOrsquo17 [2] Their construction uses an encryptionscheme and a TBC and achieves security in the RUP setting assuming that theencryption scheme is strongly indistinguishable-from-random-bits (SRND) [1332] and the TBC is a strong pseudorandom permutation (SPRP) [32] Basedon the generic construction a dedicated instantiation GCM-RUP is built usingAES-GCMrsquos primitives This section will describe this construction and GCM-RUP
31 Generic Construction with RUP Security [2]
Let (EncDec) be an encryption scheme (without authentication) with K the keyspace N the nonce spaceM the message space and C the ciphertext space Let(ED) denote a TBC with key space L tweak space T = C and domain X = N Then define the separated AE scheme (SEncSDecSVer) as follows
SEncNKL(AM) =(S = EACL (N) C = EncNK(αM)
)
SDecKL(ASC) = lsb|C|minusτ (DecDAC
L (S)K (C))
SVerKL(ASC) = msbτ (DecDAC
L (S)K (C))
= α
6
where (KL) isin KtimesL is the key N is the nonce space A is the associated dataspaceM is the message space N timesC is the ciphertext space and α isin 0 1τ issome pre-defined constant The construction is depicted in Fig 1 The proceduresof encryption decryption and verification are illustrated in Fig 1 (a) (b) and(c) respectively
The novelty of the generic construction is that the nonce is encrypted usingthe ciphertext as a tweak This provides security in the RUP setting becauseif an attacker modifies the ciphertext or the encrypted nonce the decryptionoracle will output a random plaintext The authentication security comes fromthe redundancy in the plaintext with the pre-defined constant α (known byboth sides) the length of α determines the security level In order to maintainsecurity up to the birthday bound on the block size the size of α and the noncesize are fixed to be the same as the block size n
32 GCM-RUP [2]
GCM-RUP is an instantiation of the generic construction using the counter mode(CTR) for encryption and the XTX construction [24] with GHASH for the tweak-able block cipher It reuses the component of GCM in order to benefit from theefficient implementations available while offering more robustness with securityin the RUP setting Before describing GCM-RUP itself we first define the prim-itives borrowed from GCM Let n denote the block length of the available blockcipher in this case n = 128
The first one is the universal hash function GHASH which takes a key H andtwo strings M and M prime as input (in GCM GHASH is used in the Wegman-Carterconstruction to build a MAC [34]) The core of GHASH is defined with a singlestring M constituted of full blocks and evaluates a polynomial defined from Mat H as follows
GHASHcoreH(M) =
|M |nminus1oplusi=0
M [i] middotH |M |nminusi (1)
The symbol ldquomiddotrdquo represents multiplication in the Galois field GF (2n) All thecomputations are performed by the rule of operations defined in finite fieldGHASH is defined from GHASHcore it takes two strings M and M prime as inputzero-pads and concatenates them and adds the binary representation of thelengths of M and M prime before processing the result through GHASHcore
GHASHH(MM prime) = GHASHcoreH(M0lowastnM prime0lowastnstrn2(|M |)strn2(|M prime|))
where the function strj(i) maps the integer i = ajminus12jminus1 + middot middot middot+ a12 + a0 lt 2j
to the j-bit string ajminus1 a1a0 Algorithm 1 describes the procedure of thefunction
The second important auxiliary function is the CTR mode Given a countervalue X a positive integer m and a predefined keyed function F as input thisfunction CTR[F ](Xm) outputs a string S with m blocks Each block of S is
7
N M
S C
α
(a) Encryption
S C
EL
EncK
DL
DecK
M
lsb|C|-τ
(b) Decryption
S C
DL
DecK
msbτ
(c) Verification
α
A
A A
Fig 1 Generic Construction with RUP Security
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
EncK1
EK2K3
G
In
Out
Fig 2 GCM-RUP (Figure from [2])
8
Algorithm 1 GHASHH(MM prime)
Input H isin 0 1n M isin 0 1len(2n2minus1) M prime isin 0 1len(2
n2minus1)
Output Y isin 0 1n1 X larrM0lowastnM prime0lowastnstrn2(|M |)strn2(|M prime|)2 X[1]X[2] X[x]
nlarrminus X3 Y larr 0n
4 for 1 le j le x do5 Y larr H middot (Y oplusX[j])6 end for7 return Y
computed by S[i] = F (incix(X)) where incx represents counter incrementationadding one modulo 2x to X with the convention that incix represents i successiveimplementations The CTR mode is defined in Algorithm 2
Algorithm 2 CTR[F ](Xm)
Input F 0 1x rarr 0 1n X isin 0 1x m isin NOutput S isin 0 1mn1 I larr X2 for 1 le j le m do3 S[j]larr F (I)4 I larr incx(I)5 end for6 S larr S[1]S[2] S[m]7 return S
Finally GCM-RUP uses three keys K1 is used for the CTR encryption andK2 and K3 are used for the TBC following the XTX construction (K2 is usedfor GHASH and K3 is used for the underlying block cipher call) GCM-RUPencrypts a message M together with its associated data A and a nonce N intoa ciphertext C and an encrypted nonce S The associated data the message andthe ciphertext are all seen as sequences of blocks of length n GCM-RUP followsthe generic construction given above and is described in Fig 2 with pseudocodein Algorithm 3 (with ε an empty string) In the figure EncK1
corresponds toCTR mode encryption and EK2K3
to the TBC
As an instantiation of the generic construction with RUP security GCM-RUPis secure under RUP setting More precisely GCM-RUP can provide security upto the birthday bound on the block size (because this is the security of theunderlying AE scheme and TBC)
9
Algorithm 3 GCM-RUPK1K2K3(NAM)
Input K1K2K3 isin 0 13n A isin 0 1n232
M isin 0 1n232
Output (SC) isin 0 1n times 0 1τ+|M|1 M larr 0τM2 Llarr EK1(0n)3 I larr GHASHL(εN)4 mlarr |M |n5 F larr EK1(msb96(I)middot)6 S larr CTR[F ](inc32(lsb32(I))m)7 C larrM oplusmsb|M|(S)8 Glarr GHASHK2(AC)9 S larr EK3(N oplusG)oplusG
10 return (SC)
4 Partial Authentication Key Recovery for GCM-RUP
Our analysis focuses on the GHASHK2function which can be written as a poly-
nomial in K2 In this section we analyze properties of GHASHK2 which are thenused to recover K2 After recovering K2 it is possible to perform a forgery attackfor GCM-RUP
The main property used in our attacks is that G the output of GHASHK2as
defined in Fig 2 is linearly dependent on the input (AC) for fixed K2 There-fore the output difference ∆G of values G emerging in encryption operationsof two input tuples (N1 AM) and (N2 AM) is independent of the value of(AM) and is only a function of N1 and N2
Based on this property we retrieve K2 with the following two steps
ndash For a fixed associated data and message we search for a pair of nonces(N1 N2) which produce a collision for the input of EK3
using a birthdayattack For such pair of nonces (N1 N2) ∆G = N1 oplusN2 = S1 oplus S2
ndash With a known∆G a polynomial equation inK2 is derived from the GHASHK2
definition Then K2 can be retrieved by solving this equation
In this section we will give the detailed description of the recovery of K2
41 Properties of GHASH
Let Π = (SEncSDecSVer) denote the scheme GCM-RUP We focus on thecomponent GHASHK2
with inputs the associated data A and the ciphertext CIn order to clearly describe the attack we rewrite GHASHK2
as
G = GHASHK2(AC) = GHASHcoreK2(ACstrn2(|A|)strn2(|C|))
According to the definition of GHASHcore given by Equation (1) G is linear inthe GHASHcore input (ACstrn2(|A|)strn2(|C|)) for a fixed K2 Thereforewe consider the difference ∆G in the output of GHASHK2
for a pair of inputs
10
Property 1 When processing a fixed associated data A and message M un-der two distinct nonces (N1 N2) with GCM-RUP the output difference ∆G ofGHASHK2 is only dependent on N1 and N2 but independent on A and M Thisalso holds for the input difference of EK3
Proof For two tuples (N1 AM) and (N2 AM) query SEnc and get
(S1 C1)larr GCM-RUP(N1 AM)
(S2 C2)larr GCM-RUP(N2 AM)
Let G1 and G2 represent the corresponding outputs of the function GHASHK2
in the encryptions under nonces N1 and N2 respectively
G1 = GHASHK2(AC1)
G2 = GHASHK2(AC2)
where
C1 = (0τM)oplus EncK1(N1)
C2 = (0τM)oplus EncK1(N2)
the function EncK1is defined in the upper dotted box in Fig 2 Hence
∆G = G1 oplusG2
= GHASHK2(AC1)oplus GHASHK2
(AC2)(2)
From the definition of GHASH we have
∆G = GHASHcoreK2
(AoplusAC1 oplus C2
(strn2(|A|)strn2(|C1|))oplus (strn2(|A|)strn2(|C2|)))
= GHASHcoreK2(0|A|∆C0n)
= GHASHcoreK2(0|A|EncK1
(N1)oplus EncK1(N2)0n)
(3)
which shows that the output difference of the function GHASHK2depend only
on N1 and N2 for two tuples (N1 AM) and (N2 AM) The input differenceof EK3
can be computed as
∆In = N1 oplusN2 oplus∆G= N1 oplusN2 oplus GHASHcoreK2(0|A|∆C0n)
(4)
so it is also independent of A and M 2
In particular if we can recover a value ∆G we can then extract K2 bysolving a polynomial equation given the ciphertext difference∆C and the outputdifference ∆G
∆G = GHASHcoreK2(0|A|∆C0n)
11
For simplicity we assume that |M | = n and τ = n this implies |C1| = |C2| = 2n
∆G = ∆C[0] middotK32 oplus∆C[1] middotK2
2
This a polynomial equation in K2 in the Galois field with 2128 elements Luckilythere are efficient algorithm to factor polynomials over finite fields For instancethe Cantor-Zassenhaus algorithm [5] requires O(n2(log(r) log(q) + n)) field op-erations to factor a degree-n polynomial with r irreducible factors over a fieldwith q elements In practice with the parameters used here this takes negligibletime using the implementation of SageMath [40]
42 Recovering K2 from Inner Collisions
As explained earlier the first step of the attack is to identify collisions in theinput of EK3 defined as In = N oplus G Following the analysis above we startwith a fixed associated data A and message M and query SEnc for q differentnonces to receive the corresponding encrypted nonces S and ciphertexts C
In order to simplify the description we focus on the value In and we considerthe function mapping NAM to In denoted as PEnc and represented by Fig 3The output values of PEnc can not be accessed by the attacker but collisions inPEnc can be detected As for In and the output Out of EK3
In = N oplusGOut = S oplusG
When the collisions happen ∆In = ∆Out = 0 which means
N1 oplusN2 oplusG1 oplusG2 = 0
S1 oplus S2 oplusG1 oplusG2 = 0
Thus N1 oplus N2 = S1 oplus S2 = ∆G If the collisions ∆N = ∆S can be detectedthe collisions in PEnc can be detected Meanwhile this type of collisions give outthe value of ∆G which can be used to recover K2 Moreover the correspondingpairs can be identified efficiently We just build a list of all nonces indexed byNi oplus Si sort the list and look for collisions each collision corresponds to a pairwith N1 oplus S1 = N2 oplus S2 ie N1 oplusN2 = S1 oplus S2 We now consider the converseand evaluate the probability of a collision in PEnc when N1 oplusN2 = S1 oplus S2
We formally define the two events as X and Y
ndash X (N1 oplusN2 = S1 oplus S2) the event identifying pairs of nonces (N1 N2) withthe input difference equal to the output difference of EK3
which is calledouter collision (equivalently it can be defined as ∆In = ∆Out)
ndash Y (∆In = 0) the event identifying pairs of nonces with collision in PEncie zero input difference for EK3
which is called inner collision
First we observe that Y sube X because if ∆In = 0 then ∆Out = 0 andN1 oplusN2 = S1 oplus S2 = ∆G Therefore we have
Pr[Y |X] =Pr[Y ]
Pr[X]
12
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GHA
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
G
In
PEnc
N A M
In
Fig 3 Representation of the Function PEnc
Moreover we have Pr[Y ] = 2minusn because the output of PEnc with a freshnonce is random assuming that E is a PRF In order to compute Pr[X] weconsider two cases depending on event Y
1 ∆In = 0 Then we have necessarily ∆Out = 0 ie Pr[X|∆In = 0] = 12 ∆In 6= 0 A pair with non-zero input difference must produce a non-zero
output difference Assuming that E is a PRF we have Pr[X|∆In 6= 0] =1
2nminus1
Therefore
Pr(X) =Pr[∆In = ∆Out]
=Pr[∆In = ∆Out|∆In = 0]times Pr[∆In = 0]+
Pr[∆In = ∆Out|∆In 6= 0]times Pr[∆In 6= 0]
=1times 1
2n+
1
2n minus 1times 2n minus 1
2n
=1
2nminus1
(5)
Finally we can conclude
Pr[∆In = 0|N1 oplusN2 = S1 oplus S2] =2minusn
2minusn+1=
1
2 (6)
Attack Procedure We can now give the detailed procedure to recover K2
1 Choose an arbitrary associated data A and a single-block message M thenquery SEnc for q different nonces N and receive the corresponding encrypted
13
nonces S and ciphertexts C save them in a table indexed by N oplus S Witha suitable value of q (in the order of 2n2) there are two pairs of nonces(N1 N2) satisfying N1 oplusN2 = S1 oplus S2 one of which is expected to furthersatisfy ∆In = 0
2 For each pair with N1 oplus N2 = S1 oplus S2 assuming that ∆In = 0 we have∆G = ∆S and we obtain a cubic polynomial equation with unknown variableK2 which can be solved with factoring tools
∆S = GHASHcoreK2(0|A|∆C0n) = ∆C[0] middotK32 oplus∆C[1] middotK2
2
3 Identify the correct candidate for K2 with forgery attempts
Using two pairs of nonces this attack suggests a small set of six key candi-dates The correct key can be identified with forgery attempts or by using morepairs and looking for a repeated key candidate
More precisely we will describe how to construct a forgery with known can-didate of K2 for GCM-RUP in Section 5 for a given message which can be usedto filter the correct K2 There would be two cases
ndash If the forgery is constructed under the correct candidate for K2 it can passthe verification algorithm of GCM-RUP
ndash If the forgery is constructed under the wrong candidate for K2 it will receivea failure of the verification of GCM-RUP
We only need to query the verification oracle SVer six times to identify thecorrect K2 The cost for this step is negligible
Complexity Estimation As already mentioned the probability of two ran-dom nonces N1 and N2 satisfying ∆In = 0 is 2minus128 Starting from a set of qqueries we can evaluate the probability p of finding an inner collision followingthe analysis of the birthday paradox
p 1minus eminusq2(2times2128)
Thus
q radic
2times 2128 ln1
1minus p
Table 1 shows number of nonces needed to achieve the given probability ofsuccess
43 Experimental Verification with Mini-GCM-RUP
In order to verify our attack theory we use a mini version of GCM-RUP con-structed with the 16-bit block cipher 4-round Mini-AES [28] to experimentallyrecover K2 This experiment identifies pairs of nonces in event X and Y from29 random nonces and recover K2 with SageMath We execute this experimentseveral times to give some results to show the validity of probabilities of eventX and Y in our paper the detail is listed in Table 2
In this table we see that probabilities of event X and Y conform to Equation(5) and (6) respectively The complexity of this experiment is dominated by 29
14
Table 1 Number of Nonces Needed to Achieve the Given Success Probability
Number of nonces to identify inner collision Probability of finding inner collision
263 11264 39265 86266 999
Table 2 Experimental Verification with Mini-GCM-RUP
(K1K2K3) Pair of nonces in X ∆In Pr(X) Pr(Y |X)
(0x3d0e0x2afc0x2e91)(0x27040x0889) 0 1
281
(0x76490x7b0d) 0
(0x4ef30x454b0x1e9a)
(0x23230x602d) 0
729
37
(0x11b70x2b2e) 0x0af7(0x7bab0x3a72) 0(0x12150x1e05) 0xa3b5(0x65930x093d) 0xbce8(0x09bd0x2db2) 0x03cf(0x7d350x5e97) 0
(0x53880x26410x7a4f)
(0x0ba90x46f5) 0x5393
328
12
(0x684d0x5786) 0(0x334c0x22e1) 0x0636(0x44870x13f0) 0(0x54130x03d8) 0(0x5a910x179f) 0x0c06
(0x56910x2ee90x5a68)(0x38740x7546) 0x3fcb 1
2812(0x44b00x4323) 0
15
5 Universal Forgery Attack of GCM-RUP
In this section we will construct forgeries for GCM-RUP given a candidate forK2 We consider a challenge message Mlowast (and possibly a challenge associateddata Alowast) and our goal is to construct a valid ciphertext for Mlowast
51 Almost Universal Forgery Attack
The first forgery attack makes only one query to the encryption oracle SEnc andthen constructs a forgery by solving an equation over GF (2128)
For an arbitrary nonce N associated data A and message M (with |M | =|Mlowast|) query (NAM) and receive the corresponding ciphertext (SC) LetG = GHASHK2
(AC) and the keystream used to XOR message is computed by
EncK1(N) = C oplus (0τM)
We create a valid encryption of Mlowast by reusing the same nonce N and the valuesG and S
First we compute Clowast corresponding to Mlowast
Clowast = 0τMlowast oplus EncK1(N)
= 0τMlowast oplus (C oplus 0τM)(7)
Then we construct Aprime such that
GHASHK2(Aprime Clowast) = GHASHK2
(AC)
where A C Clowast and K2 are known This gives a linear equation over GF (2128)which can easily be solved assuming that |Aprime| ge 128 and K2 6= 0
To summarize for any chosen message Mlowast we can give a successful forgery(AprimeMlowast Sprime C prime) satisfying (Sprime = SC prime = 0τMlowastoplus(Coplus0τM)) This is an almostuniversal forgery because we can choose Mlowast freely but not Aprime
52 Universal Forgery Attack
Alternatively we can design an attack where we choose both Alowast and Mlowast using2n2 queries First we make 2n2 queries (Ni AM) for fixed A and M with|M | = |Mlowast| and receive the corresponding (Si Ci) Since K2 is known we cancompute Gi = GHASH(ACi) and recover the corresponding inputs and outputsto EK3
EK3(Ni oplusGi) = Si oplusGi
Then we can use the same nonces Ni to build a forgery For each Ni webuild the corresponding C primei from Mlowast and Ci as above and we check whetherNioplusGHASH(Alowast C primei) is in the set of known inputs to EK3
With high probabilityone of the nonces will result in a match Ni oplus GHASH(Alowast C primei) = Nj oplus Gj andwe deduce a forgery using Sprime = Sj oplusGj oplus GHASH(Alowast C primei)
16
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
K4E
Fig 4 A Variant for GCM-RUP
17
6 Variant of GCM-RUP
Our forgery attack against GCM-RUP highlights a potential weakness on thestructure of GCM-RUP the output difference of the function GHASHK2
canbe recovered with birthday complexity and this leads to a recovery of K2 Inorder to prevent this attack we suggest to add a block cipher call in the TBCconstruction used in GCM-RUP as shown in Fig 4 to avoid leakage of theoutput difference of the function GHASHK2
This modified TBC still follows the XTX construction of Iwata and Mine-matsu [24] using universal hash function EK4
(GHASHK2(AC)) instead of the
original GHASHK2(AC) The new universal hash function has the same security
bounds but does not leak the key from an output difference Thus the securityproof of GCM-RUP is still applicable to this variant But we do not provide aformal security proof The extra block cipher has a limited impact on efficiencyand might offer better security by avoiding our attack
More generally the modified GHASH could replace GHASH in other designsIn particular the corresponding modification of GCM would prevent the uni-versal forgery attack with complexity 22n3 given in [20] We believe that thisconstruction is worth further study Further work will be needed to determinewhether this modification actually provides extra security and how much
7 Conclusion
This paper shows a birthday-bound attack against GCM-RUP [2] using innercollisions to recover the output difference of the function GHASHK2
Hence K2
can be retrieved by solving a polynomial equation and this directly leads toa universal forgery attack against GCM-RUP This forgery attack shows thatthe construction of GCM-RUP breaks drastically when the security bound isreached This is surprising because no such attack is known on GCM the bestknown universal forgery attack requires 22n3 operations
Finally a minor modification of GCM-RUP is suggested to prevent this kindof attack using an additional block cipher to protect the output of GHASHWith little performance loss this design focusing on GHASH can be applied toall GHASH-based designs
In a more general setting our attack technique can be applied to the LRWconstruction [21] with a polynomial universal hash function as used in OCB forinstance Actually the corresponding attack on OCB would match the previousattack by Ferguson [9]
8 Acknowledgement
This work was supported by the National Natural Science Foundation of Chinaunder Grant Nos 61572293 and 61602276 National Cryptography DevelopmentFoundation of China under Grant No MMJJ20170102 Major Scientific andTechnological Innovation Projects of Shandong Province China under Grant
18
No 2017CXGC0704 Natural Science Foundation of Shandong Province Chinaunder Grant No ZR2016FM22
References
1 Andreeva E Bogdanov A Luykx A Mennink B Mouha N Yasuda K How toSecurely Release Unverified Plaintext in Authenticated Encryption In Sarkar PIwata T (Eds) ASIACRYPT 2014 PART I LNCS 8873 pp 105ndash125 Springer
2 Ashur T Dunkelman O Luykx A Boosting Authenticated Encryption Robust-ness with Minimal Modifications In Katz J Shacham H (Eds) CRYPTO 2017Part III LNCS 10403 pp 3-33 Springer
3 Bellare M Namprempre C Authenticated Encryption Relations among Notionsand Analysis of the Generic Composition Paradigm In Okamoto T (Eds) ASI-ACRYPT 2000 LNCS 1976 pp 531ndash545 Springer
4 Bhargavan K Leurent G On the practical (in-)security of 64-bit block ciphersCollision attacks on HTTP over TLS and OpenVPN In Weippl ER Katzen-beisser S Kruegel C Myers AC Halevi S (eds) ACM CCS 2016 pp 456ndash467ACM Press (Oct 2016)
5 Cantor DG Zassenhaus H A new algorithm for factoring polynomials overfinite fields Mathematics of Computation pp 587ndash592 (1981)
6 Chaigneau C Gilbert H Is AEZ v41 sufficiently resilient against key-recoveryattacks IACR Trans Symm Cryptol 2016(1) 114ndash133 (2016) httptosc
iacrorgindexphpToSCarticleview538
7 Dierks T Allen C RFC 2246 - The TLS Protocol Version 10 Internet ActivitiesBoard (Jan 1999)
8 Dworkin M Recommendation for Block Cipher Modes of Operation Ga-loisCounter Mode (GCM) and GMAC National Institute of Standards and Tech-nology SP 800-38D November 2007
9 Ferguson N Collision attacks on OCB Comment to NIST (Feb 2002)
10 Fuhr T Leurent G Suder V Collision attacks against CAESAR candidates -forgery and key-recovery against AEZ and Marble In Iwata T Cheon JH (eds)ASIACRYPT 2015 Part II LNCS vol 9453 pp 510ndash532 Springer Heidelberg(Nov Dec 2015)
11 Gligor V Donescu P Fast Encryption and Authentication XCBC Encryptionand XECB Authentication Modes In Matsui M (Eds) FSE 2001 LNCS 2355pp 92-108 Springer
12 Gueron S Lindell Y GCM-SIV Full Nonce Misuse-Resistant Authenticated En-cryption at Under One Cycle per Byte In Ray I Li N Kruegel C (Eds) Pro-ceedings of the 22nd ACM SIGSAC Conference on Computer and CommunicationsSecurity Denver CO USA 12ndash16 October 2015 pp 109-119 ACM (2015)
13 Halevi S Rogaway P A Parallelizable Enciphering Mode In Okamoto T (Eds)CT-RSA 2004 LNCS 2964 pp 292ndash304 Springer
14 Hoang VT Krovetz T Rogaway P Robust Authenticated-Encryption AEZ andthe Problem That It Solves In Oswald E Fischlin M (eds) EUROCRYPT 2015LNCS vol 9056 pp 15-44 Springer Berlin Heidelberg
15 Inoue A Iwata T Minematsu K Poettering B Cryptanalysis of OCB2 At-tacks on Authenticity and Confidentiality In Boldyreva A Micciancio D (eds)CRYPTO 2019 LNCS vol 11692 Springer Cham
19
16 Iwata T Ohashi K Minematsu K Breaking and repairing GCM securityproofs In Safavi-Naini R Canetti R (eds) CRYPTO 2012 LNCS vol 7417pp 31ndash49 Springer Heidelberg (Aug 2012)
17 Joux A Comments on the Draft GCM Specification - Authentication Fail-ures in NIST Version of GCM httpcsrcnistgovgroupsSTtoolkitBCMdocumentscomments800-38Series-DraftsGCMJouxcommentspdf
18 Jutla C Encryption Modes with Almost Free Message Integrity In Pfitzmann B(Eds) EUROCRYPT 2001 LNCS 2045 pp 529-544 Springer
19 Leurent G Peyrin T Wang L New generic attacks against hash-based MACsIn Sako K Sarkar P (eds) ASIACRYPT 2013 Part II LNCS vol 8270 pp1ndash20 Springer Heidelberg (Dec 2013)
20 Leurent G Sibleyras F The missing difference problem and its applications tocounter mode encryption In Nielsen JB Rijmen V (eds) EUROCRYPT 2018Part II LNCS vol 10821 pp 745ndash770 Springer Heidelberg (Apr May 2018)
21 Liskov M Rivest RL Wagner D Tweakable Block Ciphers In Yung M (Eds)CRYPTO 2002 LNCS 2442 pp 31-46 Springer
22 Luykx A Preneel B Optimal forgeries against polynomial-based MACs andGCM In Nielsen JB Rijmen V (eds) EUROCRYPT 2018 Part I LNCS vol10820 pp 445ndash467 Springer Heidelberg (Apr May 2018)
23 McGrew D Viega J The Security and Performance of the GaloisCounter Mode(GCM) of Operation In Canteaut A Viswanathan K (eds) INDOCRYPT 2004LNCS vol 3348 pp 343-355 Springer Berlin Heidelberg
24 Minematsu K Iwata T Tweak-length extension for tweakable blockciphers InGroth J (ed) 15th IMA International Conference on Cryptography and CodingLNCS vol 9496 pp 77ndash93 Springer Heidelberg (Dec 2015)
25 Mitchell CJ On the security of XCBC TMAC and OMAC Technical Re-port RHUL-MA-2003-4 19 August 2003 Available at httpwwwrhulac
ukmathematicstechreports Also available from NISTrsquos web page at http
csrcnistgovCryptoToolkitmodescomments
26 Nandi M Bernstein bound on WCS is tight - repairing Luykx-Preneel optimalforgeries In Shacham H Boldyreva A (eds) CRYPTO 2018 Part II LNCSvol 10992 pp 213ndash238 Springer Heidelberg (Aug 2018)
27 Peyrin T Wang L Generic universal forgery attack on iterative hash-basedMACs In Nguyen PQ Oswald E (eds) EUROCRYPT 2014 LNCS vol 8441pp 147ndash164 Springer Heidelberg (May 2014)
28 Phan R CW Mini Advanced Encryption Standard (Mini-AES) A Testbed forCryptanalysis Students In Cryptologia XXVI (4) 2002 httpsstaffguilanacirstaffusersrebrahimifckeditor_repofilemini-aes-specpdf
29 Preneel B van Oorschot PC On the security of two MAC algorithms In Mau-rer UM (ed) EUROCRYPTrsquo96 LNCS vol 1070 pp 19ndash32 Springer Heidelberg(May 1996)
30 Rogaway P Bellare M Black J OCB A Block-Cipher Mode of Operation forEfficient Authenticated Encryption Transactions on Information and System Se-curity Vol 6 No 3 August 2003 pp 365-403
31 Rogaway P Shrimpton T A Provable-Security Treatment of the Key-WrapProblem In Vaudenay S (Eds) EUROCRYPT 2006 LNCS 4004 pp 373-390Springer
32 Shrimpton T Terashima RS A Modular Framework for Building Variable-Input-Length Tweakable Ciphers In Sako K Sarkar P (Eds) ASIACRYPT 2013 PartI LNCS 8269 pp 405ndash423 Springer
20
33 Sung J Hong D Lee S Key recovery attacks on the RMAC TMAC andIACBC In Safavi-Naini R Seberry J (eds) ACISP 03 LNCS vol 2727 pp265ndash273 Springer Heidelberg (Jul 2003)
34 Wegman MN Carter L New Hash Functions and Their Use in Authenticationand Set Equality Journal of Computer and System Sciences 22 265-279 (1981)
35 The CAESAR committee CAESAR Competition for Authenticated EncryptionSecurity Applicability and Robustness httpcompetitionscryptocaesarhtml
36 IEEE Standard for Local and Metropolitan Area Networks Media Access Control(MAC) Security IEEE Std 8021AE-2006 (2006)
37 Information Technology - Security Techniques - Authenticated EncryptionISOIEC 197722009 International Standard ISOIEC 19772 (2009)
38 NIST Lightweight Cryptography httpscsrcnistgovProjects
Lightweight-Cryptography
39 National Security Agency Internet Protocol Security (IPsec) Minimum EssentialInteroperability Requirements IPMEIR Version 100 Core (2010) httpwwwnsagoviaprogramssuitebcryptographyindexshtml
40 Sage Documentation SageMath Help httpwwwsagemathorg
21
- Universal Forgery Attack against GCM-RUP
- Yanbin Li Gaeumltan Leurent Meiqin Wang Wei Wang Guoyan Zhang Yu Liu
-
of GCM-RUP breaks when the bound is reached a universal forgery attack ismuch stronger than a distinguishing attack
This is significant because no similar attack is known against GCM on theone hand there are attacks with roughly
radicntimes2n2 queries and time 2n [202226]
and on the other hand attacks withradicntimes 22n3 queries and time ntimes 22n3 [20]
Our results show that universal forgery attacks against GCM-RUP are easierthan against GCM even though the security bounds from the proofs are similarand both proofs are known to be tight (with simple distinguishing attacks)
Our attack is based on the following techniques
ndash We show that inner collisions in the authentication part of GCM-RUP canbe detected efficiently and give out the output difference of the universalhash function GHASHK2
ndash Due to the structure of GHASH we build a polynomial equation in K2 whichcan be solved efficiently
ndash Finally when K2 is known we can sign arbitrary messages This defines auniversal forgery attack with complexity 2n2 (time and data)
Since our attack points out a weakness in the structure of GCM-RUP we alsosuggest a minor modification to GCM-RUP to prevent the leakage of the outputof GHASHK2
by using an extra block cipher call EK4to encrypt the output of
GHASHK2 The objective of our variant is to achieve better security in the RUP
setting and in the classical settingMany designs use GHASH because of its high performances However the
output of GHASH may leak information about the key as exploited in ourattack Therefore the stronger GHASH variant we proposed could be applied tonot only GCM like scheme but also future GHASH-based designs
12 Related Works
Modes of operation are usually studied with security proofs but there is a grow-ing interest in generic attacks showing how the security degrades when the proofdoesnrsquot hold In particular many attacks focus on (partial) key-recovery mostmodes of operations have distinguishing attacks with birthday complexity 2n2but key-recovery and universal forgery attacks with the same complexity showthat some schemes are more fragile than others when approaching the birthdaybound
For instance in 1996 Preneel and Van Oorshot gave a full key recovery attackagainst the Envelope MAC with complexity 2n2 [29] In 2003 Mitchell studiedseveral variants of CBC-MAC and compared their security against key-recoveryattacks [25] for some schemes the best attack reported requires an exhaustivesearch over an n-bit key but attacks with birthday complexity can recover apartial key for TMAC and OMAC [33] leading to stronger forgery attacks Morerecently a series of works has shown birthday attacks against HMAC with fullkey recovery when the hash function uses an internal checksum [19] and universalforgeries [27] in general During the CAESAR competition it was pointed out
3
that the security of AEZ [14] collapses at the birthday bound with a full keyrecovery [10] The scheme was modified to avoid the attack but a variant is stillapplicable [6]
Besides MAC algorithms there has also been work on message-recovery at-tacks on encryption modes with a stronger impact than distinguishers Thewell-known collision attack against CBC has been shown to be usable in prac-tice with 64-bit block ciphers [4] and message-recovery attacks have also beenshown against the CTR mode [20] even though the well-known distinguisher ismuch weaker
All these results clearly show the importance of cryptanalysis work againstmodes of operation even when the attacks do not contradict the proofs Inaddition this type of work sometimes detects mistakes in the proofs as shownwith GCM [16] and OCB2 [15]
13 Organization
The remainder of this paper is organized as follows Section 2 gives the prelimi-naries Section 3 briefly describes the generic construction and its instantiationGCM-RUP We recover the authentication key in Section 4 and a universalforgery is provided in Section 5 Section 6 recommends a minor modification toGCM-RUP to resist our forgery attack Finally Section 7 concludes this paper
2 Preliminaries
This section will show notations operations some cryptographic schemes andsecurity definitions used in this paper
21 Notations and Operations
ndash n The block size of the block cipher (for GCM-RUP n = 128)ndash 0 1lex The set of strings with length no greater than x bitsndash 0 1lowast The set of strings with arbitrary lengthndash |X| Length of X if X isin 0 1lowastndash X oplus Y Bit-wise exclusive OR of X and Y if XY isin 0 1lowastndash X middot Y Galois field multiplication of X and Y if XY isin 0 1nndash XY or XY Concatenation of X and Y if XY isin 0 1lowastndash ε The empty stringndash 0n n-bit string consisting of only zerosndash lenn(X) Length of X modulo 2n as an n-bit stringndash X0lowastn X padded on the right with 0-bits to get a string of length a multiple
of nndash |X|n Xrsquos length in n-bit blocks |X|n = d|X|nendash X[1]X[2] X[x]
nlarrminus X Split X into substrings such that |X[i]| = n fori = 1 xminus 1 0 lt |X[x]| le n and X[1] X[x] = X
4
ndash int(Y ) Map the j bits string Y = ajminus1 a1a0 to the integer i = ajminus12jminus1+middot middot middot+ a12 + a0
ndash strj(i) Map the integer i = ajminus12jminus1 + middot middot middot+a12+a0 lt 2j to the j-bit stringajminus1 a1a0
ndash incm(X) The function which adds one modulo 2m to X when viewed as aninteger incm(X) = strm(int(X) + 1 mod 2m)
ndash msbj(X) j most significant bits of X msbj(aiminus1 a1a0) = aiminus1 aaminusj ndash lsbj(X) j least significant bits of X lsbj(aiminus1 a1a0) = ajminus1 a0ndash F larr E(Cmiddot) Define F (X) = E(CX) where C is fixed as constant
ndash a= b Evaluate to gt if a equals b and perp otherwise
22 AE Separated AE and TBC
An authenticated encryption scheme is a symmetric key algorithm that providesboth confidentiality and authenticity Bellare and Namprempre [3] defined theformal notion of authenticated encryption as follows
Definition 1 (AE [3]) An AE scheme consists of a pair of functions theencryption function Enc and the decryption function Dec
Enc K timesN timesAtimesMrarr CDec K timesN timesAtimes C rarrMcup perp
with K the key space N the nonce space A the associated data space M themessage space C the ciphertext space and perp an error symbol not contained inM which represents verification failure It must be the case that for all K isin KN isin N A isin A and M isinM
DecNK(AEncNK(AM)) = M
The decryption process typically has two phases plaintext computation andverification the plaintext obtained from decryption is only given out after suc-cessful verification However keeping the full plaintext in memory can be an issuefor constrained devices and side-channel attacks can potentially recover infor-mation about the plaintext while it is decrypted Therefore new models havebeen introduced to take into account the effect of releasing unverified plaintextIn particular Andreeva et al [1] defined separated AE schemes where the plain-text computation is disconnected from verification in this model the decryptionfunction always releases the plaintext without verifying it Formally a separatedAE scheme is defined as
Definition 2 (separated AE [1]) A separated AE scheme consists of a tripletof functions the encryption function SEnc the decryption function SDec andthe verification function SVer where
SEnc K timesN timesAtimesMrarr CSDec K timesN timesAtimes C rarrM
SVer K timesN timesAtimes C rarr gtperp
5
with K the key space N the nonce space A the associated data space M themessage space C the ciphertext space The special symbols gt and perp indicate thesuccess and failure of the verification respectively It must be the case that forall K isin K N isin N A isin A and M isinM
SDecNK(ASEncNK(AM)) = M and SVerNK(ASEncNK(AM)) = gt
Finally we need to introduce the notion of tweakable block cipher (TBC)which is used in GCM-RUP A tweakable block cipher is a generalization of ablock cipher with an additional tweak input generating a family of independentblock ciphers [21]
Definition 3 (TBC [21]) A TBC could be regarded as a pair of functions(ED) with
E K times T times X rarr X D K times T times X rarr X
where K is the key space T is the tweak space and X is the domain For allK isin K T isin T and X isin X ETK is a permutation of X with DTK as inverse and
DTK(ETK(X)) = X
3 Brief Description of GCM-RUP [2]
Ashur Dunkelman and Luykx proposed a generic construction of an efficientseparated AE scheme at CRYPTOrsquo17 [2] Their construction uses an encryptionscheme and a TBC and achieves security in the RUP setting assuming that theencryption scheme is strongly indistinguishable-from-random-bits (SRND) [1332] and the TBC is a strong pseudorandom permutation (SPRP) [32] Basedon the generic construction a dedicated instantiation GCM-RUP is built usingAES-GCMrsquos primitives This section will describe this construction and GCM-RUP
31 Generic Construction with RUP Security [2]
Let (EncDec) be an encryption scheme (without authentication) with K the keyspace N the nonce spaceM the message space and C the ciphertext space Let(ED) denote a TBC with key space L tweak space T = C and domain X = N Then define the separated AE scheme (SEncSDecSVer) as follows
SEncNKL(AM) =(S = EACL (N) C = EncNK(αM)
)
SDecKL(ASC) = lsb|C|minusτ (DecDAC
L (S)K (C))
SVerKL(ASC) = msbτ (DecDAC
L (S)K (C))
= α
6
where (KL) isin KtimesL is the key N is the nonce space A is the associated dataspaceM is the message space N timesC is the ciphertext space and α isin 0 1τ issome pre-defined constant The construction is depicted in Fig 1 The proceduresof encryption decryption and verification are illustrated in Fig 1 (a) (b) and(c) respectively
The novelty of the generic construction is that the nonce is encrypted usingthe ciphertext as a tweak This provides security in the RUP setting becauseif an attacker modifies the ciphertext or the encrypted nonce the decryptionoracle will output a random plaintext The authentication security comes fromthe redundancy in the plaintext with the pre-defined constant α (known byboth sides) the length of α determines the security level In order to maintainsecurity up to the birthday bound on the block size the size of α and the noncesize are fixed to be the same as the block size n
32 GCM-RUP [2]
GCM-RUP is an instantiation of the generic construction using the counter mode(CTR) for encryption and the XTX construction [24] with GHASH for the tweak-able block cipher It reuses the component of GCM in order to benefit from theefficient implementations available while offering more robustness with securityin the RUP setting Before describing GCM-RUP itself we first define the prim-itives borrowed from GCM Let n denote the block length of the available blockcipher in this case n = 128
The first one is the universal hash function GHASH which takes a key H andtwo strings M and M prime as input (in GCM GHASH is used in the Wegman-Carterconstruction to build a MAC [34]) The core of GHASH is defined with a singlestring M constituted of full blocks and evaluates a polynomial defined from Mat H as follows
GHASHcoreH(M) =
|M |nminus1oplusi=0
M [i] middotH |M |nminusi (1)
The symbol ldquomiddotrdquo represents multiplication in the Galois field GF (2n) All thecomputations are performed by the rule of operations defined in finite fieldGHASH is defined from GHASHcore it takes two strings M and M prime as inputzero-pads and concatenates them and adds the binary representation of thelengths of M and M prime before processing the result through GHASHcore
GHASHH(MM prime) = GHASHcoreH(M0lowastnM prime0lowastnstrn2(|M |)strn2(|M prime|))
where the function strj(i) maps the integer i = ajminus12jminus1 + middot middot middot+ a12 + a0 lt 2j
to the j-bit string ajminus1 a1a0 Algorithm 1 describes the procedure of thefunction
The second important auxiliary function is the CTR mode Given a countervalue X a positive integer m and a predefined keyed function F as input thisfunction CTR[F ](Xm) outputs a string S with m blocks Each block of S is
7
N M
S C
α
(a) Encryption
S C
EL
EncK
DL
DecK
M
lsb|C|-τ
(b) Decryption
S C
DL
DecK
msbτ
(c) Verification
α
A
A A
Fig 1 Generic Construction with RUP Security
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
EncK1
EK2K3
G
In
Out
Fig 2 GCM-RUP (Figure from [2])
8
Algorithm 1 GHASHH(MM prime)
Input H isin 0 1n M isin 0 1len(2n2minus1) M prime isin 0 1len(2
n2minus1)
Output Y isin 0 1n1 X larrM0lowastnM prime0lowastnstrn2(|M |)strn2(|M prime|)2 X[1]X[2] X[x]
nlarrminus X3 Y larr 0n
4 for 1 le j le x do5 Y larr H middot (Y oplusX[j])6 end for7 return Y
computed by S[i] = F (incix(X)) where incx represents counter incrementationadding one modulo 2x to X with the convention that incix represents i successiveimplementations The CTR mode is defined in Algorithm 2
Algorithm 2 CTR[F ](Xm)
Input F 0 1x rarr 0 1n X isin 0 1x m isin NOutput S isin 0 1mn1 I larr X2 for 1 le j le m do3 S[j]larr F (I)4 I larr incx(I)5 end for6 S larr S[1]S[2] S[m]7 return S
Finally GCM-RUP uses three keys K1 is used for the CTR encryption andK2 and K3 are used for the TBC following the XTX construction (K2 is usedfor GHASH and K3 is used for the underlying block cipher call) GCM-RUPencrypts a message M together with its associated data A and a nonce N intoa ciphertext C and an encrypted nonce S The associated data the message andthe ciphertext are all seen as sequences of blocks of length n GCM-RUP followsthe generic construction given above and is described in Fig 2 with pseudocodein Algorithm 3 (with ε an empty string) In the figure EncK1
corresponds toCTR mode encryption and EK2K3
to the TBC
As an instantiation of the generic construction with RUP security GCM-RUPis secure under RUP setting More precisely GCM-RUP can provide security upto the birthday bound on the block size (because this is the security of theunderlying AE scheme and TBC)
9
Algorithm 3 GCM-RUPK1K2K3(NAM)
Input K1K2K3 isin 0 13n A isin 0 1n232
M isin 0 1n232
Output (SC) isin 0 1n times 0 1τ+|M|1 M larr 0τM2 Llarr EK1(0n)3 I larr GHASHL(εN)4 mlarr |M |n5 F larr EK1(msb96(I)middot)6 S larr CTR[F ](inc32(lsb32(I))m)7 C larrM oplusmsb|M|(S)8 Glarr GHASHK2(AC)9 S larr EK3(N oplusG)oplusG
10 return (SC)
4 Partial Authentication Key Recovery for GCM-RUP
Our analysis focuses on the GHASHK2function which can be written as a poly-
nomial in K2 In this section we analyze properties of GHASHK2 which are thenused to recover K2 After recovering K2 it is possible to perform a forgery attackfor GCM-RUP
The main property used in our attacks is that G the output of GHASHK2as
defined in Fig 2 is linearly dependent on the input (AC) for fixed K2 There-fore the output difference ∆G of values G emerging in encryption operationsof two input tuples (N1 AM) and (N2 AM) is independent of the value of(AM) and is only a function of N1 and N2
Based on this property we retrieve K2 with the following two steps
ndash For a fixed associated data and message we search for a pair of nonces(N1 N2) which produce a collision for the input of EK3
using a birthdayattack For such pair of nonces (N1 N2) ∆G = N1 oplusN2 = S1 oplus S2
ndash With a known∆G a polynomial equation inK2 is derived from the GHASHK2
definition Then K2 can be retrieved by solving this equation
In this section we will give the detailed description of the recovery of K2
41 Properties of GHASH
Let Π = (SEncSDecSVer) denote the scheme GCM-RUP We focus on thecomponent GHASHK2
with inputs the associated data A and the ciphertext CIn order to clearly describe the attack we rewrite GHASHK2
as
G = GHASHK2(AC) = GHASHcoreK2(ACstrn2(|A|)strn2(|C|))
According to the definition of GHASHcore given by Equation (1) G is linear inthe GHASHcore input (ACstrn2(|A|)strn2(|C|)) for a fixed K2 Thereforewe consider the difference ∆G in the output of GHASHK2
for a pair of inputs
10
Property 1 When processing a fixed associated data A and message M un-der two distinct nonces (N1 N2) with GCM-RUP the output difference ∆G ofGHASHK2 is only dependent on N1 and N2 but independent on A and M Thisalso holds for the input difference of EK3
Proof For two tuples (N1 AM) and (N2 AM) query SEnc and get
(S1 C1)larr GCM-RUP(N1 AM)
(S2 C2)larr GCM-RUP(N2 AM)
Let G1 and G2 represent the corresponding outputs of the function GHASHK2
in the encryptions under nonces N1 and N2 respectively
G1 = GHASHK2(AC1)
G2 = GHASHK2(AC2)
where
C1 = (0τM)oplus EncK1(N1)
C2 = (0τM)oplus EncK1(N2)
the function EncK1is defined in the upper dotted box in Fig 2 Hence
∆G = G1 oplusG2
= GHASHK2(AC1)oplus GHASHK2
(AC2)(2)
From the definition of GHASH we have
∆G = GHASHcoreK2
(AoplusAC1 oplus C2
(strn2(|A|)strn2(|C1|))oplus (strn2(|A|)strn2(|C2|)))
= GHASHcoreK2(0|A|∆C0n)
= GHASHcoreK2(0|A|EncK1
(N1)oplus EncK1(N2)0n)
(3)
which shows that the output difference of the function GHASHK2depend only
on N1 and N2 for two tuples (N1 AM) and (N2 AM) The input differenceof EK3
can be computed as
∆In = N1 oplusN2 oplus∆G= N1 oplusN2 oplus GHASHcoreK2(0|A|∆C0n)
(4)
so it is also independent of A and M 2
In particular if we can recover a value ∆G we can then extract K2 bysolving a polynomial equation given the ciphertext difference∆C and the outputdifference ∆G
∆G = GHASHcoreK2(0|A|∆C0n)
11
For simplicity we assume that |M | = n and τ = n this implies |C1| = |C2| = 2n
∆G = ∆C[0] middotK32 oplus∆C[1] middotK2
2
This a polynomial equation in K2 in the Galois field with 2128 elements Luckilythere are efficient algorithm to factor polynomials over finite fields For instancethe Cantor-Zassenhaus algorithm [5] requires O(n2(log(r) log(q) + n)) field op-erations to factor a degree-n polynomial with r irreducible factors over a fieldwith q elements In practice with the parameters used here this takes negligibletime using the implementation of SageMath [40]
42 Recovering K2 from Inner Collisions
As explained earlier the first step of the attack is to identify collisions in theinput of EK3 defined as In = N oplus G Following the analysis above we startwith a fixed associated data A and message M and query SEnc for q differentnonces to receive the corresponding encrypted nonces S and ciphertexts C
In order to simplify the description we focus on the value In and we considerthe function mapping NAM to In denoted as PEnc and represented by Fig 3The output values of PEnc can not be accessed by the attacker but collisions inPEnc can be detected As for In and the output Out of EK3
In = N oplusGOut = S oplusG
When the collisions happen ∆In = ∆Out = 0 which means
N1 oplusN2 oplusG1 oplusG2 = 0
S1 oplus S2 oplusG1 oplusG2 = 0
Thus N1 oplus N2 = S1 oplus S2 = ∆G If the collisions ∆N = ∆S can be detectedthe collisions in PEnc can be detected Meanwhile this type of collisions give outthe value of ∆G which can be used to recover K2 Moreover the correspondingpairs can be identified efficiently We just build a list of all nonces indexed byNi oplus Si sort the list and look for collisions each collision corresponds to a pairwith N1 oplus S1 = N2 oplus S2 ie N1 oplusN2 = S1 oplus S2 We now consider the converseand evaluate the probability of a collision in PEnc when N1 oplusN2 = S1 oplus S2
We formally define the two events as X and Y
ndash X (N1 oplusN2 = S1 oplus S2) the event identifying pairs of nonces (N1 N2) withthe input difference equal to the output difference of EK3
which is calledouter collision (equivalently it can be defined as ∆In = ∆Out)
ndash Y (∆In = 0) the event identifying pairs of nonces with collision in PEncie zero input difference for EK3
which is called inner collision
First we observe that Y sube X because if ∆In = 0 then ∆Out = 0 andN1 oplusN2 = S1 oplus S2 = ∆G Therefore we have
Pr[Y |X] =Pr[Y ]
Pr[X]
12
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GHA
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
G
In
PEnc
N A M
In
Fig 3 Representation of the Function PEnc
Moreover we have Pr[Y ] = 2minusn because the output of PEnc with a freshnonce is random assuming that E is a PRF In order to compute Pr[X] weconsider two cases depending on event Y
1 ∆In = 0 Then we have necessarily ∆Out = 0 ie Pr[X|∆In = 0] = 12 ∆In 6= 0 A pair with non-zero input difference must produce a non-zero
output difference Assuming that E is a PRF we have Pr[X|∆In 6= 0] =1
2nminus1
Therefore
Pr(X) =Pr[∆In = ∆Out]
=Pr[∆In = ∆Out|∆In = 0]times Pr[∆In = 0]+
Pr[∆In = ∆Out|∆In 6= 0]times Pr[∆In 6= 0]
=1times 1
2n+
1
2n minus 1times 2n minus 1
2n
=1
2nminus1
(5)
Finally we can conclude
Pr[∆In = 0|N1 oplusN2 = S1 oplus S2] =2minusn
2minusn+1=
1
2 (6)
Attack Procedure We can now give the detailed procedure to recover K2
1 Choose an arbitrary associated data A and a single-block message M thenquery SEnc for q different nonces N and receive the corresponding encrypted
13
nonces S and ciphertexts C save them in a table indexed by N oplus S Witha suitable value of q (in the order of 2n2) there are two pairs of nonces(N1 N2) satisfying N1 oplusN2 = S1 oplus S2 one of which is expected to furthersatisfy ∆In = 0
2 For each pair with N1 oplus N2 = S1 oplus S2 assuming that ∆In = 0 we have∆G = ∆S and we obtain a cubic polynomial equation with unknown variableK2 which can be solved with factoring tools
∆S = GHASHcoreK2(0|A|∆C0n) = ∆C[0] middotK32 oplus∆C[1] middotK2
2
3 Identify the correct candidate for K2 with forgery attempts
Using two pairs of nonces this attack suggests a small set of six key candi-dates The correct key can be identified with forgery attempts or by using morepairs and looking for a repeated key candidate
More precisely we will describe how to construct a forgery with known can-didate of K2 for GCM-RUP in Section 5 for a given message which can be usedto filter the correct K2 There would be two cases
ndash If the forgery is constructed under the correct candidate for K2 it can passthe verification algorithm of GCM-RUP
ndash If the forgery is constructed under the wrong candidate for K2 it will receivea failure of the verification of GCM-RUP
We only need to query the verification oracle SVer six times to identify thecorrect K2 The cost for this step is negligible
Complexity Estimation As already mentioned the probability of two ran-dom nonces N1 and N2 satisfying ∆In = 0 is 2minus128 Starting from a set of qqueries we can evaluate the probability p of finding an inner collision followingthe analysis of the birthday paradox
p 1minus eminusq2(2times2128)
Thus
q radic
2times 2128 ln1
1minus p
Table 1 shows number of nonces needed to achieve the given probability ofsuccess
43 Experimental Verification with Mini-GCM-RUP
In order to verify our attack theory we use a mini version of GCM-RUP con-structed with the 16-bit block cipher 4-round Mini-AES [28] to experimentallyrecover K2 This experiment identifies pairs of nonces in event X and Y from29 random nonces and recover K2 with SageMath We execute this experimentseveral times to give some results to show the validity of probabilities of eventX and Y in our paper the detail is listed in Table 2
In this table we see that probabilities of event X and Y conform to Equation(5) and (6) respectively The complexity of this experiment is dominated by 29
14
Table 1 Number of Nonces Needed to Achieve the Given Success Probability
Number of nonces to identify inner collision Probability of finding inner collision
263 11264 39265 86266 999
Table 2 Experimental Verification with Mini-GCM-RUP
(K1K2K3) Pair of nonces in X ∆In Pr(X) Pr(Y |X)
(0x3d0e0x2afc0x2e91)(0x27040x0889) 0 1
281
(0x76490x7b0d) 0
(0x4ef30x454b0x1e9a)
(0x23230x602d) 0
729
37
(0x11b70x2b2e) 0x0af7(0x7bab0x3a72) 0(0x12150x1e05) 0xa3b5(0x65930x093d) 0xbce8(0x09bd0x2db2) 0x03cf(0x7d350x5e97) 0
(0x53880x26410x7a4f)
(0x0ba90x46f5) 0x5393
328
12
(0x684d0x5786) 0(0x334c0x22e1) 0x0636(0x44870x13f0) 0(0x54130x03d8) 0(0x5a910x179f) 0x0c06
(0x56910x2ee90x5a68)(0x38740x7546) 0x3fcb 1
2812(0x44b00x4323) 0
15
5 Universal Forgery Attack of GCM-RUP
In this section we will construct forgeries for GCM-RUP given a candidate forK2 We consider a challenge message Mlowast (and possibly a challenge associateddata Alowast) and our goal is to construct a valid ciphertext for Mlowast
51 Almost Universal Forgery Attack
The first forgery attack makes only one query to the encryption oracle SEnc andthen constructs a forgery by solving an equation over GF (2128)
For an arbitrary nonce N associated data A and message M (with |M | =|Mlowast|) query (NAM) and receive the corresponding ciphertext (SC) LetG = GHASHK2
(AC) and the keystream used to XOR message is computed by
EncK1(N) = C oplus (0τM)
We create a valid encryption of Mlowast by reusing the same nonce N and the valuesG and S
First we compute Clowast corresponding to Mlowast
Clowast = 0τMlowast oplus EncK1(N)
= 0τMlowast oplus (C oplus 0τM)(7)
Then we construct Aprime such that
GHASHK2(Aprime Clowast) = GHASHK2
(AC)
where A C Clowast and K2 are known This gives a linear equation over GF (2128)which can easily be solved assuming that |Aprime| ge 128 and K2 6= 0
To summarize for any chosen message Mlowast we can give a successful forgery(AprimeMlowast Sprime C prime) satisfying (Sprime = SC prime = 0τMlowastoplus(Coplus0τM)) This is an almostuniversal forgery because we can choose Mlowast freely but not Aprime
52 Universal Forgery Attack
Alternatively we can design an attack where we choose both Alowast and Mlowast using2n2 queries First we make 2n2 queries (Ni AM) for fixed A and M with|M | = |Mlowast| and receive the corresponding (Si Ci) Since K2 is known we cancompute Gi = GHASH(ACi) and recover the corresponding inputs and outputsto EK3
EK3(Ni oplusGi) = Si oplusGi
Then we can use the same nonces Ni to build a forgery For each Ni webuild the corresponding C primei from Mlowast and Ci as above and we check whetherNioplusGHASH(Alowast C primei) is in the set of known inputs to EK3
With high probabilityone of the nonces will result in a match Ni oplus GHASH(Alowast C primei) = Nj oplus Gj andwe deduce a forgery using Sprime = Sj oplusGj oplus GHASH(Alowast C primei)
16
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
K4E
Fig 4 A Variant for GCM-RUP
17
6 Variant of GCM-RUP
Our forgery attack against GCM-RUP highlights a potential weakness on thestructure of GCM-RUP the output difference of the function GHASHK2
canbe recovered with birthday complexity and this leads to a recovery of K2 Inorder to prevent this attack we suggest to add a block cipher call in the TBCconstruction used in GCM-RUP as shown in Fig 4 to avoid leakage of theoutput difference of the function GHASHK2
This modified TBC still follows the XTX construction of Iwata and Mine-matsu [24] using universal hash function EK4
(GHASHK2(AC)) instead of the
original GHASHK2(AC) The new universal hash function has the same security
bounds but does not leak the key from an output difference Thus the securityproof of GCM-RUP is still applicable to this variant But we do not provide aformal security proof The extra block cipher has a limited impact on efficiencyand might offer better security by avoiding our attack
More generally the modified GHASH could replace GHASH in other designsIn particular the corresponding modification of GCM would prevent the uni-versal forgery attack with complexity 22n3 given in [20] We believe that thisconstruction is worth further study Further work will be needed to determinewhether this modification actually provides extra security and how much
7 Conclusion
This paper shows a birthday-bound attack against GCM-RUP [2] using innercollisions to recover the output difference of the function GHASHK2
Hence K2
can be retrieved by solving a polynomial equation and this directly leads toa universal forgery attack against GCM-RUP This forgery attack shows thatthe construction of GCM-RUP breaks drastically when the security bound isreached This is surprising because no such attack is known on GCM the bestknown universal forgery attack requires 22n3 operations
Finally a minor modification of GCM-RUP is suggested to prevent this kindof attack using an additional block cipher to protect the output of GHASHWith little performance loss this design focusing on GHASH can be applied toall GHASH-based designs
In a more general setting our attack technique can be applied to the LRWconstruction [21] with a polynomial universal hash function as used in OCB forinstance Actually the corresponding attack on OCB would match the previousattack by Ferguson [9]
8 Acknowledgement
This work was supported by the National Natural Science Foundation of Chinaunder Grant Nos 61572293 and 61602276 National Cryptography DevelopmentFoundation of China under Grant No MMJJ20170102 Major Scientific andTechnological Innovation Projects of Shandong Province China under Grant
18
No 2017CXGC0704 Natural Science Foundation of Shandong Province Chinaunder Grant No ZR2016FM22
References
1 Andreeva E Bogdanov A Luykx A Mennink B Mouha N Yasuda K How toSecurely Release Unverified Plaintext in Authenticated Encryption In Sarkar PIwata T (Eds) ASIACRYPT 2014 PART I LNCS 8873 pp 105ndash125 Springer
2 Ashur T Dunkelman O Luykx A Boosting Authenticated Encryption Robust-ness with Minimal Modifications In Katz J Shacham H (Eds) CRYPTO 2017Part III LNCS 10403 pp 3-33 Springer
3 Bellare M Namprempre C Authenticated Encryption Relations among Notionsand Analysis of the Generic Composition Paradigm In Okamoto T (Eds) ASI-ACRYPT 2000 LNCS 1976 pp 531ndash545 Springer
4 Bhargavan K Leurent G On the practical (in-)security of 64-bit block ciphersCollision attacks on HTTP over TLS and OpenVPN In Weippl ER Katzen-beisser S Kruegel C Myers AC Halevi S (eds) ACM CCS 2016 pp 456ndash467ACM Press (Oct 2016)
5 Cantor DG Zassenhaus H A new algorithm for factoring polynomials overfinite fields Mathematics of Computation pp 587ndash592 (1981)
6 Chaigneau C Gilbert H Is AEZ v41 sufficiently resilient against key-recoveryattacks IACR Trans Symm Cryptol 2016(1) 114ndash133 (2016) httptosc
iacrorgindexphpToSCarticleview538
7 Dierks T Allen C RFC 2246 - The TLS Protocol Version 10 Internet ActivitiesBoard (Jan 1999)
8 Dworkin M Recommendation for Block Cipher Modes of Operation Ga-loisCounter Mode (GCM) and GMAC National Institute of Standards and Tech-nology SP 800-38D November 2007
9 Ferguson N Collision attacks on OCB Comment to NIST (Feb 2002)
10 Fuhr T Leurent G Suder V Collision attacks against CAESAR candidates -forgery and key-recovery against AEZ and Marble In Iwata T Cheon JH (eds)ASIACRYPT 2015 Part II LNCS vol 9453 pp 510ndash532 Springer Heidelberg(Nov Dec 2015)
11 Gligor V Donescu P Fast Encryption and Authentication XCBC Encryptionand XECB Authentication Modes In Matsui M (Eds) FSE 2001 LNCS 2355pp 92-108 Springer
12 Gueron S Lindell Y GCM-SIV Full Nonce Misuse-Resistant Authenticated En-cryption at Under One Cycle per Byte In Ray I Li N Kruegel C (Eds) Pro-ceedings of the 22nd ACM SIGSAC Conference on Computer and CommunicationsSecurity Denver CO USA 12ndash16 October 2015 pp 109-119 ACM (2015)
13 Halevi S Rogaway P A Parallelizable Enciphering Mode In Okamoto T (Eds)CT-RSA 2004 LNCS 2964 pp 292ndash304 Springer
14 Hoang VT Krovetz T Rogaway P Robust Authenticated-Encryption AEZ andthe Problem That It Solves In Oswald E Fischlin M (eds) EUROCRYPT 2015LNCS vol 9056 pp 15-44 Springer Berlin Heidelberg
15 Inoue A Iwata T Minematsu K Poettering B Cryptanalysis of OCB2 At-tacks on Authenticity and Confidentiality In Boldyreva A Micciancio D (eds)CRYPTO 2019 LNCS vol 11692 Springer Cham
19
16 Iwata T Ohashi K Minematsu K Breaking and repairing GCM securityproofs In Safavi-Naini R Canetti R (eds) CRYPTO 2012 LNCS vol 7417pp 31ndash49 Springer Heidelberg (Aug 2012)
17 Joux A Comments on the Draft GCM Specification - Authentication Fail-ures in NIST Version of GCM httpcsrcnistgovgroupsSTtoolkitBCMdocumentscomments800-38Series-DraftsGCMJouxcommentspdf
18 Jutla C Encryption Modes with Almost Free Message Integrity In Pfitzmann B(Eds) EUROCRYPT 2001 LNCS 2045 pp 529-544 Springer
19 Leurent G Peyrin T Wang L New generic attacks against hash-based MACsIn Sako K Sarkar P (eds) ASIACRYPT 2013 Part II LNCS vol 8270 pp1ndash20 Springer Heidelberg (Dec 2013)
20 Leurent G Sibleyras F The missing difference problem and its applications tocounter mode encryption In Nielsen JB Rijmen V (eds) EUROCRYPT 2018Part II LNCS vol 10821 pp 745ndash770 Springer Heidelberg (Apr May 2018)
21 Liskov M Rivest RL Wagner D Tweakable Block Ciphers In Yung M (Eds)CRYPTO 2002 LNCS 2442 pp 31-46 Springer
22 Luykx A Preneel B Optimal forgeries against polynomial-based MACs andGCM In Nielsen JB Rijmen V (eds) EUROCRYPT 2018 Part I LNCS vol10820 pp 445ndash467 Springer Heidelberg (Apr May 2018)
23 McGrew D Viega J The Security and Performance of the GaloisCounter Mode(GCM) of Operation In Canteaut A Viswanathan K (eds) INDOCRYPT 2004LNCS vol 3348 pp 343-355 Springer Berlin Heidelberg
24 Minematsu K Iwata T Tweak-length extension for tweakable blockciphers InGroth J (ed) 15th IMA International Conference on Cryptography and CodingLNCS vol 9496 pp 77ndash93 Springer Heidelberg (Dec 2015)
25 Mitchell CJ On the security of XCBC TMAC and OMAC Technical Re-port RHUL-MA-2003-4 19 August 2003 Available at httpwwwrhulac
ukmathematicstechreports Also available from NISTrsquos web page at http
csrcnistgovCryptoToolkitmodescomments
26 Nandi M Bernstein bound on WCS is tight - repairing Luykx-Preneel optimalforgeries In Shacham H Boldyreva A (eds) CRYPTO 2018 Part II LNCSvol 10992 pp 213ndash238 Springer Heidelberg (Aug 2018)
27 Peyrin T Wang L Generic universal forgery attack on iterative hash-basedMACs In Nguyen PQ Oswald E (eds) EUROCRYPT 2014 LNCS vol 8441pp 147ndash164 Springer Heidelberg (May 2014)
28 Phan R CW Mini Advanced Encryption Standard (Mini-AES) A Testbed forCryptanalysis Students In Cryptologia XXVI (4) 2002 httpsstaffguilanacirstaffusersrebrahimifckeditor_repofilemini-aes-specpdf
29 Preneel B van Oorschot PC On the security of two MAC algorithms In Mau-rer UM (ed) EUROCRYPTrsquo96 LNCS vol 1070 pp 19ndash32 Springer Heidelberg(May 1996)
30 Rogaway P Bellare M Black J OCB A Block-Cipher Mode of Operation forEfficient Authenticated Encryption Transactions on Information and System Se-curity Vol 6 No 3 August 2003 pp 365-403
31 Rogaway P Shrimpton T A Provable-Security Treatment of the Key-WrapProblem In Vaudenay S (Eds) EUROCRYPT 2006 LNCS 4004 pp 373-390Springer
32 Shrimpton T Terashima RS A Modular Framework for Building Variable-Input-Length Tweakable Ciphers In Sako K Sarkar P (Eds) ASIACRYPT 2013 PartI LNCS 8269 pp 405ndash423 Springer
20
33 Sung J Hong D Lee S Key recovery attacks on the RMAC TMAC andIACBC In Safavi-Naini R Seberry J (eds) ACISP 03 LNCS vol 2727 pp265ndash273 Springer Heidelberg (Jul 2003)
34 Wegman MN Carter L New Hash Functions and Their Use in Authenticationand Set Equality Journal of Computer and System Sciences 22 265-279 (1981)
35 The CAESAR committee CAESAR Competition for Authenticated EncryptionSecurity Applicability and Robustness httpcompetitionscryptocaesarhtml
36 IEEE Standard for Local and Metropolitan Area Networks Media Access Control(MAC) Security IEEE Std 8021AE-2006 (2006)
37 Information Technology - Security Techniques - Authenticated EncryptionISOIEC 197722009 International Standard ISOIEC 19772 (2009)
38 NIST Lightweight Cryptography httpscsrcnistgovProjects
Lightweight-Cryptography
39 National Security Agency Internet Protocol Security (IPsec) Minimum EssentialInteroperability Requirements IPMEIR Version 100 Core (2010) httpwwwnsagoviaprogramssuitebcryptographyindexshtml
40 Sage Documentation SageMath Help httpwwwsagemathorg
21
- Universal Forgery Attack against GCM-RUP
- Yanbin Li Gaeumltan Leurent Meiqin Wang Wei Wang Guoyan Zhang Yu Liu
-
that the security of AEZ [14] collapses at the birthday bound with a full keyrecovery [10] The scheme was modified to avoid the attack but a variant is stillapplicable [6]
Besides MAC algorithms there has also been work on message-recovery at-tacks on encryption modes with a stronger impact than distinguishers Thewell-known collision attack against CBC has been shown to be usable in prac-tice with 64-bit block ciphers [4] and message-recovery attacks have also beenshown against the CTR mode [20] even though the well-known distinguisher ismuch weaker
All these results clearly show the importance of cryptanalysis work againstmodes of operation even when the attacks do not contradict the proofs Inaddition this type of work sometimes detects mistakes in the proofs as shownwith GCM [16] and OCB2 [15]
13 Organization
The remainder of this paper is organized as follows Section 2 gives the prelimi-naries Section 3 briefly describes the generic construction and its instantiationGCM-RUP We recover the authentication key in Section 4 and a universalforgery is provided in Section 5 Section 6 recommends a minor modification toGCM-RUP to resist our forgery attack Finally Section 7 concludes this paper
2 Preliminaries
This section will show notations operations some cryptographic schemes andsecurity definitions used in this paper
21 Notations and Operations
ndash n The block size of the block cipher (for GCM-RUP n = 128)ndash 0 1lex The set of strings with length no greater than x bitsndash 0 1lowast The set of strings with arbitrary lengthndash |X| Length of X if X isin 0 1lowastndash X oplus Y Bit-wise exclusive OR of X and Y if XY isin 0 1lowastndash X middot Y Galois field multiplication of X and Y if XY isin 0 1nndash XY or XY Concatenation of X and Y if XY isin 0 1lowastndash ε The empty stringndash 0n n-bit string consisting of only zerosndash lenn(X) Length of X modulo 2n as an n-bit stringndash X0lowastn X padded on the right with 0-bits to get a string of length a multiple
of nndash |X|n Xrsquos length in n-bit blocks |X|n = d|X|nendash X[1]X[2] X[x]
nlarrminus X Split X into substrings such that |X[i]| = n fori = 1 xminus 1 0 lt |X[x]| le n and X[1] X[x] = X
4
ndash int(Y ) Map the j bits string Y = ajminus1 a1a0 to the integer i = ajminus12jminus1+middot middot middot+ a12 + a0
ndash strj(i) Map the integer i = ajminus12jminus1 + middot middot middot+a12+a0 lt 2j to the j-bit stringajminus1 a1a0
ndash incm(X) The function which adds one modulo 2m to X when viewed as aninteger incm(X) = strm(int(X) + 1 mod 2m)
ndash msbj(X) j most significant bits of X msbj(aiminus1 a1a0) = aiminus1 aaminusj ndash lsbj(X) j least significant bits of X lsbj(aiminus1 a1a0) = ajminus1 a0ndash F larr E(Cmiddot) Define F (X) = E(CX) where C is fixed as constant
ndash a= b Evaluate to gt if a equals b and perp otherwise
22 AE Separated AE and TBC
An authenticated encryption scheme is a symmetric key algorithm that providesboth confidentiality and authenticity Bellare and Namprempre [3] defined theformal notion of authenticated encryption as follows
Definition 1 (AE [3]) An AE scheme consists of a pair of functions theencryption function Enc and the decryption function Dec
Enc K timesN timesAtimesMrarr CDec K timesN timesAtimes C rarrMcup perp
with K the key space N the nonce space A the associated data space M themessage space C the ciphertext space and perp an error symbol not contained inM which represents verification failure It must be the case that for all K isin KN isin N A isin A and M isinM
DecNK(AEncNK(AM)) = M
The decryption process typically has two phases plaintext computation andverification the plaintext obtained from decryption is only given out after suc-cessful verification However keeping the full plaintext in memory can be an issuefor constrained devices and side-channel attacks can potentially recover infor-mation about the plaintext while it is decrypted Therefore new models havebeen introduced to take into account the effect of releasing unverified plaintextIn particular Andreeva et al [1] defined separated AE schemes where the plain-text computation is disconnected from verification in this model the decryptionfunction always releases the plaintext without verifying it Formally a separatedAE scheme is defined as
Definition 2 (separated AE [1]) A separated AE scheme consists of a tripletof functions the encryption function SEnc the decryption function SDec andthe verification function SVer where
SEnc K timesN timesAtimesMrarr CSDec K timesN timesAtimes C rarrM
SVer K timesN timesAtimes C rarr gtperp
5
with K the key space N the nonce space A the associated data space M themessage space C the ciphertext space The special symbols gt and perp indicate thesuccess and failure of the verification respectively It must be the case that forall K isin K N isin N A isin A and M isinM
SDecNK(ASEncNK(AM)) = M and SVerNK(ASEncNK(AM)) = gt
Finally we need to introduce the notion of tweakable block cipher (TBC)which is used in GCM-RUP A tweakable block cipher is a generalization of ablock cipher with an additional tweak input generating a family of independentblock ciphers [21]
Definition 3 (TBC [21]) A TBC could be regarded as a pair of functions(ED) with
E K times T times X rarr X D K times T times X rarr X
where K is the key space T is the tweak space and X is the domain For allK isin K T isin T and X isin X ETK is a permutation of X with DTK as inverse and
DTK(ETK(X)) = X
3 Brief Description of GCM-RUP [2]
Ashur Dunkelman and Luykx proposed a generic construction of an efficientseparated AE scheme at CRYPTOrsquo17 [2] Their construction uses an encryptionscheme and a TBC and achieves security in the RUP setting assuming that theencryption scheme is strongly indistinguishable-from-random-bits (SRND) [1332] and the TBC is a strong pseudorandom permutation (SPRP) [32] Basedon the generic construction a dedicated instantiation GCM-RUP is built usingAES-GCMrsquos primitives This section will describe this construction and GCM-RUP
31 Generic Construction with RUP Security [2]
Let (EncDec) be an encryption scheme (without authentication) with K the keyspace N the nonce spaceM the message space and C the ciphertext space Let(ED) denote a TBC with key space L tweak space T = C and domain X = N Then define the separated AE scheme (SEncSDecSVer) as follows
SEncNKL(AM) =(S = EACL (N) C = EncNK(αM)
)
SDecKL(ASC) = lsb|C|minusτ (DecDAC
L (S)K (C))
SVerKL(ASC) = msbτ (DecDAC
L (S)K (C))
= α
6
where (KL) isin KtimesL is the key N is the nonce space A is the associated dataspaceM is the message space N timesC is the ciphertext space and α isin 0 1τ issome pre-defined constant The construction is depicted in Fig 1 The proceduresof encryption decryption and verification are illustrated in Fig 1 (a) (b) and(c) respectively
The novelty of the generic construction is that the nonce is encrypted usingthe ciphertext as a tweak This provides security in the RUP setting becauseif an attacker modifies the ciphertext or the encrypted nonce the decryptionoracle will output a random plaintext The authentication security comes fromthe redundancy in the plaintext with the pre-defined constant α (known byboth sides) the length of α determines the security level In order to maintainsecurity up to the birthday bound on the block size the size of α and the noncesize are fixed to be the same as the block size n
32 GCM-RUP [2]
GCM-RUP is an instantiation of the generic construction using the counter mode(CTR) for encryption and the XTX construction [24] with GHASH for the tweak-able block cipher It reuses the component of GCM in order to benefit from theefficient implementations available while offering more robustness with securityin the RUP setting Before describing GCM-RUP itself we first define the prim-itives borrowed from GCM Let n denote the block length of the available blockcipher in this case n = 128
The first one is the universal hash function GHASH which takes a key H andtwo strings M and M prime as input (in GCM GHASH is used in the Wegman-Carterconstruction to build a MAC [34]) The core of GHASH is defined with a singlestring M constituted of full blocks and evaluates a polynomial defined from Mat H as follows
GHASHcoreH(M) =
|M |nminus1oplusi=0
M [i] middotH |M |nminusi (1)
The symbol ldquomiddotrdquo represents multiplication in the Galois field GF (2n) All thecomputations are performed by the rule of operations defined in finite fieldGHASH is defined from GHASHcore it takes two strings M and M prime as inputzero-pads and concatenates them and adds the binary representation of thelengths of M and M prime before processing the result through GHASHcore
GHASHH(MM prime) = GHASHcoreH(M0lowastnM prime0lowastnstrn2(|M |)strn2(|M prime|))
where the function strj(i) maps the integer i = ajminus12jminus1 + middot middot middot+ a12 + a0 lt 2j
to the j-bit string ajminus1 a1a0 Algorithm 1 describes the procedure of thefunction
The second important auxiliary function is the CTR mode Given a countervalue X a positive integer m and a predefined keyed function F as input thisfunction CTR[F ](Xm) outputs a string S with m blocks Each block of S is
7
N M
S C
α
(a) Encryption
S C
EL
EncK
DL
DecK
M
lsb|C|-τ
(b) Decryption
S C
DL
DecK
msbτ
(c) Verification
α
A
A A
Fig 1 Generic Construction with RUP Security
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
EncK1
EK2K3
G
In
Out
Fig 2 GCM-RUP (Figure from [2])
8
Algorithm 1 GHASHH(MM prime)
Input H isin 0 1n M isin 0 1len(2n2minus1) M prime isin 0 1len(2
n2minus1)
Output Y isin 0 1n1 X larrM0lowastnM prime0lowastnstrn2(|M |)strn2(|M prime|)2 X[1]X[2] X[x]
nlarrminus X3 Y larr 0n
4 for 1 le j le x do5 Y larr H middot (Y oplusX[j])6 end for7 return Y
computed by S[i] = F (incix(X)) where incx represents counter incrementationadding one modulo 2x to X with the convention that incix represents i successiveimplementations The CTR mode is defined in Algorithm 2
Algorithm 2 CTR[F ](Xm)
Input F 0 1x rarr 0 1n X isin 0 1x m isin NOutput S isin 0 1mn1 I larr X2 for 1 le j le m do3 S[j]larr F (I)4 I larr incx(I)5 end for6 S larr S[1]S[2] S[m]7 return S
Finally GCM-RUP uses three keys K1 is used for the CTR encryption andK2 and K3 are used for the TBC following the XTX construction (K2 is usedfor GHASH and K3 is used for the underlying block cipher call) GCM-RUPencrypts a message M together with its associated data A and a nonce N intoa ciphertext C and an encrypted nonce S The associated data the message andthe ciphertext are all seen as sequences of blocks of length n GCM-RUP followsthe generic construction given above and is described in Fig 2 with pseudocodein Algorithm 3 (with ε an empty string) In the figure EncK1
corresponds toCTR mode encryption and EK2K3
to the TBC
As an instantiation of the generic construction with RUP security GCM-RUPis secure under RUP setting More precisely GCM-RUP can provide security upto the birthday bound on the block size (because this is the security of theunderlying AE scheme and TBC)
9
Algorithm 3 GCM-RUPK1K2K3(NAM)
Input K1K2K3 isin 0 13n A isin 0 1n232
M isin 0 1n232
Output (SC) isin 0 1n times 0 1τ+|M|1 M larr 0τM2 Llarr EK1(0n)3 I larr GHASHL(εN)4 mlarr |M |n5 F larr EK1(msb96(I)middot)6 S larr CTR[F ](inc32(lsb32(I))m)7 C larrM oplusmsb|M|(S)8 Glarr GHASHK2(AC)9 S larr EK3(N oplusG)oplusG
10 return (SC)
4 Partial Authentication Key Recovery for GCM-RUP
Our analysis focuses on the GHASHK2function which can be written as a poly-
nomial in K2 In this section we analyze properties of GHASHK2 which are thenused to recover K2 After recovering K2 it is possible to perform a forgery attackfor GCM-RUP
The main property used in our attacks is that G the output of GHASHK2as
defined in Fig 2 is linearly dependent on the input (AC) for fixed K2 There-fore the output difference ∆G of values G emerging in encryption operationsof two input tuples (N1 AM) and (N2 AM) is independent of the value of(AM) and is only a function of N1 and N2
Based on this property we retrieve K2 with the following two steps
ndash For a fixed associated data and message we search for a pair of nonces(N1 N2) which produce a collision for the input of EK3
using a birthdayattack For such pair of nonces (N1 N2) ∆G = N1 oplusN2 = S1 oplus S2
ndash With a known∆G a polynomial equation inK2 is derived from the GHASHK2
definition Then K2 can be retrieved by solving this equation
In this section we will give the detailed description of the recovery of K2
41 Properties of GHASH
Let Π = (SEncSDecSVer) denote the scheme GCM-RUP We focus on thecomponent GHASHK2
with inputs the associated data A and the ciphertext CIn order to clearly describe the attack we rewrite GHASHK2
as
G = GHASHK2(AC) = GHASHcoreK2(ACstrn2(|A|)strn2(|C|))
According to the definition of GHASHcore given by Equation (1) G is linear inthe GHASHcore input (ACstrn2(|A|)strn2(|C|)) for a fixed K2 Thereforewe consider the difference ∆G in the output of GHASHK2
for a pair of inputs
10
Property 1 When processing a fixed associated data A and message M un-der two distinct nonces (N1 N2) with GCM-RUP the output difference ∆G ofGHASHK2 is only dependent on N1 and N2 but independent on A and M Thisalso holds for the input difference of EK3
Proof For two tuples (N1 AM) and (N2 AM) query SEnc and get
(S1 C1)larr GCM-RUP(N1 AM)
(S2 C2)larr GCM-RUP(N2 AM)
Let G1 and G2 represent the corresponding outputs of the function GHASHK2
in the encryptions under nonces N1 and N2 respectively
G1 = GHASHK2(AC1)
G2 = GHASHK2(AC2)
where
C1 = (0τM)oplus EncK1(N1)
C2 = (0τM)oplus EncK1(N2)
the function EncK1is defined in the upper dotted box in Fig 2 Hence
∆G = G1 oplusG2
= GHASHK2(AC1)oplus GHASHK2
(AC2)(2)
From the definition of GHASH we have
∆G = GHASHcoreK2
(AoplusAC1 oplus C2
(strn2(|A|)strn2(|C1|))oplus (strn2(|A|)strn2(|C2|)))
= GHASHcoreK2(0|A|∆C0n)
= GHASHcoreK2(0|A|EncK1
(N1)oplus EncK1(N2)0n)
(3)
which shows that the output difference of the function GHASHK2depend only
on N1 and N2 for two tuples (N1 AM) and (N2 AM) The input differenceof EK3
can be computed as
∆In = N1 oplusN2 oplus∆G= N1 oplusN2 oplus GHASHcoreK2(0|A|∆C0n)
(4)
so it is also independent of A and M 2
In particular if we can recover a value ∆G we can then extract K2 bysolving a polynomial equation given the ciphertext difference∆C and the outputdifference ∆G
∆G = GHASHcoreK2(0|A|∆C0n)
11
For simplicity we assume that |M | = n and τ = n this implies |C1| = |C2| = 2n
∆G = ∆C[0] middotK32 oplus∆C[1] middotK2
2
This a polynomial equation in K2 in the Galois field with 2128 elements Luckilythere are efficient algorithm to factor polynomials over finite fields For instancethe Cantor-Zassenhaus algorithm [5] requires O(n2(log(r) log(q) + n)) field op-erations to factor a degree-n polynomial with r irreducible factors over a fieldwith q elements In practice with the parameters used here this takes negligibletime using the implementation of SageMath [40]
42 Recovering K2 from Inner Collisions
As explained earlier the first step of the attack is to identify collisions in theinput of EK3 defined as In = N oplus G Following the analysis above we startwith a fixed associated data A and message M and query SEnc for q differentnonces to receive the corresponding encrypted nonces S and ciphertexts C
In order to simplify the description we focus on the value In and we considerthe function mapping NAM to In denoted as PEnc and represented by Fig 3The output values of PEnc can not be accessed by the attacker but collisions inPEnc can be detected As for In and the output Out of EK3
In = N oplusGOut = S oplusG
When the collisions happen ∆In = ∆Out = 0 which means
N1 oplusN2 oplusG1 oplusG2 = 0
S1 oplus S2 oplusG1 oplusG2 = 0
Thus N1 oplus N2 = S1 oplus S2 = ∆G If the collisions ∆N = ∆S can be detectedthe collisions in PEnc can be detected Meanwhile this type of collisions give outthe value of ∆G which can be used to recover K2 Moreover the correspondingpairs can be identified efficiently We just build a list of all nonces indexed byNi oplus Si sort the list and look for collisions each collision corresponds to a pairwith N1 oplus S1 = N2 oplus S2 ie N1 oplusN2 = S1 oplus S2 We now consider the converseand evaluate the probability of a collision in PEnc when N1 oplusN2 = S1 oplus S2
We formally define the two events as X and Y
ndash X (N1 oplusN2 = S1 oplus S2) the event identifying pairs of nonces (N1 N2) withthe input difference equal to the output difference of EK3
which is calledouter collision (equivalently it can be defined as ∆In = ∆Out)
ndash Y (∆In = 0) the event identifying pairs of nonces with collision in PEncie zero input difference for EK3
which is called inner collision
First we observe that Y sube X because if ∆In = 0 then ∆Out = 0 andN1 oplusN2 = S1 oplus S2 = ∆G Therefore we have
Pr[Y |X] =Pr[Y ]
Pr[X]
12
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GHA
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
G
In
PEnc
N A M
In
Fig 3 Representation of the Function PEnc
Moreover we have Pr[Y ] = 2minusn because the output of PEnc with a freshnonce is random assuming that E is a PRF In order to compute Pr[X] weconsider two cases depending on event Y
1 ∆In = 0 Then we have necessarily ∆Out = 0 ie Pr[X|∆In = 0] = 12 ∆In 6= 0 A pair with non-zero input difference must produce a non-zero
output difference Assuming that E is a PRF we have Pr[X|∆In 6= 0] =1
2nminus1
Therefore
Pr(X) =Pr[∆In = ∆Out]
=Pr[∆In = ∆Out|∆In = 0]times Pr[∆In = 0]+
Pr[∆In = ∆Out|∆In 6= 0]times Pr[∆In 6= 0]
=1times 1
2n+
1
2n minus 1times 2n minus 1
2n
=1
2nminus1
(5)
Finally we can conclude
Pr[∆In = 0|N1 oplusN2 = S1 oplus S2] =2minusn
2minusn+1=
1
2 (6)
Attack Procedure We can now give the detailed procedure to recover K2
1 Choose an arbitrary associated data A and a single-block message M thenquery SEnc for q different nonces N and receive the corresponding encrypted
13
nonces S and ciphertexts C save them in a table indexed by N oplus S Witha suitable value of q (in the order of 2n2) there are two pairs of nonces(N1 N2) satisfying N1 oplusN2 = S1 oplus S2 one of which is expected to furthersatisfy ∆In = 0
2 For each pair with N1 oplus N2 = S1 oplus S2 assuming that ∆In = 0 we have∆G = ∆S and we obtain a cubic polynomial equation with unknown variableK2 which can be solved with factoring tools
∆S = GHASHcoreK2(0|A|∆C0n) = ∆C[0] middotK32 oplus∆C[1] middotK2
2
3 Identify the correct candidate for K2 with forgery attempts
Using two pairs of nonces this attack suggests a small set of six key candi-dates The correct key can be identified with forgery attempts or by using morepairs and looking for a repeated key candidate
More precisely we will describe how to construct a forgery with known can-didate of K2 for GCM-RUP in Section 5 for a given message which can be usedto filter the correct K2 There would be two cases
ndash If the forgery is constructed under the correct candidate for K2 it can passthe verification algorithm of GCM-RUP
ndash If the forgery is constructed under the wrong candidate for K2 it will receivea failure of the verification of GCM-RUP
We only need to query the verification oracle SVer six times to identify thecorrect K2 The cost for this step is negligible
Complexity Estimation As already mentioned the probability of two ran-dom nonces N1 and N2 satisfying ∆In = 0 is 2minus128 Starting from a set of qqueries we can evaluate the probability p of finding an inner collision followingthe analysis of the birthday paradox
p 1minus eminusq2(2times2128)
Thus
q radic
2times 2128 ln1
1minus p
Table 1 shows number of nonces needed to achieve the given probability ofsuccess
43 Experimental Verification with Mini-GCM-RUP
In order to verify our attack theory we use a mini version of GCM-RUP con-structed with the 16-bit block cipher 4-round Mini-AES [28] to experimentallyrecover K2 This experiment identifies pairs of nonces in event X and Y from29 random nonces and recover K2 with SageMath We execute this experimentseveral times to give some results to show the validity of probabilities of eventX and Y in our paper the detail is listed in Table 2
In this table we see that probabilities of event X and Y conform to Equation(5) and (6) respectively The complexity of this experiment is dominated by 29
14
Table 1 Number of Nonces Needed to Achieve the Given Success Probability
Number of nonces to identify inner collision Probability of finding inner collision
263 11264 39265 86266 999
Table 2 Experimental Verification with Mini-GCM-RUP
(K1K2K3) Pair of nonces in X ∆In Pr(X) Pr(Y |X)
(0x3d0e0x2afc0x2e91)(0x27040x0889) 0 1
281
(0x76490x7b0d) 0
(0x4ef30x454b0x1e9a)
(0x23230x602d) 0
729
37
(0x11b70x2b2e) 0x0af7(0x7bab0x3a72) 0(0x12150x1e05) 0xa3b5(0x65930x093d) 0xbce8(0x09bd0x2db2) 0x03cf(0x7d350x5e97) 0
(0x53880x26410x7a4f)
(0x0ba90x46f5) 0x5393
328
12
(0x684d0x5786) 0(0x334c0x22e1) 0x0636(0x44870x13f0) 0(0x54130x03d8) 0(0x5a910x179f) 0x0c06
(0x56910x2ee90x5a68)(0x38740x7546) 0x3fcb 1
2812(0x44b00x4323) 0
15
5 Universal Forgery Attack of GCM-RUP
In this section we will construct forgeries for GCM-RUP given a candidate forK2 We consider a challenge message Mlowast (and possibly a challenge associateddata Alowast) and our goal is to construct a valid ciphertext for Mlowast
51 Almost Universal Forgery Attack
The first forgery attack makes only one query to the encryption oracle SEnc andthen constructs a forgery by solving an equation over GF (2128)
For an arbitrary nonce N associated data A and message M (with |M | =|Mlowast|) query (NAM) and receive the corresponding ciphertext (SC) LetG = GHASHK2
(AC) and the keystream used to XOR message is computed by
EncK1(N) = C oplus (0τM)
We create a valid encryption of Mlowast by reusing the same nonce N and the valuesG and S
First we compute Clowast corresponding to Mlowast
Clowast = 0τMlowast oplus EncK1(N)
= 0τMlowast oplus (C oplus 0τM)(7)
Then we construct Aprime such that
GHASHK2(Aprime Clowast) = GHASHK2
(AC)
where A C Clowast and K2 are known This gives a linear equation over GF (2128)which can easily be solved assuming that |Aprime| ge 128 and K2 6= 0
To summarize for any chosen message Mlowast we can give a successful forgery(AprimeMlowast Sprime C prime) satisfying (Sprime = SC prime = 0τMlowastoplus(Coplus0τM)) This is an almostuniversal forgery because we can choose Mlowast freely but not Aprime
52 Universal Forgery Attack
Alternatively we can design an attack where we choose both Alowast and Mlowast using2n2 queries First we make 2n2 queries (Ni AM) for fixed A and M with|M | = |Mlowast| and receive the corresponding (Si Ci) Since K2 is known we cancompute Gi = GHASH(ACi) and recover the corresponding inputs and outputsto EK3
EK3(Ni oplusGi) = Si oplusGi
Then we can use the same nonces Ni to build a forgery For each Ni webuild the corresponding C primei from Mlowast and Ci as above and we check whetherNioplusGHASH(Alowast C primei) is in the set of known inputs to EK3
With high probabilityone of the nonces will result in a match Ni oplus GHASH(Alowast C primei) = Nj oplus Gj andwe deduce a forgery using Sprime = Sj oplusGj oplus GHASH(Alowast C primei)
16
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
K4E
Fig 4 A Variant for GCM-RUP
17
6 Variant of GCM-RUP
Our forgery attack against GCM-RUP highlights a potential weakness on thestructure of GCM-RUP the output difference of the function GHASHK2
canbe recovered with birthday complexity and this leads to a recovery of K2 Inorder to prevent this attack we suggest to add a block cipher call in the TBCconstruction used in GCM-RUP as shown in Fig 4 to avoid leakage of theoutput difference of the function GHASHK2
This modified TBC still follows the XTX construction of Iwata and Mine-matsu [24] using universal hash function EK4
(GHASHK2(AC)) instead of the
original GHASHK2(AC) The new universal hash function has the same security
bounds but does not leak the key from an output difference Thus the securityproof of GCM-RUP is still applicable to this variant But we do not provide aformal security proof The extra block cipher has a limited impact on efficiencyand might offer better security by avoiding our attack
More generally the modified GHASH could replace GHASH in other designsIn particular the corresponding modification of GCM would prevent the uni-versal forgery attack with complexity 22n3 given in [20] We believe that thisconstruction is worth further study Further work will be needed to determinewhether this modification actually provides extra security and how much
7 Conclusion
This paper shows a birthday-bound attack against GCM-RUP [2] using innercollisions to recover the output difference of the function GHASHK2
Hence K2
can be retrieved by solving a polynomial equation and this directly leads toa universal forgery attack against GCM-RUP This forgery attack shows thatthe construction of GCM-RUP breaks drastically when the security bound isreached This is surprising because no such attack is known on GCM the bestknown universal forgery attack requires 22n3 operations
Finally a minor modification of GCM-RUP is suggested to prevent this kindof attack using an additional block cipher to protect the output of GHASHWith little performance loss this design focusing on GHASH can be applied toall GHASH-based designs
In a more general setting our attack technique can be applied to the LRWconstruction [21] with a polynomial universal hash function as used in OCB forinstance Actually the corresponding attack on OCB would match the previousattack by Ferguson [9]
8 Acknowledgement
This work was supported by the National Natural Science Foundation of Chinaunder Grant Nos 61572293 and 61602276 National Cryptography DevelopmentFoundation of China under Grant No MMJJ20170102 Major Scientific andTechnological Innovation Projects of Shandong Province China under Grant
18
No 2017CXGC0704 Natural Science Foundation of Shandong Province Chinaunder Grant No ZR2016FM22
References
1 Andreeva E Bogdanov A Luykx A Mennink B Mouha N Yasuda K How toSecurely Release Unverified Plaintext in Authenticated Encryption In Sarkar PIwata T (Eds) ASIACRYPT 2014 PART I LNCS 8873 pp 105ndash125 Springer
2 Ashur T Dunkelman O Luykx A Boosting Authenticated Encryption Robust-ness with Minimal Modifications In Katz J Shacham H (Eds) CRYPTO 2017Part III LNCS 10403 pp 3-33 Springer
3 Bellare M Namprempre C Authenticated Encryption Relations among Notionsand Analysis of the Generic Composition Paradigm In Okamoto T (Eds) ASI-ACRYPT 2000 LNCS 1976 pp 531ndash545 Springer
4 Bhargavan K Leurent G On the practical (in-)security of 64-bit block ciphersCollision attacks on HTTP over TLS and OpenVPN In Weippl ER Katzen-beisser S Kruegel C Myers AC Halevi S (eds) ACM CCS 2016 pp 456ndash467ACM Press (Oct 2016)
5 Cantor DG Zassenhaus H A new algorithm for factoring polynomials overfinite fields Mathematics of Computation pp 587ndash592 (1981)
6 Chaigneau C Gilbert H Is AEZ v41 sufficiently resilient against key-recoveryattacks IACR Trans Symm Cryptol 2016(1) 114ndash133 (2016) httptosc
iacrorgindexphpToSCarticleview538
7 Dierks T Allen C RFC 2246 - The TLS Protocol Version 10 Internet ActivitiesBoard (Jan 1999)
8 Dworkin M Recommendation for Block Cipher Modes of Operation Ga-loisCounter Mode (GCM) and GMAC National Institute of Standards and Tech-nology SP 800-38D November 2007
9 Ferguson N Collision attacks on OCB Comment to NIST (Feb 2002)
10 Fuhr T Leurent G Suder V Collision attacks against CAESAR candidates -forgery and key-recovery against AEZ and Marble In Iwata T Cheon JH (eds)ASIACRYPT 2015 Part II LNCS vol 9453 pp 510ndash532 Springer Heidelberg(Nov Dec 2015)
11 Gligor V Donescu P Fast Encryption and Authentication XCBC Encryptionand XECB Authentication Modes In Matsui M (Eds) FSE 2001 LNCS 2355pp 92-108 Springer
12 Gueron S Lindell Y GCM-SIV Full Nonce Misuse-Resistant Authenticated En-cryption at Under One Cycle per Byte In Ray I Li N Kruegel C (Eds) Pro-ceedings of the 22nd ACM SIGSAC Conference on Computer and CommunicationsSecurity Denver CO USA 12ndash16 October 2015 pp 109-119 ACM (2015)
13 Halevi S Rogaway P A Parallelizable Enciphering Mode In Okamoto T (Eds)CT-RSA 2004 LNCS 2964 pp 292ndash304 Springer
14 Hoang VT Krovetz T Rogaway P Robust Authenticated-Encryption AEZ andthe Problem That It Solves In Oswald E Fischlin M (eds) EUROCRYPT 2015LNCS vol 9056 pp 15-44 Springer Berlin Heidelberg
15 Inoue A Iwata T Minematsu K Poettering B Cryptanalysis of OCB2 At-tacks on Authenticity and Confidentiality In Boldyreva A Micciancio D (eds)CRYPTO 2019 LNCS vol 11692 Springer Cham
19
16 Iwata T Ohashi K Minematsu K Breaking and repairing GCM securityproofs In Safavi-Naini R Canetti R (eds) CRYPTO 2012 LNCS vol 7417pp 31ndash49 Springer Heidelberg (Aug 2012)
17 Joux A Comments on the Draft GCM Specification - Authentication Fail-ures in NIST Version of GCM httpcsrcnistgovgroupsSTtoolkitBCMdocumentscomments800-38Series-DraftsGCMJouxcommentspdf
18 Jutla C Encryption Modes with Almost Free Message Integrity In Pfitzmann B(Eds) EUROCRYPT 2001 LNCS 2045 pp 529-544 Springer
19 Leurent G Peyrin T Wang L New generic attacks against hash-based MACsIn Sako K Sarkar P (eds) ASIACRYPT 2013 Part II LNCS vol 8270 pp1ndash20 Springer Heidelberg (Dec 2013)
20 Leurent G Sibleyras F The missing difference problem and its applications tocounter mode encryption In Nielsen JB Rijmen V (eds) EUROCRYPT 2018Part II LNCS vol 10821 pp 745ndash770 Springer Heidelberg (Apr May 2018)
21 Liskov M Rivest RL Wagner D Tweakable Block Ciphers In Yung M (Eds)CRYPTO 2002 LNCS 2442 pp 31-46 Springer
22 Luykx A Preneel B Optimal forgeries against polynomial-based MACs andGCM In Nielsen JB Rijmen V (eds) EUROCRYPT 2018 Part I LNCS vol10820 pp 445ndash467 Springer Heidelberg (Apr May 2018)
23 McGrew D Viega J The Security and Performance of the GaloisCounter Mode(GCM) of Operation In Canteaut A Viswanathan K (eds) INDOCRYPT 2004LNCS vol 3348 pp 343-355 Springer Berlin Heidelberg
24 Minematsu K Iwata T Tweak-length extension for tweakable blockciphers InGroth J (ed) 15th IMA International Conference on Cryptography and CodingLNCS vol 9496 pp 77ndash93 Springer Heidelberg (Dec 2015)
25 Mitchell CJ On the security of XCBC TMAC and OMAC Technical Re-port RHUL-MA-2003-4 19 August 2003 Available at httpwwwrhulac
ukmathematicstechreports Also available from NISTrsquos web page at http
csrcnistgovCryptoToolkitmodescomments
26 Nandi M Bernstein bound on WCS is tight - repairing Luykx-Preneel optimalforgeries In Shacham H Boldyreva A (eds) CRYPTO 2018 Part II LNCSvol 10992 pp 213ndash238 Springer Heidelberg (Aug 2018)
27 Peyrin T Wang L Generic universal forgery attack on iterative hash-basedMACs In Nguyen PQ Oswald E (eds) EUROCRYPT 2014 LNCS vol 8441pp 147ndash164 Springer Heidelberg (May 2014)
28 Phan R CW Mini Advanced Encryption Standard (Mini-AES) A Testbed forCryptanalysis Students In Cryptologia XXVI (4) 2002 httpsstaffguilanacirstaffusersrebrahimifckeditor_repofilemini-aes-specpdf
29 Preneel B van Oorschot PC On the security of two MAC algorithms In Mau-rer UM (ed) EUROCRYPTrsquo96 LNCS vol 1070 pp 19ndash32 Springer Heidelberg(May 1996)
30 Rogaway P Bellare M Black J OCB A Block-Cipher Mode of Operation forEfficient Authenticated Encryption Transactions on Information and System Se-curity Vol 6 No 3 August 2003 pp 365-403
31 Rogaway P Shrimpton T A Provable-Security Treatment of the Key-WrapProblem In Vaudenay S (Eds) EUROCRYPT 2006 LNCS 4004 pp 373-390Springer
32 Shrimpton T Terashima RS A Modular Framework for Building Variable-Input-Length Tweakable Ciphers In Sako K Sarkar P (Eds) ASIACRYPT 2013 PartI LNCS 8269 pp 405ndash423 Springer
20
33 Sung J Hong D Lee S Key recovery attacks on the RMAC TMAC andIACBC In Safavi-Naini R Seberry J (eds) ACISP 03 LNCS vol 2727 pp265ndash273 Springer Heidelberg (Jul 2003)
34 Wegman MN Carter L New Hash Functions and Their Use in Authenticationand Set Equality Journal of Computer and System Sciences 22 265-279 (1981)
35 The CAESAR committee CAESAR Competition for Authenticated EncryptionSecurity Applicability and Robustness httpcompetitionscryptocaesarhtml
36 IEEE Standard for Local and Metropolitan Area Networks Media Access Control(MAC) Security IEEE Std 8021AE-2006 (2006)
37 Information Technology - Security Techniques - Authenticated EncryptionISOIEC 197722009 International Standard ISOIEC 19772 (2009)
38 NIST Lightweight Cryptography httpscsrcnistgovProjects
Lightweight-Cryptography
39 National Security Agency Internet Protocol Security (IPsec) Minimum EssentialInteroperability Requirements IPMEIR Version 100 Core (2010) httpwwwnsagoviaprogramssuitebcryptographyindexshtml
40 Sage Documentation SageMath Help httpwwwsagemathorg
21
- Universal Forgery Attack against GCM-RUP
- Yanbin Li Gaeumltan Leurent Meiqin Wang Wei Wang Guoyan Zhang Yu Liu
-
ndash int(Y ) Map the j bits string Y = ajminus1 a1a0 to the integer i = ajminus12jminus1+middot middot middot+ a12 + a0
ndash strj(i) Map the integer i = ajminus12jminus1 + middot middot middot+a12+a0 lt 2j to the j-bit stringajminus1 a1a0
ndash incm(X) The function which adds one modulo 2m to X when viewed as aninteger incm(X) = strm(int(X) + 1 mod 2m)
ndash msbj(X) j most significant bits of X msbj(aiminus1 a1a0) = aiminus1 aaminusj ndash lsbj(X) j least significant bits of X lsbj(aiminus1 a1a0) = ajminus1 a0ndash F larr E(Cmiddot) Define F (X) = E(CX) where C is fixed as constant
ndash a= b Evaluate to gt if a equals b and perp otherwise
22 AE Separated AE and TBC
An authenticated encryption scheme is a symmetric key algorithm that providesboth confidentiality and authenticity Bellare and Namprempre [3] defined theformal notion of authenticated encryption as follows
Definition 1 (AE [3]) An AE scheme consists of a pair of functions theencryption function Enc and the decryption function Dec
Enc K timesN timesAtimesMrarr CDec K timesN timesAtimes C rarrMcup perp
with K the key space N the nonce space A the associated data space M themessage space C the ciphertext space and perp an error symbol not contained inM which represents verification failure It must be the case that for all K isin KN isin N A isin A and M isinM
DecNK(AEncNK(AM)) = M
The decryption process typically has two phases plaintext computation andverification the plaintext obtained from decryption is only given out after suc-cessful verification However keeping the full plaintext in memory can be an issuefor constrained devices and side-channel attacks can potentially recover infor-mation about the plaintext while it is decrypted Therefore new models havebeen introduced to take into account the effect of releasing unverified plaintextIn particular Andreeva et al [1] defined separated AE schemes where the plain-text computation is disconnected from verification in this model the decryptionfunction always releases the plaintext without verifying it Formally a separatedAE scheme is defined as
Definition 2 (separated AE [1]) A separated AE scheme consists of a tripletof functions the encryption function SEnc the decryption function SDec andthe verification function SVer where
SEnc K timesN timesAtimesMrarr CSDec K timesN timesAtimes C rarrM
SVer K timesN timesAtimes C rarr gtperp
5
with K the key space N the nonce space A the associated data space M themessage space C the ciphertext space The special symbols gt and perp indicate thesuccess and failure of the verification respectively It must be the case that forall K isin K N isin N A isin A and M isinM
SDecNK(ASEncNK(AM)) = M and SVerNK(ASEncNK(AM)) = gt
Finally we need to introduce the notion of tweakable block cipher (TBC)which is used in GCM-RUP A tweakable block cipher is a generalization of ablock cipher with an additional tweak input generating a family of independentblock ciphers [21]
Definition 3 (TBC [21]) A TBC could be regarded as a pair of functions(ED) with
E K times T times X rarr X D K times T times X rarr X
where K is the key space T is the tweak space and X is the domain For allK isin K T isin T and X isin X ETK is a permutation of X with DTK as inverse and
DTK(ETK(X)) = X
3 Brief Description of GCM-RUP [2]
Ashur Dunkelman and Luykx proposed a generic construction of an efficientseparated AE scheme at CRYPTOrsquo17 [2] Their construction uses an encryptionscheme and a TBC and achieves security in the RUP setting assuming that theencryption scheme is strongly indistinguishable-from-random-bits (SRND) [1332] and the TBC is a strong pseudorandom permutation (SPRP) [32] Basedon the generic construction a dedicated instantiation GCM-RUP is built usingAES-GCMrsquos primitives This section will describe this construction and GCM-RUP
31 Generic Construction with RUP Security [2]
Let (EncDec) be an encryption scheme (without authentication) with K the keyspace N the nonce spaceM the message space and C the ciphertext space Let(ED) denote a TBC with key space L tweak space T = C and domain X = N Then define the separated AE scheme (SEncSDecSVer) as follows
SEncNKL(AM) =(S = EACL (N) C = EncNK(αM)
)
SDecKL(ASC) = lsb|C|minusτ (DecDAC
L (S)K (C))
SVerKL(ASC) = msbτ (DecDAC
L (S)K (C))
= α
6
where (KL) isin KtimesL is the key N is the nonce space A is the associated dataspaceM is the message space N timesC is the ciphertext space and α isin 0 1τ issome pre-defined constant The construction is depicted in Fig 1 The proceduresof encryption decryption and verification are illustrated in Fig 1 (a) (b) and(c) respectively
The novelty of the generic construction is that the nonce is encrypted usingthe ciphertext as a tweak This provides security in the RUP setting becauseif an attacker modifies the ciphertext or the encrypted nonce the decryptionoracle will output a random plaintext The authentication security comes fromthe redundancy in the plaintext with the pre-defined constant α (known byboth sides) the length of α determines the security level In order to maintainsecurity up to the birthday bound on the block size the size of α and the noncesize are fixed to be the same as the block size n
32 GCM-RUP [2]
GCM-RUP is an instantiation of the generic construction using the counter mode(CTR) for encryption and the XTX construction [24] with GHASH for the tweak-able block cipher It reuses the component of GCM in order to benefit from theefficient implementations available while offering more robustness with securityin the RUP setting Before describing GCM-RUP itself we first define the prim-itives borrowed from GCM Let n denote the block length of the available blockcipher in this case n = 128
The first one is the universal hash function GHASH which takes a key H andtwo strings M and M prime as input (in GCM GHASH is used in the Wegman-Carterconstruction to build a MAC [34]) The core of GHASH is defined with a singlestring M constituted of full blocks and evaluates a polynomial defined from Mat H as follows
GHASHcoreH(M) =
|M |nminus1oplusi=0
M [i] middotH |M |nminusi (1)
The symbol ldquomiddotrdquo represents multiplication in the Galois field GF (2n) All thecomputations are performed by the rule of operations defined in finite fieldGHASH is defined from GHASHcore it takes two strings M and M prime as inputzero-pads and concatenates them and adds the binary representation of thelengths of M and M prime before processing the result through GHASHcore
GHASHH(MM prime) = GHASHcoreH(M0lowastnM prime0lowastnstrn2(|M |)strn2(|M prime|))
where the function strj(i) maps the integer i = ajminus12jminus1 + middot middot middot+ a12 + a0 lt 2j
to the j-bit string ajminus1 a1a0 Algorithm 1 describes the procedure of thefunction
The second important auxiliary function is the CTR mode Given a countervalue X a positive integer m and a predefined keyed function F as input thisfunction CTR[F ](Xm) outputs a string S with m blocks Each block of S is
7
N M
S C
α
(a) Encryption
S C
EL
EncK
DL
DecK
M
lsb|C|-τ
(b) Decryption
S C
DL
DecK
msbτ
(c) Verification
α
A
A A
Fig 1 Generic Construction with RUP Security
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
EncK1
EK2K3
G
In
Out
Fig 2 GCM-RUP (Figure from [2])
8
Algorithm 1 GHASHH(MM prime)
Input H isin 0 1n M isin 0 1len(2n2minus1) M prime isin 0 1len(2
n2minus1)
Output Y isin 0 1n1 X larrM0lowastnM prime0lowastnstrn2(|M |)strn2(|M prime|)2 X[1]X[2] X[x]
nlarrminus X3 Y larr 0n
4 for 1 le j le x do5 Y larr H middot (Y oplusX[j])6 end for7 return Y
computed by S[i] = F (incix(X)) where incx represents counter incrementationadding one modulo 2x to X with the convention that incix represents i successiveimplementations The CTR mode is defined in Algorithm 2
Algorithm 2 CTR[F ](Xm)
Input F 0 1x rarr 0 1n X isin 0 1x m isin NOutput S isin 0 1mn1 I larr X2 for 1 le j le m do3 S[j]larr F (I)4 I larr incx(I)5 end for6 S larr S[1]S[2] S[m]7 return S
Finally GCM-RUP uses three keys K1 is used for the CTR encryption andK2 and K3 are used for the TBC following the XTX construction (K2 is usedfor GHASH and K3 is used for the underlying block cipher call) GCM-RUPencrypts a message M together with its associated data A and a nonce N intoa ciphertext C and an encrypted nonce S The associated data the message andthe ciphertext are all seen as sequences of blocks of length n GCM-RUP followsthe generic construction given above and is described in Fig 2 with pseudocodein Algorithm 3 (with ε an empty string) In the figure EncK1
corresponds toCTR mode encryption and EK2K3
to the TBC
As an instantiation of the generic construction with RUP security GCM-RUPis secure under RUP setting More precisely GCM-RUP can provide security upto the birthday bound on the block size (because this is the security of theunderlying AE scheme and TBC)
9
Algorithm 3 GCM-RUPK1K2K3(NAM)
Input K1K2K3 isin 0 13n A isin 0 1n232
M isin 0 1n232
Output (SC) isin 0 1n times 0 1τ+|M|1 M larr 0τM2 Llarr EK1(0n)3 I larr GHASHL(εN)4 mlarr |M |n5 F larr EK1(msb96(I)middot)6 S larr CTR[F ](inc32(lsb32(I))m)7 C larrM oplusmsb|M|(S)8 Glarr GHASHK2(AC)9 S larr EK3(N oplusG)oplusG
10 return (SC)
4 Partial Authentication Key Recovery for GCM-RUP
Our analysis focuses on the GHASHK2function which can be written as a poly-
nomial in K2 In this section we analyze properties of GHASHK2 which are thenused to recover K2 After recovering K2 it is possible to perform a forgery attackfor GCM-RUP
The main property used in our attacks is that G the output of GHASHK2as
defined in Fig 2 is linearly dependent on the input (AC) for fixed K2 There-fore the output difference ∆G of values G emerging in encryption operationsof two input tuples (N1 AM) and (N2 AM) is independent of the value of(AM) and is only a function of N1 and N2
Based on this property we retrieve K2 with the following two steps
ndash For a fixed associated data and message we search for a pair of nonces(N1 N2) which produce a collision for the input of EK3
using a birthdayattack For such pair of nonces (N1 N2) ∆G = N1 oplusN2 = S1 oplus S2
ndash With a known∆G a polynomial equation inK2 is derived from the GHASHK2
definition Then K2 can be retrieved by solving this equation
In this section we will give the detailed description of the recovery of K2
41 Properties of GHASH
Let Π = (SEncSDecSVer) denote the scheme GCM-RUP We focus on thecomponent GHASHK2
with inputs the associated data A and the ciphertext CIn order to clearly describe the attack we rewrite GHASHK2
as
G = GHASHK2(AC) = GHASHcoreK2(ACstrn2(|A|)strn2(|C|))
According to the definition of GHASHcore given by Equation (1) G is linear inthe GHASHcore input (ACstrn2(|A|)strn2(|C|)) for a fixed K2 Thereforewe consider the difference ∆G in the output of GHASHK2
for a pair of inputs
10
Property 1 When processing a fixed associated data A and message M un-der two distinct nonces (N1 N2) with GCM-RUP the output difference ∆G ofGHASHK2 is only dependent on N1 and N2 but independent on A and M Thisalso holds for the input difference of EK3
Proof For two tuples (N1 AM) and (N2 AM) query SEnc and get
(S1 C1)larr GCM-RUP(N1 AM)
(S2 C2)larr GCM-RUP(N2 AM)
Let G1 and G2 represent the corresponding outputs of the function GHASHK2
in the encryptions under nonces N1 and N2 respectively
G1 = GHASHK2(AC1)
G2 = GHASHK2(AC2)
where
C1 = (0τM)oplus EncK1(N1)
C2 = (0τM)oplus EncK1(N2)
the function EncK1is defined in the upper dotted box in Fig 2 Hence
∆G = G1 oplusG2
= GHASHK2(AC1)oplus GHASHK2
(AC2)(2)
From the definition of GHASH we have
∆G = GHASHcoreK2
(AoplusAC1 oplus C2
(strn2(|A|)strn2(|C1|))oplus (strn2(|A|)strn2(|C2|)))
= GHASHcoreK2(0|A|∆C0n)
= GHASHcoreK2(0|A|EncK1
(N1)oplus EncK1(N2)0n)
(3)
which shows that the output difference of the function GHASHK2depend only
on N1 and N2 for two tuples (N1 AM) and (N2 AM) The input differenceof EK3
can be computed as
∆In = N1 oplusN2 oplus∆G= N1 oplusN2 oplus GHASHcoreK2(0|A|∆C0n)
(4)
so it is also independent of A and M 2
In particular if we can recover a value ∆G we can then extract K2 bysolving a polynomial equation given the ciphertext difference∆C and the outputdifference ∆G
∆G = GHASHcoreK2(0|A|∆C0n)
11
For simplicity we assume that |M | = n and τ = n this implies |C1| = |C2| = 2n
∆G = ∆C[0] middotK32 oplus∆C[1] middotK2
2
This a polynomial equation in K2 in the Galois field with 2128 elements Luckilythere are efficient algorithm to factor polynomials over finite fields For instancethe Cantor-Zassenhaus algorithm [5] requires O(n2(log(r) log(q) + n)) field op-erations to factor a degree-n polynomial with r irreducible factors over a fieldwith q elements In practice with the parameters used here this takes negligibletime using the implementation of SageMath [40]
42 Recovering K2 from Inner Collisions
As explained earlier the first step of the attack is to identify collisions in theinput of EK3 defined as In = N oplus G Following the analysis above we startwith a fixed associated data A and message M and query SEnc for q differentnonces to receive the corresponding encrypted nonces S and ciphertexts C
In order to simplify the description we focus on the value In and we considerthe function mapping NAM to In denoted as PEnc and represented by Fig 3The output values of PEnc can not be accessed by the attacker but collisions inPEnc can be detected As for In and the output Out of EK3
In = N oplusGOut = S oplusG
When the collisions happen ∆In = ∆Out = 0 which means
N1 oplusN2 oplusG1 oplusG2 = 0
S1 oplus S2 oplusG1 oplusG2 = 0
Thus N1 oplus N2 = S1 oplus S2 = ∆G If the collisions ∆N = ∆S can be detectedthe collisions in PEnc can be detected Meanwhile this type of collisions give outthe value of ∆G which can be used to recover K2 Moreover the correspondingpairs can be identified efficiently We just build a list of all nonces indexed byNi oplus Si sort the list and look for collisions each collision corresponds to a pairwith N1 oplus S1 = N2 oplus S2 ie N1 oplusN2 = S1 oplus S2 We now consider the converseand evaluate the probability of a collision in PEnc when N1 oplusN2 = S1 oplus S2
We formally define the two events as X and Y
ndash X (N1 oplusN2 = S1 oplus S2) the event identifying pairs of nonces (N1 N2) withthe input difference equal to the output difference of EK3
which is calledouter collision (equivalently it can be defined as ∆In = ∆Out)
ndash Y (∆In = 0) the event identifying pairs of nonces with collision in PEncie zero input difference for EK3
which is called inner collision
First we observe that Y sube X because if ∆In = 0 then ∆Out = 0 andN1 oplusN2 = S1 oplus S2 = ∆G Therefore we have
Pr[Y |X] =Pr[Y ]
Pr[X]
12
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GHA
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
G
In
PEnc
N A M
In
Fig 3 Representation of the Function PEnc
Moreover we have Pr[Y ] = 2minusn because the output of PEnc with a freshnonce is random assuming that E is a PRF In order to compute Pr[X] weconsider two cases depending on event Y
1 ∆In = 0 Then we have necessarily ∆Out = 0 ie Pr[X|∆In = 0] = 12 ∆In 6= 0 A pair with non-zero input difference must produce a non-zero
output difference Assuming that E is a PRF we have Pr[X|∆In 6= 0] =1
2nminus1
Therefore
Pr(X) =Pr[∆In = ∆Out]
=Pr[∆In = ∆Out|∆In = 0]times Pr[∆In = 0]+
Pr[∆In = ∆Out|∆In 6= 0]times Pr[∆In 6= 0]
=1times 1
2n+
1
2n minus 1times 2n minus 1
2n
=1
2nminus1
(5)
Finally we can conclude
Pr[∆In = 0|N1 oplusN2 = S1 oplus S2] =2minusn
2minusn+1=
1
2 (6)
Attack Procedure We can now give the detailed procedure to recover K2
1 Choose an arbitrary associated data A and a single-block message M thenquery SEnc for q different nonces N and receive the corresponding encrypted
13
nonces S and ciphertexts C save them in a table indexed by N oplus S Witha suitable value of q (in the order of 2n2) there are two pairs of nonces(N1 N2) satisfying N1 oplusN2 = S1 oplus S2 one of which is expected to furthersatisfy ∆In = 0
2 For each pair with N1 oplus N2 = S1 oplus S2 assuming that ∆In = 0 we have∆G = ∆S and we obtain a cubic polynomial equation with unknown variableK2 which can be solved with factoring tools
∆S = GHASHcoreK2(0|A|∆C0n) = ∆C[0] middotK32 oplus∆C[1] middotK2
2
3 Identify the correct candidate for K2 with forgery attempts
Using two pairs of nonces this attack suggests a small set of six key candi-dates The correct key can be identified with forgery attempts or by using morepairs and looking for a repeated key candidate
More precisely we will describe how to construct a forgery with known can-didate of K2 for GCM-RUP in Section 5 for a given message which can be usedto filter the correct K2 There would be two cases
ndash If the forgery is constructed under the correct candidate for K2 it can passthe verification algorithm of GCM-RUP
ndash If the forgery is constructed under the wrong candidate for K2 it will receivea failure of the verification of GCM-RUP
We only need to query the verification oracle SVer six times to identify thecorrect K2 The cost for this step is negligible
Complexity Estimation As already mentioned the probability of two ran-dom nonces N1 and N2 satisfying ∆In = 0 is 2minus128 Starting from a set of qqueries we can evaluate the probability p of finding an inner collision followingthe analysis of the birthday paradox
p 1minus eminusq2(2times2128)
Thus
q radic
2times 2128 ln1
1minus p
Table 1 shows number of nonces needed to achieve the given probability ofsuccess
43 Experimental Verification with Mini-GCM-RUP
In order to verify our attack theory we use a mini version of GCM-RUP con-structed with the 16-bit block cipher 4-round Mini-AES [28] to experimentallyrecover K2 This experiment identifies pairs of nonces in event X and Y from29 random nonces and recover K2 with SageMath We execute this experimentseveral times to give some results to show the validity of probabilities of eventX and Y in our paper the detail is listed in Table 2
In this table we see that probabilities of event X and Y conform to Equation(5) and (6) respectively The complexity of this experiment is dominated by 29
14
Table 1 Number of Nonces Needed to Achieve the Given Success Probability
Number of nonces to identify inner collision Probability of finding inner collision
263 11264 39265 86266 999
Table 2 Experimental Verification with Mini-GCM-RUP
(K1K2K3) Pair of nonces in X ∆In Pr(X) Pr(Y |X)
(0x3d0e0x2afc0x2e91)(0x27040x0889) 0 1
281
(0x76490x7b0d) 0
(0x4ef30x454b0x1e9a)
(0x23230x602d) 0
729
37
(0x11b70x2b2e) 0x0af7(0x7bab0x3a72) 0(0x12150x1e05) 0xa3b5(0x65930x093d) 0xbce8(0x09bd0x2db2) 0x03cf(0x7d350x5e97) 0
(0x53880x26410x7a4f)
(0x0ba90x46f5) 0x5393
328
12
(0x684d0x5786) 0(0x334c0x22e1) 0x0636(0x44870x13f0) 0(0x54130x03d8) 0(0x5a910x179f) 0x0c06
(0x56910x2ee90x5a68)(0x38740x7546) 0x3fcb 1
2812(0x44b00x4323) 0
15
5 Universal Forgery Attack of GCM-RUP
In this section we will construct forgeries for GCM-RUP given a candidate forK2 We consider a challenge message Mlowast (and possibly a challenge associateddata Alowast) and our goal is to construct a valid ciphertext for Mlowast
51 Almost Universal Forgery Attack
The first forgery attack makes only one query to the encryption oracle SEnc andthen constructs a forgery by solving an equation over GF (2128)
For an arbitrary nonce N associated data A and message M (with |M | =|Mlowast|) query (NAM) and receive the corresponding ciphertext (SC) LetG = GHASHK2
(AC) and the keystream used to XOR message is computed by
EncK1(N) = C oplus (0τM)
We create a valid encryption of Mlowast by reusing the same nonce N and the valuesG and S
First we compute Clowast corresponding to Mlowast
Clowast = 0τMlowast oplus EncK1(N)
= 0τMlowast oplus (C oplus 0τM)(7)
Then we construct Aprime such that
GHASHK2(Aprime Clowast) = GHASHK2
(AC)
where A C Clowast and K2 are known This gives a linear equation over GF (2128)which can easily be solved assuming that |Aprime| ge 128 and K2 6= 0
To summarize for any chosen message Mlowast we can give a successful forgery(AprimeMlowast Sprime C prime) satisfying (Sprime = SC prime = 0τMlowastoplus(Coplus0τM)) This is an almostuniversal forgery because we can choose Mlowast freely but not Aprime
52 Universal Forgery Attack
Alternatively we can design an attack where we choose both Alowast and Mlowast using2n2 queries First we make 2n2 queries (Ni AM) for fixed A and M with|M | = |Mlowast| and receive the corresponding (Si Ci) Since K2 is known we cancompute Gi = GHASH(ACi) and recover the corresponding inputs and outputsto EK3
EK3(Ni oplusGi) = Si oplusGi
Then we can use the same nonces Ni to build a forgery For each Ni webuild the corresponding C primei from Mlowast and Ci as above and we check whetherNioplusGHASH(Alowast C primei) is in the set of known inputs to EK3
With high probabilityone of the nonces will result in a match Ni oplus GHASH(Alowast C primei) = Nj oplus Gj andwe deduce a forgery using Sprime = Sj oplusGj oplus GHASH(Alowast C primei)
16
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
K4E
Fig 4 A Variant for GCM-RUP
17
6 Variant of GCM-RUP
Our forgery attack against GCM-RUP highlights a potential weakness on thestructure of GCM-RUP the output difference of the function GHASHK2
canbe recovered with birthday complexity and this leads to a recovery of K2 Inorder to prevent this attack we suggest to add a block cipher call in the TBCconstruction used in GCM-RUP as shown in Fig 4 to avoid leakage of theoutput difference of the function GHASHK2
This modified TBC still follows the XTX construction of Iwata and Mine-matsu [24] using universal hash function EK4
(GHASHK2(AC)) instead of the
original GHASHK2(AC) The new universal hash function has the same security
bounds but does not leak the key from an output difference Thus the securityproof of GCM-RUP is still applicable to this variant But we do not provide aformal security proof The extra block cipher has a limited impact on efficiencyand might offer better security by avoiding our attack
More generally the modified GHASH could replace GHASH in other designsIn particular the corresponding modification of GCM would prevent the uni-versal forgery attack with complexity 22n3 given in [20] We believe that thisconstruction is worth further study Further work will be needed to determinewhether this modification actually provides extra security and how much
7 Conclusion
This paper shows a birthday-bound attack against GCM-RUP [2] using innercollisions to recover the output difference of the function GHASHK2
Hence K2
can be retrieved by solving a polynomial equation and this directly leads toa universal forgery attack against GCM-RUP This forgery attack shows thatthe construction of GCM-RUP breaks drastically when the security bound isreached This is surprising because no such attack is known on GCM the bestknown universal forgery attack requires 22n3 operations
Finally a minor modification of GCM-RUP is suggested to prevent this kindof attack using an additional block cipher to protect the output of GHASHWith little performance loss this design focusing on GHASH can be applied toall GHASH-based designs
In a more general setting our attack technique can be applied to the LRWconstruction [21] with a polynomial universal hash function as used in OCB forinstance Actually the corresponding attack on OCB would match the previousattack by Ferguson [9]
8 Acknowledgement
This work was supported by the National Natural Science Foundation of Chinaunder Grant Nos 61572293 and 61602276 National Cryptography DevelopmentFoundation of China under Grant No MMJJ20170102 Major Scientific andTechnological Innovation Projects of Shandong Province China under Grant
18
No 2017CXGC0704 Natural Science Foundation of Shandong Province Chinaunder Grant No ZR2016FM22
References
1 Andreeva E Bogdanov A Luykx A Mennink B Mouha N Yasuda K How toSecurely Release Unverified Plaintext in Authenticated Encryption In Sarkar PIwata T (Eds) ASIACRYPT 2014 PART I LNCS 8873 pp 105ndash125 Springer
2 Ashur T Dunkelman O Luykx A Boosting Authenticated Encryption Robust-ness with Minimal Modifications In Katz J Shacham H (Eds) CRYPTO 2017Part III LNCS 10403 pp 3-33 Springer
3 Bellare M Namprempre C Authenticated Encryption Relations among Notionsand Analysis of the Generic Composition Paradigm In Okamoto T (Eds) ASI-ACRYPT 2000 LNCS 1976 pp 531ndash545 Springer
4 Bhargavan K Leurent G On the practical (in-)security of 64-bit block ciphersCollision attacks on HTTP over TLS and OpenVPN In Weippl ER Katzen-beisser S Kruegel C Myers AC Halevi S (eds) ACM CCS 2016 pp 456ndash467ACM Press (Oct 2016)
5 Cantor DG Zassenhaus H A new algorithm for factoring polynomials overfinite fields Mathematics of Computation pp 587ndash592 (1981)
6 Chaigneau C Gilbert H Is AEZ v41 sufficiently resilient against key-recoveryattacks IACR Trans Symm Cryptol 2016(1) 114ndash133 (2016) httptosc
iacrorgindexphpToSCarticleview538
7 Dierks T Allen C RFC 2246 - The TLS Protocol Version 10 Internet ActivitiesBoard (Jan 1999)
8 Dworkin M Recommendation for Block Cipher Modes of Operation Ga-loisCounter Mode (GCM) and GMAC National Institute of Standards and Tech-nology SP 800-38D November 2007
9 Ferguson N Collision attacks on OCB Comment to NIST (Feb 2002)
10 Fuhr T Leurent G Suder V Collision attacks against CAESAR candidates -forgery and key-recovery against AEZ and Marble In Iwata T Cheon JH (eds)ASIACRYPT 2015 Part II LNCS vol 9453 pp 510ndash532 Springer Heidelberg(Nov Dec 2015)
11 Gligor V Donescu P Fast Encryption and Authentication XCBC Encryptionand XECB Authentication Modes In Matsui M (Eds) FSE 2001 LNCS 2355pp 92-108 Springer
12 Gueron S Lindell Y GCM-SIV Full Nonce Misuse-Resistant Authenticated En-cryption at Under One Cycle per Byte In Ray I Li N Kruegel C (Eds) Pro-ceedings of the 22nd ACM SIGSAC Conference on Computer and CommunicationsSecurity Denver CO USA 12ndash16 October 2015 pp 109-119 ACM (2015)
13 Halevi S Rogaway P A Parallelizable Enciphering Mode In Okamoto T (Eds)CT-RSA 2004 LNCS 2964 pp 292ndash304 Springer
14 Hoang VT Krovetz T Rogaway P Robust Authenticated-Encryption AEZ andthe Problem That It Solves In Oswald E Fischlin M (eds) EUROCRYPT 2015LNCS vol 9056 pp 15-44 Springer Berlin Heidelberg
15 Inoue A Iwata T Minematsu K Poettering B Cryptanalysis of OCB2 At-tacks on Authenticity and Confidentiality In Boldyreva A Micciancio D (eds)CRYPTO 2019 LNCS vol 11692 Springer Cham
19
16 Iwata T Ohashi K Minematsu K Breaking and repairing GCM securityproofs In Safavi-Naini R Canetti R (eds) CRYPTO 2012 LNCS vol 7417pp 31ndash49 Springer Heidelberg (Aug 2012)
17 Joux A Comments on the Draft GCM Specification - Authentication Fail-ures in NIST Version of GCM httpcsrcnistgovgroupsSTtoolkitBCMdocumentscomments800-38Series-DraftsGCMJouxcommentspdf
18 Jutla C Encryption Modes with Almost Free Message Integrity In Pfitzmann B(Eds) EUROCRYPT 2001 LNCS 2045 pp 529-544 Springer
19 Leurent G Peyrin T Wang L New generic attacks against hash-based MACsIn Sako K Sarkar P (eds) ASIACRYPT 2013 Part II LNCS vol 8270 pp1ndash20 Springer Heidelberg (Dec 2013)
20 Leurent G Sibleyras F The missing difference problem and its applications tocounter mode encryption In Nielsen JB Rijmen V (eds) EUROCRYPT 2018Part II LNCS vol 10821 pp 745ndash770 Springer Heidelberg (Apr May 2018)
21 Liskov M Rivest RL Wagner D Tweakable Block Ciphers In Yung M (Eds)CRYPTO 2002 LNCS 2442 pp 31-46 Springer
22 Luykx A Preneel B Optimal forgeries against polynomial-based MACs andGCM In Nielsen JB Rijmen V (eds) EUROCRYPT 2018 Part I LNCS vol10820 pp 445ndash467 Springer Heidelberg (Apr May 2018)
23 McGrew D Viega J The Security and Performance of the GaloisCounter Mode(GCM) of Operation In Canteaut A Viswanathan K (eds) INDOCRYPT 2004LNCS vol 3348 pp 343-355 Springer Berlin Heidelberg
24 Minematsu K Iwata T Tweak-length extension for tweakable blockciphers InGroth J (ed) 15th IMA International Conference on Cryptography and CodingLNCS vol 9496 pp 77ndash93 Springer Heidelberg (Dec 2015)
25 Mitchell CJ On the security of XCBC TMAC and OMAC Technical Re-port RHUL-MA-2003-4 19 August 2003 Available at httpwwwrhulac
ukmathematicstechreports Also available from NISTrsquos web page at http
csrcnistgovCryptoToolkitmodescomments
26 Nandi M Bernstein bound on WCS is tight - repairing Luykx-Preneel optimalforgeries In Shacham H Boldyreva A (eds) CRYPTO 2018 Part II LNCSvol 10992 pp 213ndash238 Springer Heidelberg (Aug 2018)
27 Peyrin T Wang L Generic universal forgery attack on iterative hash-basedMACs In Nguyen PQ Oswald E (eds) EUROCRYPT 2014 LNCS vol 8441pp 147ndash164 Springer Heidelberg (May 2014)
28 Phan R CW Mini Advanced Encryption Standard (Mini-AES) A Testbed forCryptanalysis Students In Cryptologia XXVI (4) 2002 httpsstaffguilanacirstaffusersrebrahimifckeditor_repofilemini-aes-specpdf
29 Preneel B van Oorschot PC On the security of two MAC algorithms In Mau-rer UM (ed) EUROCRYPTrsquo96 LNCS vol 1070 pp 19ndash32 Springer Heidelberg(May 1996)
30 Rogaway P Bellare M Black J OCB A Block-Cipher Mode of Operation forEfficient Authenticated Encryption Transactions on Information and System Se-curity Vol 6 No 3 August 2003 pp 365-403
31 Rogaway P Shrimpton T A Provable-Security Treatment of the Key-WrapProblem In Vaudenay S (Eds) EUROCRYPT 2006 LNCS 4004 pp 373-390Springer
32 Shrimpton T Terashima RS A Modular Framework for Building Variable-Input-Length Tweakable Ciphers In Sako K Sarkar P (Eds) ASIACRYPT 2013 PartI LNCS 8269 pp 405ndash423 Springer
20
33 Sung J Hong D Lee S Key recovery attacks on the RMAC TMAC andIACBC In Safavi-Naini R Seberry J (eds) ACISP 03 LNCS vol 2727 pp265ndash273 Springer Heidelberg (Jul 2003)
34 Wegman MN Carter L New Hash Functions and Their Use in Authenticationand Set Equality Journal of Computer and System Sciences 22 265-279 (1981)
35 The CAESAR committee CAESAR Competition for Authenticated EncryptionSecurity Applicability and Robustness httpcompetitionscryptocaesarhtml
36 IEEE Standard for Local and Metropolitan Area Networks Media Access Control(MAC) Security IEEE Std 8021AE-2006 (2006)
37 Information Technology - Security Techniques - Authenticated EncryptionISOIEC 197722009 International Standard ISOIEC 19772 (2009)
38 NIST Lightweight Cryptography httpscsrcnistgovProjects
Lightweight-Cryptography
39 National Security Agency Internet Protocol Security (IPsec) Minimum EssentialInteroperability Requirements IPMEIR Version 100 Core (2010) httpwwwnsagoviaprogramssuitebcryptographyindexshtml
40 Sage Documentation SageMath Help httpwwwsagemathorg
21
- Universal Forgery Attack against GCM-RUP
- Yanbin Li Gaeumltan Leurent Meiqin Wang Wei Wang Guoyan Zhang Yu Liu
-
with K the key space N the nonce space A the associated data space M themessage space C the ciphertext space The special symbols gt and perp indicate thesuccess and failure of the verification respectively It must be the case that forall K isin K N isin N A isin A and M isinM
SDecNK(ASEncNK(AM)) = M and SVerNK(ASEncNK(AM)) = gt
Finally we need to introduce the notion of tweakable block cipher (TBC)which is used in GCM-RUP A tweakable block cipher is a generalization of ablock cipher with an additional tweak input generating a family of independentblock ciphers [21]
Definition 3 (TBC [21]) A TBC could be regarded as a pair of functions(ED) with
E K times T times X rarr X D K times T times X rarr X
where K is the key space T is the tweak space and X is the domain For allK isin K T isin T and X isin X ETK is a permutation of X with DTK as inverse and
DTK(ETK(X)) = X
3 Brief Description of GCM-RUP [2]
Ashur Dunkelman and Luykx proposed a generic construction of an efficientseparated AE scheme at CRYPTOrsquo17 [2] Their construction uses an encryptionscheme and a TBC and achieves security in the RUP setting assuming that theencryption scheme is strongly indistinguishable-from-random-bits (SRND) [1332] and the TBC is a strong pseudorandom permutation (SPRP) [32] Basedon the generic construction a dedicated instantiation GCM-RUP is built usingAES-GCMrsquos primitives This section will describe this construction and GCM-RUP
31 Generic Construction with RUP Security [2]
Let (EncDec) be an encryption scheme (without authentication) with K the keyspace N the nonce spaceM the message space and C the ciphertext space Let(ED) denote a TBC with key space L tweak space T = C and domain X = N Then define the separated AE scheme (SEncSDecSVer) as follows
SEncNKL(AM) =(S = EACL (N) C = EncNK(αM)
)
SDecKL(ASC) = lsb|C|minusτ (DecDAC
L (S)K (C))
SVerKL(ASC) = msbτ (DecDAC
L (S)K (C))
= α
6
where (KL) isin KtimesL is the key N is the nonce space A is the associated dataspaceM is the message space N timesC is the ciphertext space and α isin 0 1τ issome pre-defined constant The construction is depicted in Fig 1 The proceduresof encryption decryption and verification are illustrated in Fig 1 (a) (b) and(c) respectively
The novelty of the generic construction is that the nonce is encrypted usingthe ciphertext as a tweak This provides security in the RUP setting becauseif an attacker modifies the ciphertext or the encrypted nonce the decryptionoracle will output a random plaintext The authentication security comes fromthe redundancy in the plaintext with the pre-defined constant α (known byboth sides) the length of α determines the security level In order to maintainsecurity up to the birthday bound on the block size the size of α and the noncesize are fixed to be the same as the block size n
32 GCM-RUP [2]
GCM-RUP is an instantiation of the generic construction using the counter mode(CTR) for encryption and the XTX construction [24] with GHASH for the tweak-able block cipher It reuses the component of GCM in order to benefit from theefficient implementations available while offering more robustness with securityin the RUP setting Before describing GCM-RUP itself we first define the prim-itives borrowed from GCM Let n denote the block length of the available blockcipher in this case n = 128
The first one is the universal hash function GHASH which takes a key H andtwo strings M and M prime as input (in GCM GHASH is used in the Wegman-Carterconstruction to build a MAC [34]) The core of GHASH is defined with a singlestring M constituted of full blocks and evaluates a polynomial defined from Mat H as follows
GHASHcoreH(M) =
|M |nminus1oplusi=0
M [i] middotH |M |nminusi (1)
The symbol ldquomiddotrdquo represents multiplication in the Galois field GF (2n) All thecomputations are performed by the rule of operations defined in finite fieldGHASH is defined from GHASHcore it takes two strings M and M prime as inputzero-pads and concatenates them and adds the binary representation of thelengths of M and M prime before processing the result through GHASHcore
GHASHH(MM prime) = GHASHcoreH(M0lowastnM prime0lowastnstrn2(|M |)strn2(|M prime|))
where the function strj(i) maps the integer i = ajminus12jminus1 + middot middot middot+ a12 + a0 lt 2j
to the j-bit string ajminus1 a1a0 Algorithm 1 describes the procedure of thefunction
The second important auxiliary function is the CTR mode Given a countervalue X a positive integer m and a predefined keyed function F as input thisfunction CTR[F ](Xm) outputs a string S with m blocks Each block of S is
7
N M
S C
α
(a) Encryption
S C
EL
EncK
DL
DecK
M
lsb|C|-τ
(b) Decryption
S C
DL
DecK
msbτ
(c) Verification
α
A
A A
Fig 1 Generic Construction with RUP Security
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
EncK1
EK2K3
G
In
Out
Fig 2 GCM-RUP (Figure from [2])
8
Algorithm 1 GHASHH(MM prime)
Input H isin 0 1n M isin 0 1len(2n2minus1) M prime isin 0 1len(2
n2minus1)
Output Y isin 0 1n1 X larrM0lowastnM prime0lowastnstrn2(|M |)strn2(|M prime|)2 X[1]X[2] X[x]
nlarrminus X3 Y larr 0n
4 for 1 le j le x do5 Y larr H middot (Y oplusX[j])6 end for7 return Y
computed by S[i] = F (incix(X)) where incx represents counter incrementationadding one modulo 2x to X with the convention that incix represents i successiveimplementations The CTR mode is defined in Algorithm 2
Algorithm 2 CTR[F ](Xm)
Input F 0 1x rarr 0 1n X isin 0 1x m isin NOutput S isin 0 1mn1 I larr X2 for 1 le j le m do3 S[j]larr F (I)4 I larr incx(I)5 end for6 S larr S[1]S[2] S[m]7 return S
Finally GCM-RUP uses three keys K1 is used for the CTR encryption andK2 and K3 are used for the TBC following the XTX construction (K2 is usedfor GHASH and K3 is used for the underlying block cipher call) GCM-RUPencrypts a message M together with its associated data A and a nonce N intoa ciphertext C and an encrypted nonce S The associated data the message andthe ciphertext are all seen as sequences of blocks of length n GCM-RUP followsthe generic construction given above and is described in Fig 2 with pseudocodein Algorithm 3 (with ε an empty string) In the figure EncK1
corresponds toCTR mode encryption and EK2K3
to the TBC
As an instantiation of the generic construction with RUP security GCM-RUPis secure under RUP setting More precisely GCM-RUP can provide security upto the birthday bound on the block size (because this is the security of theunderlying AE scheme and TBC)
9
Algorithm 3 GCM-RUPK1K2K3(NAM)
Input K1K2K3 isin 0 13n A isin 0 1n232
M isin 0 1n232
Output (SC) isin 0 1n times 0 1τ+|M|1 M larr 0τM2 Llarr EK1(0n)3 I larr GHASHL(εN)4 mlarr |M |n5 F larr EK1(msb96(I)middot)6 S larr CTR[F ](inc32(lsb32(I))m)7 C larrM oplusmsb|M|(S)8 Glarr GHASHK2(AC)9 S larr EK3(N oplusG)oplusG
10 return (SC)
4 Partial Authentication Key Recovery for GCM-RUP
Our analysis focuses on the GHASHK2function which can be written as a poly-
nomial in K2 In this section we analyze properties of GHASHK2 which are thenused to recover K2 After recovering K2 it is possible to perform a forgery attackfor GCM-RUP
The main property used in our attacks is that G the output of GHASHK2as
defined in Fig 2 is linearly dependent on the input (AC) for fixed K2 There-fore the output difference ∆G of values G emerging in encryption operationsof two input tuples (N1 AM) and (N2 AM) is independent of the value of(AM) and is only a function of N1 and N2
Based on this property we retrieve K2 with the following two steps
ndash For a fixed associated data and message we search for a pair of nonces(N1 N2) which produce a collision for the input of EK3
using a birthdayattack For such pair of nonces (N1 N2) ∆G = N1 oplusN2 = S1 oplus S2
ndash With a known∆G a polynomial equation inK2 is derived from the GHASHK2
definition Then K2 can be retrieved by solving this equation
In this section we will give the detailed description of the recovery of K2
41 Properties of GHASH
Let Π = (SEncSDecSVer) denote the scheme GCM-RUP We focus on thecomponent GHASHK2
with inputs the associated data A and the ciphertext CIn order to clearly describe the attack we rewrite GHASHK2
as
G = GHASHK2(AC) = GHASHcoreK2(ACstrn2(|A|)strn2(|C|))
According to the definition of GHASHcore given by Equation (1) G is linear inthe GHASHcore input (ACstrn2(|A|)strn2(|C|)) for a fixed K2 Thereforewe consider the difference ∆G in the output of GHASHK2
for a pair of inputs
10
Property 1 When processing a fixed associated data A and message M un-der two distinct nonces (N1 N2) with GCM-RUP the output difference ∆G ofGHASHK2 is only dependent on N1 and N2 but independent on A and M Thisalso holds for the input difference of EK3
Proof For two tuples (N1 AM) and (N2 AM) query SEnc and get
(S1 C1)larr GCM-RUP(N1 AM)
(S2 C2)larr GCM-RUP(N2 AM)
Let G1 and G2 represent the corresponding outputs of the function GHASHK2
in the encryptions under nonces N1 and N2 respectively
G1 = GHASHK2(AC1)
G2 = GHASHK2(AC2)
where
C1 = (0τM)oplus EncK1(N1)
C2 = (0τM)oplus EncK1(N2)
the function EncK1is defined in the upper dotted box in Fig 2 Hence
∆G = G1 oplusG2
= GHASHK2(AC1)oplus GHASHK2
(AC2)(2)
From the definition of GHASH we have
∆G = GHASHcoreK2
(AoplusAC1 oplus C2
(strn2(|A|)strn2(|C1|))oplus (strn2(|A|)strn2(|C2|)))
= GHASHcoreK2(0|A|∆C0n)
= GHASHcoreK2(0|A|EncK1
(N1)oplus EncK1(N2)0n)
(3)
which shows that the output difference of the function GHASHK2depend only
on N1 and N2 for two tuples (N1 AM) and (N2 AM) The input differenceof EK3
can be computed as
∆In = N1 oplusN2 oplus∆G= N1 oplusN2 oplus GHASHcoreK2(0|A|∆C0n)
(4)
so it is also independent of A and M 2
In particular if we can recover a value ∆G we can then extract K2 bysolving a polynomial equation given the ciphertext difference∆C and the outputdifference ∆G
∆G = GHASHcoreK2(0|A|∆C0n)
11
For simplicity we assume that |M | = n and τ = n this implies |C1| = |C2| = 2n
∆G = ∆C[0] middotK32 oplus∆C[1] middotK2
2
This a polynomial equation in K2 in the Galois field with 2128 elements Luckilythere are efficient algorithm to factor polynomials over finite fields For instancethe Cantor-Zassenhaus algorithm [5] requires O(n2(log(r) log(q) + n)) field op-erations to factor a degree-n polynomial with r irreducible factors over a fieldwith q elements In practice with the parameters used here this takes negligibletime using the implementation of SageMath [40]
42 Recovering K2 from Inner Collisions
As explained earlier the first step of the attack is to identify collisions in theinput of EK3 defined as In = N oplus G Following the analysis above we startwith a fixed associated data A and message M and query SEnc for q differentnonces to receive the corresponding encrypted nonces S and ciphertexts C
In order to simplify the description we focus on the value In and we considerthe function mapping NAM to In denoted as PEnc and represented by Fig 3The output values of PEnc can not be accessed by the attacker but collisions inPEnc can be detected As for In and the output Out of EK3
In = N oplusGOut = S oplusG
When the collisions happen ∆In = ∆Out = 0 which means
N1 oplusN2 oplusG1 oplusG2 = 0
S1 oplus S2 oplusG1 oplusG2 = 0
Thus N1 oplus N2 = S1 oplus S2 = ∆G If the collisions ∆N = ∆S can be detectedthe collisions in PEnc can be detected Meanwhile this type of collisions give outthe value of ∆G which can be used to recover K2 Moreover the correspondingpairs can be identified efficiently We just build a list of all nonces indexed byNi oplus Si sort the list and look for collisions each collision corresponds to a pairwith N1 oplus S1 = N2 oplus S2 ie N1 oplusN2 = S1 oplus S2 We now consider the converseand evaluate the probability of a collision in PEnc when N1 oplusN2 = S1 oplus S2
We formally define the two events as X and Y
ndash X (N1 oplusN2 = S1 oplus S2) the event identifying pairs of nonces (N1 N2) withthe input difference equal to the output difference of EK3
which is calledouter collision (equivalently it can be defined as ∆In = ∆Out)
ndash Y (∆In = 0) the event identifying pairs of nonces with collision in PEncie zero input difference for EK3
which is called inner collision
First we observe that Y sube X because if ∆In = 0 then ∆Out = 0 andN1 oplusN2 = S1 oplus S2 = ∆G Therefore we have
Pr[Y |X] =Pr[Y ]
Pr[X]
12
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GHA
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
G
In
PEnc
N A M
In
Fig 3 Representation of the Function PEnc
Moreover we have Pr[Y ] = 2minusn because the output of PEnc with a freshnonce is random assuming that E is a PRF In order to compute Pr[X] weconsider two cases depending on event Y
1 ∆In = 0 Then we have necessarily ∆Out = 0 ie Pr[X|∆In = 0] = 12 ∆In 6= 0 A pair with non-zero input difference must produce a non-zero
output difference Assuming that E is a PRF we have Pr[X|∆In 6= 0] =1
2nminus1
Therefore
Pr(X) =Pr[∆In = ∆Out]
=Pr[∆In = ∆Out|∆In = 0]times Pr[∆In = 0]+
Pr[∆In = ∆Out|∆In 6= 0]times Pr[∆In 6= 0]
=1times 1
2n+
1
2n minus 1times 2n minus 1
2n
=1
2nminus1
(5)
Finally we can conclude
Pr[∆In = 0|N1 oplusN2 = S1 oplus S2] =2minusn
2minusn+1=
1
2 (6)
Attack Procedure We can now give the detailed procedure to recover K2
1 Choose an arbitrary associated data A and a single-block message M thenquery SEnc for q different nonces N and receive the corresponding encrypted
13
nonces S and ciphertexts C save them in a table indexed by N oplus S Witha suitable value of q (in the order of 2n2) there are two pairs of nonces(N1 N2) satisfying N1 oplusN2 = S1 oplus S2 one of which is expected to furthersatisfy ∆In = 0
2 For each pair with N1 oplus N2 = S1 oplus S2 assuming that ∆In = 0 we have∆G = ∆S and we obtain a cubic polynomial equation with unknown variableK2 which can be solved with factoring tools
∆S = GHASHcoreK2(0|A|∆C0n) = ∆C[0] middotK32 oplus∆C[1] middotK2
2
3 Identify the correct candidate for K2 with forgery attempts
Using two pairs of nonces this attack suggests a small set of six key candi-dates The correct key can be identified with forgery attempts or by using morepairs and looking for a repeated key candidate
More precisely we will describe how to construct a forgery with known can-didate of K2 for GCM-RUP in Section 5 for a given message which can be usedto filter the correct K2 There would be two cases
ndash If the forgery is constructed under the correct candidate for K2 it can passthe verification algorithm of GCM-RUP
ndash If the forgery is constructed under the wrong candidate for K2 it will receivea failure of the verification of GCM-RUP
We only need to query the verification oracle SVer six times to identify thecorrect K2 The cost for this step is negligible
Complexity Estimation As already mentioned the probability of two ran-dom nonces N1 and N2 satisfying ∆In = 0 is 2minus128 Starting from a set of qqueries we can evaluate the probability p of finding an inner collision followingthe analysis of the birthday paradox
p 1minus eminusq2(2times2128)
Thus
q radic
2times 2128 ln1
1minus p
Table 1 shows number of nonces needed to achieve the given probability ofsuccess
43 Experimental Verification with Mini-GCM-RUP
In order to verify our attack theory we use a mini version of GCM-RUP con-structed with the 16-bit block cipher 4-round Mini-AES [28] to experimentallyrecover K2 This experiment identifies pairs of nonces in event X and Y from29 random nonces and recover K2 with SageMath We execute this experimentseveral times to give some results to show the validity of probabilities of eventX and Y in our paper the detail is listed in Table 2
In this table we see that probabilities of event X and Y conform to Equation(5) and (6) respectively The complexity of this experiment is dominated by 29
14
Table 1 Number of Nonces Needed to Achieve the Given Success Probability
Number of nonces to identify inner collision Probability of finding inner collision
263 11264 39265 86266 999
Table 2 Experimental Verification with Mini-GCM-RUP
(K1K2K3) Pair of nonces in X ∆In Pr(X) Pr(Y |X)
(0x3d0e0x2afc0x2e91)(0x27040x0889) 0 1
281
(0x76490x7b0d) 0
(0x4ef30x454b0x1e9a)
(0x23230x602d) 0
729
37
(0x11b70x2b2e) 0x0af7(0x7bab0x3a72) 0(0x12150x1e05) 0xa3b5(0x65930x093d) 0xbce8(0x09bd0x2db2) 0x03cf(0x7d350x5e97) 0
(0x53880x26410x7a4f)
(0x0ba90x46f5) 0x5393
328
12
(0x684d0x5786) 0(0x334c0x22e1) 0x0636(0x44870x13f0) 0(0x54130x03d8) 0(0x5a910x179f) 0x0c06
(0x56910x2ee90x5a68)(0x38740x7546) 0x3fcb 1
2812(0x44b00x4323) 0
15
5 Universal Forgery Attack of GCM-RUP
In this section we will construct forgeries for GCM-RUP given a candidate forK2 We consider a challenge message Mlowast (and possibly a challenge associateddata Alowast) and our goal is to construct a valid ciphertext for Mlowast
51 Almost Universal Forgery Attack
The first forgery attack makes only one query to the encryption oracle SEnc andthen constructs a forgery by solving an equation over GF (2128)
For an arbitrary nonce N associated data A and message M (with |M | =|Mlowast|) query (NAM) and receive the corresponding ciphertext (SC) LetG = GHASHK2
(AC) and the keystream used to XOR message is computed by
EncK1(N) = C oplus (0τM)
We create a valid encryption of Mlowast by reusing the same nonce N and the valuesG and S
First we compute Clowast corresponding to Mlowast
Clowast = 0τMlowast oplus EncK1(N)
= 0τMlowast oplus (C oplus 0τM)(7)
Then we construct Aprime such that
GHASHK2(Aprime Clowast) = GHASHK2
(AC)
where A C Clowast and K2 are known This gives a linear equation over GF (2128)which can easily be solved assuming that |Aprime| ge 128 and K2 6= 0
To summarize for any chosen message Mlowast we can give a successful forgery(AprimeMlowast Sprime C prime) satisfying (Sprime = SC prime = 0τMlowastoplus(Coplus0τM)) This is an almostuniversal forgery because we can choose Mlowast freely but not Aprime
52 Universal Forgery Attack
Alternatively we can design an attack where we choose both Alowast and Mlowast using2n2 queries First we make 2n2 queries (Ni AM) for fixed A and M with|M | = |Mlowast| and receive the corresponding (Si Ci) Since K2 is known we cancompute Gi = GHASH(ACi) and recover the corresponding inputs and outputsto EK3
EK3(Ni oplusGi) = Si oplusGi
Then we can use the same nonces Ni to build a forgery For each Ni webuild the corresponding C primei from Mlowast and Ci as above and we check whetherNioplusGHASH(Alowast C primei) is in the set of known inputs to EK3
With high probabilityone of the nonces will result in a match Ni oplus GHASH(Alowast C primei) = Nj oplus Gj andwe deduce a forgery using Sprime = Sj oplusGj oplus GHASH(Alowast C primei)
16
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
K4E
Fig 4 A Variant for GCM-RUP
17
6 Variant of GCM-RUP
Our forgery attack against GCM-RUP highlights a potential weakness on thestructure of GCM-RUP the output difference of the function GHASHK2
canbe recovered with birthday complexity and this leads to a recovery of K2 Inorder to prevent this attack we suggest to add a block cipher call in the TBCconstruction used in GCM-RUP as shown in Fig 4 to avoid leakage of theoutput difference of the function GHASHK2
This modified TBC still follows the XTX construction of Iwata and Mine-matsu [24] using universal hash function EK4
(GHASHK2(AC)) instead of the
original GHASHK2(AC) The new universal hash function has the same security
bounds but does not leak the key from an output difference Thus the securityproof of GCM-RUP is still applicable to this variant But we do not provide aformal security proof The extra block cipher has a limited impact on efficiencyand might offer better security by avoiding our attack
More generally the modified GHASH could replace GHASH in other designsIn particular the corresponding modification of GCM would prevent the uni-versal forgery attack with complexity 22n3 given in [20] We believe that thisconstruction is worth further study Further work will be needed to determinewhether this modification actually provides extra security and how much
7 Conclusion
This paper shows a birthday-bound attack against GCM-RUP [2] using innercollisions to recover the output difference of the function GHASHK2
Hence K2
can be retrieved by solving a polynomial equation and this directly leads toa universal forgery attack against GCM-RUP This forgery attack shows thatthe construction of GCM-RUP breaks drastically when the security bound isreached This is surprising because no such attack is known on GCM the bestknown universal forgery attack requires 22n3 operations
Finally a minor modification of GCM-RUP is suggested to prevent this kindof attack using an additional block cipher to protect the output of GHASHWith little performance loss this design focusing on GHASH can be applied toall GHASH-based designs
In a more general setting our attack technique can be applied to the LRWconstruction [21] with a polynomial universal hash function as used in OCB forinstance Actually the corresponding attack on OCB would match the previousattack by Ferguson [9]
8 Acknowledgement
This work was supported by the National Natural Science Foundation of Chinaunder Grant Nos 61572293 and 61602276 National Cryptography DevelopmentFoundation of China under Grant No MMJJ20170102 Major Scientific andTechnological Innovation Projects of Shandong Province China under Grant
18
No 2017CXGC0704 Natural Science Foundation of Shandong Province Chinaunder Grant No ZR2016FM22
References
1 Andreeva E Bogdanov A Luykx A Mennink B Mouha N Yasuda K How toSecurely Release Unverified Plaintext in Authenticated Encryption In Sarkar PIwata T (Eds) ASIACRYPT 2014 PART I LNCS 8873 pp 105ndash125 Springer
2 Ashur T Dunkelman O Luykx A Boosting Authenticated Encryption Robust-ness with Minimal Modifications In Katz J Shacham H (Eds) CRYPTO 2017Part III LNCS 10403 pp 3-33 Springer
3 Bellare M Namprempre C Authenticated Encryption Relations among Notionsand Analysis of the Generic Composition Paradigm In Okamoto T (Eds) ASI-ACRYPT 2000 LNCS 1976 pp 531ndash545 Springer
4 Bhargavan K Leurent G On the practical (in-)security of 64-bit block ciphersCollision attacks on HTTP over TLS and OpenVPN In Weippl ER Katzen-beisser S Kruegel C Myers AC Halevi S (eds) ACM CCS 2016 pp 456ndash467ACM Press (Oct 2016)
5 Cantor DG Zassenhaus H A new algorithm for factoring polynomials overfinite fields Mathematics of Computation pp 587ndash592 (1981)
6 Chaigneau C Gilbert H Is AEZ v41 sufficiently resilient against key-recoveryattacks IACR Trans Symm Cryptol 2016(1) 114ndash133 (2016) httptosc
iacrorgindexphpToSCarticleview538
7 Dierks T Allen C RFC 2246 - The TLS Protocol Version 10 Internet ActivitiesBoard (Jan 1999)
8 Dworkin M Recommendation for Block Cipher Modes of Operation Ga-loisCounter Mode (GCM) and GMAC National Institute of Standards and Tech-nology SP 800-38D November 2007
9 Ferguson N Collision attacks on OCB Comment to NIST (Feb 2002)
10 Fuhr T Leurent G Suder V Collision attacks against CAESAR candidates -forgery and key-recovery against AEZ and Marble In Iwata T Cheon JH (eds)ASIACRYPT 2015 Part II LNCS vol 9453 pp 510ndash532 Springer Heidelberg(Nov Dec 2015)
11 Gligor V Donescu P Fast Encryption and Authentication XCBC Encryptionand XECB Authentication Modes In Matsui M (Eds) FSE 2001 LNCS 2355pp 92-108 Springer
12 Gueron S Lindell Y GCM-SIV Full Nonce Misuse-Resistant Authenticated En-cryption at Under One Cycle per Byte In Ray I Li N Kruegel C (Eds) Pro-ceedings of the 22nd ACM SIGSAC Conference on Computer and CommunicationsSecurity Denver CO USA 12ndash16 October 2015 pp 109-119 ACM (2015)
13 Halevi S Rogaway P A Parallelizable Enciphering Mode In Okamoto T (Eds)CT-RSA 2004 LNCS 2964 pp 292ndash304 Springer
14 Hoang VT Krovetz T Rogaway P Robust Authenticated-Encryption AEZ andthe Problem That It Solves In Oswald E Fischlin M (eds) EUROCRYPT 2015LNCS vol 9056 pp 15-44 Springer Berlin Heidelberg
15 Inoue A Iwata T Minematsu K Poettering B Cryptanalysis of OCB2 At-tacks on Authenticity and Confidentiality In Boldyreva A Micciancio D (eds)CRYPTO 2019 LNCS vol 11692 Springer Cham
19
16 Iwata T Ohashi K Minematsu K Breaking and repairing GCM securityproofs In Safavi-Naini R Canetti R (eds) CRYPTO 2012 LNCS vol 7417pp 31ndash49 Springer Heidelberg (Aug 2012)
17 Joux A Comments on the Draft GCM Specification - Authentication Fail-ures in NIST Version of GCM httpcsrcnistgovgroupsSTtoolkitBCMdocumentscomments800-38Series-DraftsGCMJouxcommentspdf
18 Jutla C Encryption Modes with Almost Free Message Integrity In Pfitzmann B(Eds) EUROCRYPT 2001 LNCS 2045 pp 529-544 Springer
19 Leurent G Peyrin T Wang L New generic attacks against hash-based MACsIn Sako K Sarkar P (eds) ASIACRYPT 2013 Part II LNCS vol 8270 pp1ndash20 Springer Heidelberg (Dec 2013)
20 Leurent G Sibleyras F The missing difference problem and its applications tocounter mode encryption In Nielsen JB Rijmen V (eds) EUROCRYPT 2018Part II LNCS vol 10821 pp 745ndash770 Springer Heidelberg (Apr May 2018)
21 Liskov M Rivest RL Wagner D Tweakable Block Ciphers In Yung M (Eds)CRYPTO 2002 LNCS 2442 pp 31-46 Springer
22 Luykx A Preneel B Optimal forgeries against polynomial-based MACs andGCM In Nielsen JB Rijmen V (eds) EUROCRYPT 2018 Part I LNCS vol10820 pp 445ndash467 Springer Heidelberg (Apr May 2018)
23 McGrew D Viega J The Security and Performance of the GaloisCounter Mode(GCM) of Operation In Canteaut A Viswanathan K (eds) INDOCRYPT 2004LNCS vol 3348 pp 343-355 Springer Berlin Heidelberg
24 Minematsu K Iwata T Tweak-length extension for tweakable blockciphers InGroth J (ed) 15th IMA International Conference on Cryptography and CodingLNCS vol 9496 pp 77ndash93 Springer Heidelberg (Dec 2015)
25 Mitchell CJ On the security of XCBC TMAC and OMAC Technical Re-port RHUL-MA-2003-4 19 August 2003 Available at httpwwwrhulac
ukmathematicstechreports Also available from NISTrsquos web page at http
csrcnistgovCryptoToolkitmodescomments
26 Nandi M Bernstein bound on WCS is tight - repairing Luykx-Preneel optimalforgeries In Shacham H Boldyreva A (eds) CRYPTO 2018 Part II LNCSvol 10992 pp 213ndash238 Springer Heidelberg (Aug 2018)
27 Peyrin T Wang L Generic universal forgery attack on iterative hash-basedMACs In Nguyen PQ Oswald E (eds) EUROCRYPT 2014 LNCS vol 8441pp 147ndash164 Springer Heidelberg (May 2014)
28 Phan R CW Mini Advanced Encryption Standard (Mini-AES) A Testbed forCryptanalysis Students In Cryptologia XXVI (4) 2002 httpsstaffguilanacirstaffusersrebrahimifckeditor_repofilemini-aes-specpdf
29 Preneel B van Oorschot PC On the security of two MAC algorithms In Mau-rer UM (ed) EUROCRYPTrsquo96 LNCS vol 1070 pp 19ndash32 Springer Heidelberg(May 1996)
30 Rogaway P Bellare M Black J OCB A Block-Cipher Mode of Operation forEfficient Authenticated Encryption Transactions on Information and System Se-curity Vol 6 No 3 August 2003 pp 365-403
31 Rogaway P Shrimpton T A Provable-Security Treatment of the Key-WrapProblem In Vaudenay S (Eds) EUROCRYPT 2006 LNCS 4004 pp 373-390Springer
32 Shrimpton T Terashima RS A Modular Framework for Building Variable-Input-Length Tweakable Ciphers In Sako K Sarkar P (Eds) ASIACRYPT 2013 PartI LNCS 8269 pp 405ndash423 Springer
20
33 Sung J Hong D Lee S Key recovery attacks on the RMAC TMAC andIACBC In Safavi-Naini R Seberry J (eds) ACISP 03 LNCS vol 2727 pp265ndash273 Springer Heidelberg (Jul 2003)
34 Wegman MN Carter L New Hash Functions and Their Use in Authenticationand Set Equality Journal of Computer and System Sciences 22 265-279 (1981)
35 The CAESAR committee CAESAR Competition for Authenticated EncryptionSecurity Applicability and Robustness httpcompetitionscryptocaesarhtml
36 IEEE Standard for Local and Metropolitan Area Networks Media Access Control(MAC) Security IEEE Std 8021AE-2006 (2006)
37 Information Technology - Security Techniques - Authenticated EncryptionISOIEC 197722009 International Standard ISOIEC 19772 (2009)
38 NIST Lightweight Cryptography httpscsrcnistgovProjects
Lightweight-Cryptography
39 National Security Agency Internet Protocol Security (IPsec) Minimum EssentialInteroperability Requirements IPMEIR Version 100 Core (2010) httpwwwnsagoviaprogramssuitebcryptographyindexshtml
40 Sage Documentation SageMath Help httpwwwsagemathorg
21
- Universal Forgery Attack against GCM-RUP
- Yanbin Li Gaeumltan Leurent Meiqin Wang Wei Wang Guoyan Zhang Yu Liu
-
where (KL) isin KtimesL is the key N is the nonce space A is the associated dataspaceM is the message space N timesC is the ciphertext space and α isin 0 1τ issome pre-defined constant The construction is depicted in Fig 1 The proceduresof encryption decryption and verification are illustrated in Fig 1 (a) (b) and(c) respectively
The novelty of the generic construction is that the nonce is encrypted usingthe ciphertext as a tweak This provides security in the RUP setting becauseif an attacker modifies the ciphertext or the encrypted nonce the decryptionoracle will output a random plaintext The authentication security comes fromthe redundancy in the plaintext with the pre-defined constant α (known byboth sides) the length of α determines the security level In order to maintainsecurity up to the birthday bound on the block size the size of α and the noncesize are fixed to be the same as the block size n
32 GCM-RUP [2]
GCM-RUP is an instantiation of the generic construction using the counter mode(CTR) for encryption and the XTX construction [24] with GHASH for the tweak-able block cipher It reuses the component of GCM in order to benefit from theefficient implementations available while offering more robustness with securityin the RUP setting Before describing GCM-RUP itself we first define the prim-itives borrowed from GCM Let n denote the block length of the available blockcipher in this case n = 128
The first one is the universal hash function GHASH which takes a key H andtwo strings M and M prime as input (in GCM GHASH is used in the Wegman-Carterconstruction to build a MAC [34]) The core of GHASH is defined with a singlestring M constituted of full blocks and evaluates a polynomial defined from Mat H as follows
GHASHcoreH(M) =
|M |nminus1oplusi=0
M [i] middotH |M |nminusi (1)
The symbol ldquomiddotrdquo represents multiplication in the Galois field GF (2n) All thecomputations are performed by the rule of operations defined in finite fieldGHASH is defined from GHASHcore it takes two strings M and M prime as inputzero-pads and concatenates them and adds the binary representation of thelengths of M and M prime before processing the result through GHASHcore
GHASHH(MM prime) = GHASHcoreH(M0lowastnM prime0lowastnstrn2(|M |)strn2(|M prime|))
where the function strj(i) maps the integer i = ajminus12jminus1 + middot middot middot+ a12 + a0 lt 2j
to the j-bit string ajminus1 a1a0 Algorithm 1 describes the procedure of thefunction
The second important auxiliary function is the CTR mode Given a countervalue X a positive integer m and a predefined keyed function F as input thisfunction CTR[F ](Xm) outputs a string S with m blocks Each block of S is
7
N M
S C
α
(a) Encryption
S C
EL
EncK
DL
DecK
M
lsb|C|-τ
(b) Decryption
S C
DL
DecK
msbτ
(c) Verification
α
A
A A
Fig 1 Generic Construction with RUP Security
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
EncK1
EK2K3
G
In
Out
Fig 2 GCM-RUP (Figure from [2])
8
Algorithm 1 GHASHH(MM prime)
Input H isin 0 1n M isin 0 1len(2n2minus1) M prime isin 0 1len(2
n2minus1)
Output Y isin 0 1n1 X larrM0lowastnM prime0lowastnstrn2(|M |)strn2(|M prime|)2 X[1]X[2] X[x]
nlarrminus X3 Y larr 0n
4 for 1 le j le x do5 Y larr H middot (Y oplusX[j])6 end for7 return Y
computed by S[i] = F (incix(X)) where incx represents counter incrementationadding one modulo 2x to X with the convention that incix represents i successiveimplementations The CTR mode is defined in Algorithm 2
Algorithm 2 CTR[F ](Xm)
Input F 0 1x rarr 0 1n X isin 0 1x m isin NOutput S isin 0 1mn1 I larr X2 for 1 le j le m do3 S[j]larr F (I)4 I larr incx(I)5 end for6 S larr S[1]S[2] S[m]7 return S
Finally GCM-RUP uses three keys K1 is used for the CTR encryption andK2 and K3 are used for the TBC following the XTX construction (K2 is usedfor GHASH and K3 is used for the underlying block cipher call) GCM-RUPencrypts a message M together with its associated data A and a nonce N intoa ciphertext C and an encrypted nonce S The associated data the message andthe ciphertext are all seen as sequences of blocks of length n GCM-RUP followsthe generic construction given above and is described in Fig 2 with pseudocodein Algorithm 3 (with ε an empty string) In the figure EncK1
corresponds toCTR mode encryption and EK2K3
to the TBC
As an instantiation of the generic construction with RUP security GCM-RUPis secure under RUP setting More precisely GCM-RUP can provide security upto the birthday bound on the block size (because this is the security of theunderlying AE scheme and TBC)
9
Algorithm 3 GCM-RUPK1K2K3(NAM)
Input K1K2K3 isin 0 13n A isin 0 1n232
M isin 0 1n232
Output (SC) isin 0 1n times 0 1τ+|M|1 M larr 0τM2 Llarr EK1(0n)3 I larr GHASHL(εN)4 mlarr |M |n5 F larr EK1(msb96(I)middot)6 S larr CTR[F ](inc32(lsb32(I))m)7 C larrM oplusmsb|M|(S)8 Glarr GHASHK2(AC)9 S larr EK3(N oplusG)oplusG
10 return (SC)
4 Partial Authentication Key Recovery for GCM-RUP
Our analysis focuses on the GHASHK2function which can be written as a poly-
nomial in K2 In this section we analyze properties of GHASHK2 which are thenused to recover K2 After recovering K2 it is possible to perform a forgery attackfor GCM-RUP
The main property used in our attacks is that G the output of GHASHK2as
defined in Fig 2 is linearly dependent on the input (AC) for fixed K2 There-fore the output difference ∆G of values G emerging in encryption operationsof two input tuples (N1 AM) and (N2 AM) is independent of the value of(AM) and is only a function of N1 and N2
Based on this property we retrieve K2 with the following two steps
ndash For a fixed associated data and message we search for a pair of nonces(N1 N2) which produce a collision for the input of EK3
using a birthdayattack For such pair of nonces (N1 N2) ∆G = N1 oplusN2 = S1 oplus S2
ndash With a known∆G a polynomial equation inK2 is derived from the GHASHK2
definition Then K2 can be retrieved by solving this equation
In this section we will give the detailed description of the recovery of K2
41 Properties of GHASH
Let Π = (SEncSDecSVer) denote the scheme GCM-RUP We focus on thecomponent GHASHK2
with inputs the associated data A and the ciphertext CIn order to clearly describe the attack we rewrite GHASHK2
as
G = GHASHK2(AC) = GHASHcoreK2(ACstrn2(|A|)strn2(|C|))
According to the definition of GHASHcore given by Equation (1) G is linear inthe GHASHcore input (ACstrn2(|A|)strn2(|C|)) for a fixed K2 Thereforewe consider the difference ∆G in the output of GHASHK2
for a pair of inputs
10
Property 1 When processing a fixed associated data A and message M un-der two distinct nonces (N1 N2) with GCM-RUP the output difference ∆G ofGHASHK2 is only dependent on N1 and N2 but independent on A and M Thisalso holds for the input difference of EK3
Proof For two tuples (N1 AM) and (N2 AM) query SEnc and get
(S1 C1)larr GCM-RUP(N1 AM)
(S2 C2)larr GCM-RUP(N2 AM)
Let G1 and G2 represent the corresponding outputs of the function GHASHK2
in the encryptions under nonces N1 and N2 respectively
G1 = GHASHK2(AC1)
G2 = GHASHK2(AC2)
where
C1 = (0τM)oplus EncK1(N1)
C2 = (0τM)oplus EncK1(N2)
the function EncK1is defined in the upper dotted box in Fig 2 Hence
∆G = G1 oplusG2
= GHASHK2(AC1)oplus GHASHK2
(AC2)(2)
From the definition of GHASH we have
∆G = GHASHcoreK2
(AoplusAC1 oplus C2
(strn2(|A|)strn2(|C1|))oplus (strn2(|A|)strn2(|C2|)))
= GHASHcoreK2(0|A|∆C0n)
= GHASHcoreK2(0|A|EncK1
(N1)oplus EncK1(N2)0n)
(3)
which shows that the output difference of the function GHASHK2depend only
on N1 and N2 for two tuples (N1 AM) and (N2 AM) The input differenceof EK3
can be computed as
∆In = N1 oplusN2 oplus∆G= N1 oplusN2 oplus GHASHcoreK2(0|A|∆C0n)
(4)
so it is also independent of A and M 2
In particular if we can recover a value ∆G we can then extract K2 bysolving a polynomial equation given the ciphertext difference∆C and the outputdifference ∆G
∆G = GHASHcoreK2(0|A|∆C0n)
11
For simplicity we assume that |M | = n and τ = n this implies |C1| = |C2| = 2n
∆G = ∆C[0] middotK32 oplus∆C[1] middotK2
2
This a polynomial equation in K2 in the Galois field with 2128 elements Luckilythere are efficient algorithm to factor polynomials over finite fields For instancethe Cantor-Zassenhaus algorithm [5] requires O(n2(log(r) log(q) + n)) field op-erations to factor a degree-n polynomial with r irreducible factors over a fieldwith q elements In practice with the parameters used here this takes negligibletime using the implementation of SageMath [40]
42 Recovering K2 from Inner Collisions
As explained earlier the first step of the attack is to identify collisions in theinput of EK3 defined as In = N oplus G Following the analysis above we startwith a fixed associated data A and message M and query SEnc for q differentnonces to receive the corresponding encrypted nonces S and ciphertexts C
In order to simplify the description we focus on the value In and we considerthe function mapping NAM to In denoted as PEnc and represented by Fig 3The output values of PEnc can not be accessed by the attacker but collisions inPEnc can be detected As for In and the output Out of EK3
In = N oplusGOut = S oplusG
When the collisions happen ∆In = ∆Out = 0 which means
N1 oplusN2 oplusG1 oplusG2 = 0
S1 oplus S2 oplusG1 oplusG2 = 0
Thus N1 oplus N2 = S1 oplus S2 = ∆G If the collisions ∆N = ∆S can be detectedthe collisions in PEnc can be detected Meanwhile this type of collisions give outthe value of ∆G which can be used to recover K2 Moreover the correspondingpairs can be identified efficiently We just build a list of all nonces indexed byNi oplus Si sort the list and look for collisions each collision corresponds to a pairwith N1 oplus S1 = N2 oplus S2 ie N1 oplusN2 = S1 oplus S2 We now consider the converseand evaluate the probability of a collision in PEnc when N1 oplusN2 = S1 oplus S2
We formally define the two events as X and Y
ndash X (N1 oplusN2 = S1 oplus S2) the event identifying pairs of nonces (N1 N2) withthe input difference equal to the output difference of EK3
which is calledouter collision (equivalently it can be defined as ∆In = ∆Out)
ndash Y (∆In = 0) the event identifying pairs of nonces with collision in PEncie zero input difference for EK3
which is called inner collision
First we observe that Y sube X because if ∆In = 0 then ∆Out = 0 andN1 oplusN2 = S1 oplus S2 = ∆G Therefore we have
Pr[Y |X] =Pr[Y ]
Pr[X]
12
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GHA
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
G
In
PEnc
N A M
In
Fig 3 Representation of the Function PEnc
Moreover we have Pr[Y ] = 2minusn because the output of PEnc with a freshnonce is random assuming that E is a PRF In order to compute Pr[X] weconsider two cases depending on event Y
1 ∆In = 0 Then we have necessarily ∆Out = 0 ie Pr[X|∆In = 0] = 12 ∆In 6= 0 A pair with non-zero input difference must produce a non-zero
output difference Assuming that E is a PRF we have Pr[X|∆In 6= 0] =1
2nminus1
Therefore
Pr(X) =Pr[∆In = ∆Out]
=Pr[∆In = ∆Out|∆In = 0]times Pr[∆In = 0]+
Pr[∆In = ∆Out|∆In 6= 0]times Pr[∆In 6= 0]
=1times 1
2n+
1
2n minus 1times 2n minus 1
2n
=1
2nminus1
(5)
Finally we can conclude
Pr[∆In = 0|N1 oplusN2 = S1 oplus S2] =2minusn
2minusn+1=
1
2 (6)
Attack Procedure We can now give the detailed procedure to recover K2
1 Choose an arbitrary associated data A and a single-block message M thenquery SEnc for q different nonces N and receive the corresponding encrypted
13
nonces S and ciphertexts C save them in a table indexed by N oplus S Witha suitable value of q (in the order of 2n2) there are two pairs of nonces(N1 N2) satisfying N1 oplusN2 = S1 oplus S2 one of which is expected to furthersatisfy ∆In = 0
2 For each pair with N1 oplus N2 = S1 oplus S2 assuming that ∆In = 0 we have∆G = ∆S and we obtain a cubic polynomial equation with unknown variableK2 which can be solved with factoring tools
∆S = GHASHcoreK2(0|A|∆C0n) = ∆C[0] middotK32 oplus∆C[1] middotK2
2
3 Identify the correct candidate for K2 with forgery attempts
Using two pairs of nonces this attack suggests a small set of six key candi-dates The correct key can be identified with forgery attempts or by using morepairs and looking for a repeated key candidate
More precisely we will describe how to construct a forgery with known can-didate of K2 for GCM-RUP in Section 5 for a given message which can be usedto filter the correct K2 There would be two cases
ndash If the forgery is constructed under the correct candidate for K2 it can passthe verification algorithm of GCM-RUP
ndash If the forgery is constructed under the wrong candidate for K2 it will receivea failure of the verification of GCM-RUP
We only need to query the verification oracle SVer six times to identify thecorrect K2 The cost for this step is negligible
Complexity Estimation As already mentioned the probability of two ran-dom nonces N1 and N2 satisfying ∆In = 0 is 2minus128 Starting from a set of qqueries we can evaluate the probability p of finding an inner collision followingthe analysis of the birthday paradox
p 1minus eminusq2(2times2128)
Thus
q radic
2times 2128 ln1
1minus p
Table 1 shows number of nonces needed to achieve the given probability ofsuccess
43 Experimental Verification with Mini-GCM-RUP
In order to verify our attack theory we use a mini version of GCM-RUP con-structed with the 16-bit block cipher 4-round Mini-AES [28] to experimentallyrecover K2 This experiment identifies pairs of nonces in event X and Y from29 random nonces and recover K2 with SageMath We execute this experimentseveral times to give some results to show the validity of probabilities of eventX and Y in our paper the detail is listed in Table 2
In this table we see that probabilities of event X and Y conform to Equation(5) and (6) respectively The complexity of this experiment is dominated by 29
14
Table 1 Number of Nonces Needed to Achieve the Given Success Probability
Number of nonces to identify inner collision Probability of finding inner collision
263 11264 39265 86266 999
Table 2 Experimental Verification with Mini-GCM-RUP
(K1K2K3) Pair of nonces in X ∆In Pr(X) Pr(Y |X)
(0x3d0e0x2afc0x2e91)(0x27040x0889) 0 1
281
(0x76490x7b0d) 0
(0x4ef30x454b0x1e9a)
(0x23230x602d) 0
729
37
(0x11b70x2b2e) 0x0af7(0x7bab0x3a72) 0(0x12150x1e05) 0xa3b5(0x65930x093d) 0xbce8(0x09bd0x2db2) 0x03cf(0x7d350x5e97) 0
(0x53880x26410x7a4f)
(0x0ba90x46f5) 0x5393
328
12
(0x684d0x5786) 0(0x334c0x22e1) 0x0636(0x44870x13f0) 0(0x54130x03d8) 0(0x5a910x179f) 0x0c06
(0x56910x2ee90x5a68)(0x38740x7546) 0x3fcb 1
2812(0x44b00x4323) 0
15
5 Universal Forgery Attack of GCM-RUP
In this section we will construct forgeries for GCM-RUP given a candidate forK2 We consider a challenge message Mlowast (and possibly a challenge associateddata Alowast) and our goal is to construct a valid ciphertext for Mlowast
51 Almost Universal Forgery Attack
The first forgery attack makes only one query to the encryption oracle SEnc andthen constructs a forgery by solving an equation over GF (2128)
For an arbitrary nonce N associated data A and message M (with |M | =|Mlowast|) query (NAM) and receive the corresponding ciphertext (SC) LetG = GHASHK2
(AC) and the keystream used to XOR message is computed by
EncK1(N) = C oplus (0τM)
We create a valid encryption of Mlowast by reusing the same nonce N and the valuesG and S
First we compute Clowast corresponding to Mlowast
Clowast = 0τMlowast oplus EncK1(N)
= 0τMlowast oplus (C oplus 0τM)(7)
Then we construct Aprime such that
GHASHK2(Aprime Clowast) = GHASHK2
(AC)
where A C Clowast and K2 are known This gives a linear equation over GF (2128)which can easily be solved assuming that |Aprime| ge 128 and K2 6= 0
To summarize for any chosen message Mlowast we can give a successful forgery(AprimeMlowast Sprime C prime) satisfying (Sprime = SC prime = 0τMlowastoplus(Coplus0τM)) This is an almostuniversal forgery because we can choose Mlowast freely but not Aprime
52 Universal Forgery Attack
Alternatively we can design an attack where we choose both Alowast and Mlowast using2n2 queries First we make 2n2 queries (Ni AM) for fixed A and M with|M | = |Mlowast| and receive the corresponding (Si Ci) Since K2 is known we cancompute Gi = GHASH(ACi) and recover the corresponding inputs and outputsto EK3
EK3(Ni oplusGi) = Si oplusGi
Then we can use the same nonces Ni to build a forgery For each Ni webuild the corresponding C primei from Mlowast and Ci as above and we check whetherNioplusGHASH(Alowast C primei) is in the set of known inputs to EK3
With high probabilityone of the nonces will result in a match Ni oplus GHASH(Alowast C primei) = Nj oplus Gj andwe deduce a forgery using Sprime = Sj oplusGj oplus GHASH(Alowast C primei)
16
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
K4E
Fig 4 A Variant for GCM-RUP
17
6 Variant of GCM-RUP
Our forgery attack against GCM-RUP highlights a potential weakness on thestructure of GCM-RUP the output difference of the function GHASHK2
canbe recovered with birthday complexity and this leads to a recovery of K2 Inorder to prevent this attack we suggest to add a block cipher call in the TBCconstruction used in GCM-RUP as shown in Fig 4 to avoid leakage of theoutput difference of the function GHASHK2
This modified TBC still follows the XTX construction of Iwata and Mine-matsu [24] using universal hash function EK4
(GHASHK2(AC)) instead of the
original GHASHK2(AC) The new universal hash function has the same security
bounds but does not leak the key from an output difference Thus the securityproof of GCM-RUP is still applicable to this variant But we do not provide aformal security proof The extra block cipher has a limited impact on efficiencyand might offer better security by avoiding our attack
More generally the modified GHASH could replace GHASH in other designsIn particular the corresponding modification of GCM would prevent the uni-versal forgery attack with complexity 22n3 given in [20] We believe that thisconstruction is worth further study Further work will be needed to determinewhether this modification actually provides extra security and how much
7 Conclusion
This paper shows a birthday-bound attack against GCM-RUP [2] using innercollisions to recover the output difference of the function GHASHK2
Hence K2
can be retrieved by solving a polynomial equation and this directly leads toa universal forgery attack against GCM-RUP This forgery attack shows thatthe construction of GCM-RUP breaks drastically when the security bound isreached This is surprising because no such attack is known on GCM the bestknown universal forgery attack requires 22n3 operations
Finally a minor modification of GCM-RUP is suggested to prevent this kindof attack using an additional block cipher to protect the output of GHASHWith little performance loss this design focusing on GHASH can be applied toall GHASH-based designs
In a more general setting our attack technique can be applied to the LRWconstruction [21] with a polynomial universal hash function as used in OCB forinstance Actually the corresponding attack on OCB would match the previousattack by Ferguson [9]
8 Acknowledgement
This work was supported by the National Natural Science Foundation of Chinaunder Grant Nos 61572293 and 61602276 National Cryptography DevelopmentFoundation of China under Grant No MMJJ20170102 Major Scientific andTechnological Innovation Projects of Shandong Province China under Grant
18
No 2017CXGC0704 Natural Science Foundation of Shandong Province Chinaunder Grant No ZR2016FM22
References
1 Andreeva E Bogdanov A Luykx A Mennink B Mouha N Yasuda K How toSecurely Release Unverified Plaintext in Authenticated Encryption In Sarkar PIwata T (Eds) ASIACRYPT 2014 PART I LNCS 8873 pp 105ndash125 Springer
2 Ashur T Dunkelman O Luykx A Boosting Authenticated Encryption Robust-ness with Minimal Modifications In Katz J Shacham H (Eds) CRYPTO 2017Part III LNCS 10403 pp 3-33 Springer
3 Bellare M Namprempre C Authenticated Encryption Relations among Notionsand Analysis of the Generic Composition Paradigm In Okamoto T (Eds) ASI-ACRYPT 2000 LNCS 1976 pp 531ndash545 Springer
4 Bhargavan K Leurent G On the practical (in-)security of 64-bit block ciphersCollision attacks on HTTP over TLS and OpenVPN In Weippl ER Katzen-beisser S Kruegel C Myers AC Halevi S (eds) ACM CCS 2016 pp 456ndash467ACM Press (Oct 2016)
5 Cantor DG Zassenhaus H A new algorithm for factoring polynomials overfinite fields Mathematics of Computation pp 587ndash592 (1981)
6 Chaigneau C Gilbert H Is AEZ v41 sufficiently resilient against key-recoveryattacks IACR Trans Symm Cryptol 2016(1) 114ndash133 (2016) httptosc
iacrorgindexphpToSCarticleview538
7 Dierks T Allen C RFC 2246 - The TLS Protocol Version 10 Internet ActivitiesBoard (Jan 1999)
8 Dworkin M Recommendation for Block Cipher Modes of Operation Ga-loisCounter Mode (GCM) and GMAC National Institute of Standards and Tech-nology SP 800-38D November 2007
9 Ferguson N Collision attacks on OCB Comment to NIST (Feb 2002)
10 Fuhr T Leurent G Suder V Collision attacks against CAESAR candidates -forgery and key-recovery against AEZ and Marble In Iwata T Cheon JH (eds)ASIACRYPT 2015 Part II LNCS vol 9453 pp 510ndash532 Springer Heidelberg(Nov Dec 2015)
11 Gligor V Donescu P Fast Encryption and Authentication XCBC Encryptionand XECB Authentication Modes In Matsui M (Eds) FSE 2001 LNCS 2355pp 92-108 Springer
12 Gueron S Lindell Y GCM-SIV Full Nonce Misuse-Resistant Authenticated En-cryption at Under One Cycle per Byte In Ray I Li N Kruegel C (Eds) Pro-ceedings of the 22nd ACM SIGSAC Conference on Computer and CommunicationsSecurity Denver CO USA 12ndash16 October 2015 pp 109-119 ACM (2015)
13 Halevi S Rogaway P A Parallelizable Enciphering Mode In Okamoto T (Eds)CT-RSA 2004 LNCS 2964 pp 292ndash304 Springer
14 Hoang VT Krovetz T Rogaway P Robust Authenticated-Encryption AEZ andthe Problem That It Solves In Oswald E Fischlin M (eds) EUROCRYPT 2015LNCS vol 9056 pp 15-44 Springer Berlin Heidelberg
15 Inoue A Iwata T Minematsu K Poettering B Cryptanalysis of OCB2 At-tacks on Authenticity and Confidentiality In Boldyreva A Micciancio D (eds)CRYPTO 2019 LNCS vol 11692 Springer Cham
19
16 Iwata T Ohashi K Minematsu K Breaking and repairing GCM securityproofs In Safavi-Naini R Canetti R (eds) CRYPTO 2012 LNCS vol 7417pp 31ndash49 Springer Heidelberg (Aug 2012)
17 Joux A Comments on the Draft GCM Specification - Authentication Fail-ures in NIST Version of GCM httpcsrcnistgovgroupsSTtoolkitBCMdocumentscomments800-38Series-DraftsGCMJouxcommentspdf
18 Jutla C Encryption Modes with Almost Free Message Integrity In Pfitzmann B(Eds) EUROCRYPT 2001 LNCS 2045 pp 529-544 Springer
19 Leurent G Peyrin T Wang L New generic attacks against hash-based MACsIn Sako K Sarkar P (eds) ASIACRYPT 2013 Part II LNCS vol 8270 pp1ndash20 Springer Heidelberg (Dec 2013)
20 Leurent G Sibleyras F The missing difference problem and its applications tocounter mode encryption In Nielsen JB Rijmen V (eds) EUROCRYPT 2018Part II LNCS vol 10821 pp 745ndash770 Springer Heidelberg (Apr May 2018)
21 Liskov M Rivest RL Wagner D Tweakable Block Ciphers In Yung M (Eds)CRYPTO 2002 LNCS 2442 pp 31-46 Springer
22 Luykx A Preneel B Optimal forgeries against polynomial-based MACs andGCM In Nielsen JB Rijmen V (eds) EUROCRYPT 2018 Part I LNCS vol10820 pp 445ndash467 Springer Heidelberg (Apr May 2018)
23 McGrew D Viega J The Security and Performance of the GaloisCounter Mode(GCM) of Operation In Canteaut A Viswanathan K (eds) INDOCRYPT 2004LNCS vol 3348 pp 343-355 Springer Berlin Heidelberg
24 Minematsu K Iwata T Tweak-length extension for tweakable blockciphers InGroth J (ed) 15th IMA International Conference on Cryptography and CodingLNCS vol 9496 pp 77ndash93 Springer Heidelberg (Dec 2015)
25 Mitchell CJ On the security of XCBC TMAC and OMAC Technical Re-port RHUL-MA-2003-4 19 August 2003 Available at httpwwwrhulac
ukmathematicstechreports Also available from NISTrsquos web page at http
csrcnistgovCryptoToolkitmodescomments
26 Nandi M Bernstein bound on WCS is tight - repairing Luykx-Preneel optimalforgeries In Shacham H Boldyreva A (eds) CRYPTO 2018 Part II LNCSvol 10992 pp 213ndash238 Springer Heidelberg (Aug 2018)
27 Peyrin T Wang L Generic universal forgery attack on iterative hash-basedMACs In Nguyen PQ Oswald E (eds) EUROCRYPT 2014 LNCS vol 8441pp 147ndash164 Springer Heidelberg (May 2014)
28 Phan R CW Mini Advanced Encryption Standard (Mini-AES) A Testbed forCryptanalysis Students In Cryptologia XXVI (4) 2002 httpsstaffguilanacirstaffusersrebrahimifckeditor_repofilemini-aes-specpdf
29 Preneel B van Oorschot PC On the security of two MAC algorithms In Mau-rer UM (ed) EUROCRYPTrsquo96 LNCS vol 1070 pp 19ndash32 Springer Heidelberg(May 1996)
30 Rogaway P Bellare M Black J OCB A Block-Cipher Mode of Operation forEfficient Authenticated Encryption Transactions on Information and System Se-curity Vol 6 No 3 August 2003 pp 365-403
31 Rogaway P Shrimpton T A Provable-Security Treatment of the Key-WrapProblem In Vaudenay S (Eds) EUROCRYPT 2006 LNCS 4004 pp 373-390Springer
32 Shrimpton T Terashima RS A Modular Framework for Building Variable-Input-Length Tweakable Ciphers In Sako K Sarkar P (Eds) ASIACRYPT 2013 PartI LNCS 8269 pp 405ndash423 Springer
20
33 Sung J Hong D Lee S Key recovery attacks on the RMAC TMAC andIACBC In Safavi-Naini R Seberry J (eds) ACISP 03 LNCS vol 2727 pp265ndash273 Springer Heidelberg (Jul 2003)
34 Wegman MN Carter L New Hash Functions and Their Use in Authenticationand Set Equality Journal of Computer and System Sciences 22 265-279 (1981)
35 The CAESAR committee CAESAR Competition for Authenticated EncryptionSecurity Applicability and Robustness httpcompetitionscryptocaesarhtml
36 IEEE Standard for Local and Metropolitan Area Networks Media Access Control(MAC) Security IEEE Std 8021AE-2006 (2006)
37 Information Technology - Security Techniques - Authenticated EncryptionISOIEC 197722009 International Standard ISOIEC 19772 (2009)
38 NIST Lightweight Cryptography httpscsrcnistgovProjects
Lightweight-Cryptography
39 National Security Agency Internet Protocol Security (IPsec) Minimum EssentialInteroperability Requirements IPMEIR Version 100 Core (2010) httpwwwnsagoviaprogramssuitebcryptographyindexshtml
40 Sage Documentation SageMath Help httpwwwsagemathorg
21
- Universal Forgery Attack against GCM-RUP
- Yanbin Li Gaeumltan Leurent Meiqin Wang Wei Wang Guoyan Zhang Yu Liu
-
N M
S C
α
(a) Encryption
S C
EL
EncK
DL
DecK
M
lsb|C|-τ
(b) Decryption
S C
DL
DecK
msbτ
(c) Verification
α
A
A A
Fig 1 Generic Construction with RUP Security
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
EncK1
EK2K3
G
In
Out
Fig 2 GCM-RUP (Figure from [2])
8
Algorithm 1 GHASHH(MM prime)
Input H isin 0 1n M isin 0 1len(2n2minus1) M prime isin 0 1len(2
n2minus1)
Output Y isin 0 1n1 X larrM0lowastnM prime0lowastnstrn2(|M |)strn2(|M prime|)2 X[1]X[2] X[x]
nlarrminus X3 Y larr 0n
4 for 1 le j le x do5 Y larr H middot (Y oplusX[j])6 end for7 return Y
computed by S[i] = F (incix(X)) where incx represents counter incrementationadding one modulo 2x to X with the convention that incix represents i successiveimplementations The CTR mode is defined in Algorithm 2
Algorithm 2 CTR[F ](Xm)
Input F 0 1x rarr 0 1n X isin 0 1x m isin NOutput S isin 0 1mn1 I larr X2 for 1 le j le m do3 S[j]larr F (I)4 I larr incx(I)5 end for6 S larr S[1]S[2] S[m]7 return S
Finally GCM-RUP uses three keys K1 is used for the CTR encryption andK2 and K3 are used for the TBC following the XTX construction (K2 is usedfor GHASH and K3 is used for the underlying block cipher call) GCM-RUPencrypts a message M together with its associated data A and a nonce N intoa ciphertext C and an encrypted nonce S The associated data the message andthe ciphertext are all seen as sequences of blocks of length n GCM-RUP followsthe generic construction given above and is described in Fig 2 with pseudocodein Algorithm 3 (with ε an empty string) In the figure EncK1
corresponds toCTR mode encryption and EK2K3
to the TBC
As an instantiation of the generic construction with RUP security GCM-RUPis secure under RUP setting More precisely GCM-RUP can provide security upto the birthday bound on the block size (because this is the security of theunderlying AE scheme and TBC)
9
Algorithm 3 GCM-RUPK1K2K3(NAM)
Input K1K2K3 isin 0 13n A isin 0 1n232
M isin 0 1n232
Output (SC) isin 0 1n times 0 1τ+|M|1 M larr 0τM2 Llarr EK1(0n)3 I larr GHASHL(εN)4 mlarr |M |n5 F larr EK1(msb96(I)middot)6 S larr CTR[F ](inc32(lsb32(I))m)7 C larrM oplusmsb|M|(S)8 Glarr GHASHK2(AC)9 S larr EK3(N oplusG)oplusG
10 return (SC)
4 Partial Authentication Key Recovery for GCM-RUP
Our analysis focuses on the GHASHK2function which can be written as a poly-
nomial in K2 In this section we analyze properties of GHASHK2 which are thenused to recover K2 After recovering K2 it is possible to perform a forgery attackfor GCM-RUP
The main property used in our attacks is that G the output of GHASHK2as
defined in Fig 2 is linearly dependent on the input (AC) for fixed K2 There-fore the output difference ∆G of values G emerging in encryption operationsof two input tuples (N1 AM) and (N2 AM) is independent of the value of(AM) and is only a function of N1 and N2
Based on this property we retrieve K2 with the following two steps
ndash For a fixed associated data and message we search for a pair of nonces(N1 N2) which produce a collision for the input of EK3
using a birthdayattack For such pair of nonces (N1 N2) ∆G = N1 oplusN2 = S1 oplus S2
ndash With a known∆G a polynomial equation inK2 is derived from the GHASHK2
definition Then K2 can be retrieved by solving this equation
In this section we will give the detailed description of the recovery of K2
41 Properties of GHASH
Let Π = (SEncSDecSVer) denote the scheme GCM-RUP We focus on thecomponent GHASHK2
with inputs the associated data A and the ciphertext CIn order to clearly describe the attack we rewrite GHASHK2
as
G = GHASHK2(AC) = GHASHcoreK2(ACstrn2(|A|)strn2(|C|))
According to the definition of GHASHcore given by Equation (1) G is linear inthe GHASHcore input (ACstrn2(|A|)strn2(|C|)) for a fixed K2 Thereforewe consider the difference ∆G in the output of GHASHK2
for a pair of inputs
10
Property 1 When processing a fixed associated data A and message M un-der two distinct nonces (N1 N2) with GCM-RUP the output difference ∆G ofGHASHK2 is only dependent on N1 and N2 but independent on A and M Thisalso holds for the input difference of EK3
Proof For two tuples (N1 AM) and (N2 AM) query SEnc and get
(S1 C1)larr GCM-RUP(N1 AM)
(S2 C2)larr GCM-RUP(N2 AM)
Let G1 and G2 represent the corresponding outputs of the function GHASHK2
in the encryptions under nonces N1 and N2 respectively
G1 = GHASHK2(AC1)
G2 = GHASHK2(AC2)
where
C1 = (0τM)oplus EncK1(N1)
C2 = (0τM)oplus EncK1(N2)
the function EncK1is defined in the upper dotted box in Fig 2 Hence
∆G = G1 oplusG2
= GHASHK2(AC1)oplus GHASHK2
(AC2)(2)
From the definition of GHASH we have
∆G = GHASHcoreK2
(AoplusAC1 oplus C2
(strn2(|A|)strn2(|C1|))oplus (strn2(|A|)strn2(|C2|)))
= GHASHcoreK2(0|A|∆C0n)
= GHASHcoreK2(0|A|EncK1
(N1)oplus EncK1(N2)0n)
(3)
which shows that the output difference of the function GHASHK2depend only
on N1 and N2 for two tuples (N1 AM) and (N2 AM) The input differenceof EK3
can be computed as
∆In = N1 oplusN2 oplus∆G= N1 oplusN2 oplus GHASHcoreK2(0|A|∆C0n)
(4)
so it is also independent of A and M 2
In particular if we can recover a value ∆G we can then extract K2 bysolving a polynomial equation given the ciphertext difference∆C and the outputdifference ∆G
∆G = GHASHcoreK2(0|A|∆C0n)
11
For simplicity we assume that |M | = n and τ = n this implies |C1| = |C2| = 2n
∆G = ∆C[0] middotK32 oplus∆C[1] middotK2
2
This a polynomial equation in K2 in the Galois field with 2128 elements Luckilythere are efficient algorithm to factor polynomials over finite fields For instancethe Cantor-Zassenhaus algorithm [5] requires O(n2(log(r) log(q) + n)) field op-erations to factor a degree-n polynomial with r irreducible factors over a fieldwith q elements In practice with the parameters used here this takes negligibletime using the implementation of SageMath [40]
42 Recovering K2 from Inner Collisions
As explained earlier the first step of the attack is to identify collisions in theinput of EK3 defined as In = N oplus G Following the analysis above we startwith a fixed associated data A and message M and query SEnc for q differentnonces to receive the corresponding encrypted nonces S and ciphertexts C
In order to simplify the description we focus on the value In and we considerthe function mapping NAM to In denoted as PEnc and represented by Fig 3The output values of PEnc can not be accessed by the attacker but collisions inPEnc can be detected As for In and the output Out of EK3
In = N oplusGOut = S oplusG
When the collisions happen ∆In = ∆Out = 0 which means
N1 oplusN2 oplusG1 oplusG2 = 0
S1 oplus S2 oplusG1 oplusG2 = 0
Thus N1 oplus N2 = S1 oplus S2 = ∆G If the collisions ∆N = ∆S can be detectedthe collisions in PEnc can be detected Meanwhile this type of collisions give outthe value of ∆G which can be used to recover K2 Moreover the correspondingpairs can be identified efficiently We just build a list of all nonces indexed byNi oplus Si sort the list and look for collisions each collision corresponds to a pairwith N1 oplus S1 = N2 oplus S2 ie N1 oplusN2 = S1 oplus S2 We now consider the converseand evaluate the probability of a collision in PEnc when N1 oplusN2 = S1 oplus S2
We formally define the two events as X and Y
ndash X (N1 oplusN2 = S1 oplus S2) the event identifying pairs of nonces (N1 N2) withthe input difference equal to the output difference of EK3
which is calledouter collision (equivalently it can be defined as ∆In = ∆Out)
ndash Y (∆In = 0) the event identifying pairs of nonces with collision in PEncie zero input difference for EK3
which is called inner collision
First we observe that Y sube X because if ∆In = 0 then ∆Out = 0 andN1 oplusN2 = S1 oplus S2 = ∆G Therefore we have
Pr[Y |X] =Pr[Y ]
Pr[X]
12
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GHA
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
G
In
PEnc
N A M
In
Fig 3 Representation of the Function PEnc
Moreover we have Pr[Y ] = 2minusn because the output of PEnc with a freshnonce is random assuming that E is a PRF In order to compute Pr[X] weconsider two cases depending on event Y
1 ∆In = 0 Then we have necessarily ∆Out = 0 ie Pr[X|∆In = 0] = 12 ∆In 6= 0 A pair with non-zero input difference must produce a non-zero
output difference Assuming that E is a PRF we have Pr[X|∆In 6= 0] =1
2nminus1
Therefore
Pr(X) =Pr[∆In = ∆Out]
=Pr[∆In = ∆Out|∆In = 0]times Pr[∆In = 0]+
Pr[∆In = ∆Out|∆In 6= 0]times Pr[∆In 6= 0]
=1times 1
2n+
1
2n minus 1times 2n minus 1
2n
=1
2nminus1
(5)
Finally we can conclude
Pr[∆In = 0|N1 oplusN2 = S1 oplus S2] =2minusn
2minusn+1=
1
2 (6)
Attack Procedure We can now give the detailed procedure to recover K2
1 Choose an arbitrary associated data A and a single-block message M thenquery SEnc for q different nonces N and receive the corresponding encrypted
13
nonces S and ciphertexts C save them in a table indexed by N oplus S Witha suitable value of q (in the order of 2n2) there are two pairs of nonces(N1 N2) satisfying N1 oplusN2 = S1 oplus S2 one of which is expected to furthersatisfy ∆In = 0
2 For each pair with N1 oplus N2 = S1 oplus S2 assuming that ∆In = 0 we have∆G = ∆S and we obtain a cubic polynomial equation with unknown variableK2 which can be solved with factoring tools
∆S = GHASHcoreK2(0|A|∆C0n) = ∆C[0] middotK32 oplus∆C[1] middotK2
2
3 Identify the correct candidate for K2 with forgery attempts
Using two pairs of nonces this attack suggests a small set of six key candi-dates The correct key can be identified with forgery attempts or by using morepairs and looking for a repeated key candidate
More precisely we will describe how to construct a forgery with known can-didate of K2 for GCM-RUP in Section 5 for a given message which can be usedto filter the correct K2 There would be two cases
ndash If the forgery is constructed under the correct candidate for K2 it can passthe verification algorithm of GCM-RUP
ndash If the forgery is constructed under the wrong candidate for K2 it will receivea failure of the verification of GCM-RUP
We only need to query the verification oracle SVer six times to identify thecorrect K2 The cost for this step is negligible
Complexity Estimation As already mentioned the probability of two ran-dom nonces N1 and N2 satisfying ∆In = 0 is 2minus128 Starting from a set of qqueries we can evaluate the probability p of finding an inner collision followingthe analysis of the birthday paradox
p 1minus eminusq2(2times2128)
Thus
q radic
2times 2128 ln1
1minus p
Table 1 shows number of nonces needed to achieve the given probability ofsuccess
43 Experimental Verification with Mini-GCM-RUP
In order to verify our attack theory we use a mini version of GCM-RUP con-structed with the 16-bit block cipher 4-round Mini-AES [28] to experimentallyrecover K2 This experiment identifies pairs of nonces in event X and Y from29 random nonces and recover K2 with SageMath We execute this experimentseveral times to give some results to show the validity of probabilities of eventX and Y in our paper the detail is listed in Table 2
In this table we see that probabilities of event X and Y conform to Equation(5) and (6) respectively The complexity of this experiment is dominated by 29
14
Table 1 Number of Nonces Needed to Achieve the Given Success Probability
Number of nonces to identify inner collision Probability of finding inner collision
263 11264 39265 86266 999
Table 2 Experimental Verification with Mini-GCM-RUP
(K1K2K3) Pair of nonces in X ∆In Pr(X) Pr(Y |X)
(0x3d0e0x2afc0x2e91)(0x27040x0889) 0 1
281
(0x76490x7b0d) 0
(0x4ef30x454b0x1e9a)
(0x23230x602d) 0
729
37
(0x11b70x2b2e) 0x0af7(0x7bab0x3a72) 0(0x12150x1e05) 0xa3b5(0x65930x093d) 0xbce8(0x09bd0x2db2) 0x03cf(0x7d350x5e97) 0
(0x53880x26410x7a4f)
(0x0ba90x46f5) 0x5393
328
12
(0x684d0x5786) 0(0x334c0x22e1) 0x0636(0x44870x13f0) 0(0x54130x03d8) 0(0x5a910x179f) 0x0c06
(0x56910x2ee90x5a68)(0x38740x7546) 0x3fcb 1
2812(0x44b00x4323) 0
15
5 Universal Forgery Attack of GCM-RUP
In this section we will construct forgeries for GCM-RUP given a candidate forK2 We consider a challenge message Mlowast (and possibly a challenge associateddata Alowast) and our goal is to construct a valid ciphertext for Mlowast
51 Almost Universal Forgery Attack
The first forgery attack makes only one query to the encryption oracle SEnc andthen constructs a forgery by solving an equation over GF (2128)
For an arbitrary nonce N associated data A and message M (with |M | =|Mlowast|) query (NAM) and receive the corresponding ciphertext (SC) LetG = GHASHK2
(AC) and the keystream used to XOR message is computed by
EncK1(N) = C oplus (0τM)
We create a valid encryption of Mlowast by reusing the same nonce N and the valuesG and S
First we compute Clowast corresponding to Mlowast
Clowast = 0τMlowast oplus EncK1(N)
= 0τMlowast oplus (C oplus 0τM)(7)
Then we construct Aprime such that
GHASHK2(Aprime Clowast) = GHASHK2
(AC)
where A C Clowast and K2 are known This gives a linear equation over GF (2128)which can easily be solved assuming that |Aprime| ge 128 and K2 6= 0
To summarize for any chosen message Mlowast we can give a successful forgery(AprimeMlowast Sprime C prime) satisfying (Sprime = SC prime = 0τMlowastoplus(Coplus0τM)) This is an almostuniversal forgery because we can choose Mlowast freely but not Aprime
52 Universal Forgery Attack
Alternatively we can design an attack where we choose both Alowast and Mlowast using2n2 queries First we make 2n2 queries (Ni AM) for fixed A and M with|M | = |Mlowast| and receive the corresponding (Si Ci) Since K2 is known we cancompute Gi = GHASH(ACi) and recover the corresponding inputs and outputsto EK3
EK3(Ni oplusGi) = Si oplusGi
Then we can use the same nonces Ni to build a forgery For each Ni webuild the corresponding C primei from Mlowast and Ci as above and we check whetherNioplusGHASH(Alowast C primei) is in the set of known inputs to EK3
With high probabilityone of the nonces will result in a match Ni oplus GHASH(Alowast C primei) = Nj oplus Gj andwe deduce a forgery using Sprime = Sj oplusGj oplus GHASH(Alowast C primei)
16
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
K4E
Fig 4 A Variant for GCM-RUP
17
6 Variant of GCM-RUP
Our forgery attack against GCM-RUP highlights a potential weakness on thestructure of GCM-RUP the output difference of the function GHASHK2
canbe recovered with birthday complexity and this leads to a recovery of K2 Inorder to prevent this attack we suggest to add a block cipher call in the TBCconstruction used in GCM-RUP as shown in Fig 4 to avoid leakage of theoutput difference of the function GHASHK2
This modified TBC still follows the XTX construction of Iwata and Mine-matsu [24] using universal hash function EK4
(GHASHK2(AC)) instead of the
original GHASHK2(AC) The new universal hash function has the same security
bounds but does not leak the key from an output difference Thus the securityproof of GCM-RUP is still applicable to this variant But we do not provide aformal security proof The extra block cipher has a limited impact on efficiencyand might offer better security by avoiding our attack
More generally the modified GHASH could replace GHASH in other designsIn particular the corresponding modification of GCM would prevent the uni-versal forgery attack with complexity 22n3 given in [20] We believe that thisconstruction is worth further study Further work will be needed to determinewhether this modification actually provides extra security and how much
7 Conclusion
This paper shows a birthday-bound attack against GCM-RUP [2] using innercollisions to recover the output difference of the function GHASHK2
Hence K2
can be retrieved by solving a polynomial equation and this directly leads toa universal forgery attack against GCM-RUP This forgery attack shows thatthe construction of GCM-RUP breaks drastically when the security bound isreached This is surprising because no such attack is known on GCM the bestknown universal forgery attack requires 22n3 operations
Finally a minor modification of GCM-RUP is suggested to prevent this kindof attack using an additional block cipher to protect the output of GHASHWith little performance loss this design focusing on GHASH can be applied toall GHASH-based designs
In a more general setting our attack technique can be applied to the LRWconstruction [21] with a polynomial universal hash function as used in OCB forinstance Actually the corresponding attack on OCB would match the previousattack by Ferguson [9]
8 Acknowledgement
This work was supported by the National Natural Science Foundation of Chinaunder Grant Nos 61572293 and 61602276 National Cryptography DevelopmentFoundation of China under Grant No MMJJ20170102 Major Scientific andTechnological Innovation Projects of Shandong Province China under Grant
18
No 2017CXGC0704 Natural Science Foundation of Shandong Province Chinaunder Grant No ZR2016FM22
References
1 Andreeva E Bogdanov A Luykx A Mennink B Mouha N Yasuda K How toSecurely Release Unverified Plaintext in Authenticated Encryption In Sarkar PIwata T (Eds) ASIACRYPT 2014 PART I LNCS 8873 pp 105ndash125 Springer
2 Ashur T Dunkelman O Luykx A Boosting Authenticated Encryption Robust-ness with Minimal Modifications In Katz J Shacham H (Eds) CRYPTO 2017Part III LNCS 10403 pp 3-33 Springer
3 Bellare M Namprempre C Authenticated Encryption Relations among Notionsand Analysis of the Generic Composition Paradigm In Okamoto T (Eds) ASI-ACRYPT 2000 LNCS 1976 pp 531ndash545 Springer
4 Bhargavan K Leurent G On the practical (in-)security of 64-bit block ciphersCollision attacks on HTTP over TLS and OpenVPN In Weippl ER Katzen-beisser S Kruegel C Myers AC Halevi S (eds) ACM CCS 2016 pp 456ndash467ACM Press (Oct 2016)
5 Cantor DG Zassenhaus H A new algorithm for factoring polynomials overfinite fields Mathematics of Computation pp 587ndash592 (1981)
6 Chaigneau C Gilbert H Is AEZ v41 sufficiently resilient against key-recoveryattacks IACR Trans Symm Cryptol 2016(1) 114ndash133 (2016) httptosc
iacrorgindexphpToSCarticleview538
7 Dierks T Allen C RFC 2246 - The TLS Protocol Version 10 Internet ActivitiesBoard (Jan 1999)
8 Dworkin M Recommendation for Block Cipher Modes of Operation Ga-loisCounter Mode (GCM) and GMAC National Institute of Standards and Tech-nology SP 800-38D November 2007
9 Ferguson N Collision attacks on OCB Comment to NIST (Feb 2002)
10 Fuhr T Leurent G Suder V Collision attacks against CAESAR candidates -forgery and key-recovery against AEZ and Marble In Iwata T Cheon JH (eds)ASIACRYPT 2015 Part II LNCS vol 9453 pp 510ndash532 Springer Heidelberg(Nov Dec 2015)
11 Gligor V Donescu P Fast Encryption and Authentication XCBC Encryptionand XECB Authentication Modes In Matsui M (Eds) FSE 2001 LNCS 2355pp 92-108 Springer
12 Gueron S Lindell Y GCM-SIV Full Nonce Misuse-Resistant Authenticated En-cryption at Under One Cycle per Byte In Ray I Li N Kruegel C (Eds) Pro-ceedings of the 22nd ACM SIGSAC Conference on Computer and CommunicationsSecurity Denver CO USA 12ndash16 October 2015 pp 109-119 ACM (2015)
13 Halevi S Rogaway P A Parallelizable Enciphering Mode In Okamoto T (Eds)CT-RSA 2004 LNCS 2964 pp 292ndash304 Springer
14 Hoang VT Krovetz T Rogaway P Robust Authenticated-Encryption AEZ andthe Problem That It Solves In Oswald E Fischlin M (eds) EUROCRYPT 2015LNCS vol 9056 pp 15-44 Springer Berlin Heidelberg
15 Inoue A Iwata T Minematsu K Poettering B Cryptanalysis of OCB2 At-tacks on Authenticity and Confidentiality In Boldyreva A Micciancio D (eds)CRYPTO 2019 LNCS vol 11692 Springer Cham
19
16 Iwata T Ohashi K Minematsu K Breaking and repairing GCM securityproofs In Safavi-Naini R Canetti R (eds) CRYPTO 2012 LNCS vol 7417pp 31ndash49 Springer Heidelberg (Aug 2012)
17 Joux A Comments on the Draft GCM Specification - Authentication Fail-ures in NIST Version of GCM httpcsrcnistgovgroupsSTtoolkitBCMdocumentscomments800-38Series-DraftsGCMJouxcommentspdf
18 Jutla C Encryption Modes with Almost Free Message Integrity In Pfitzmann B(Eds) EUROCRYPT 2001 LNCS 2045 pp 529-544 Springer
19 Leurent G Peyrin T Wang L New generic attacks against hash-based MACsIn Sako K Sarkar P (eds) ASIACRYPT 2013 Part II LNCS vol 8270 pp1ndash20 Springer Heidelberg (Dec 2013)
20 Leurent G Sibleyras F The missing difference problem and its applications tocounter mode encryption In Nielsen JB Rijmen V (eds) EUROCRYPT 2018Part II LNCS vol 10821 pp 745ndash770 Springer Heidelberg (Apr May 2018)
21 Liskov M Rivest RL Wagner D Tweakable Block Ciphers In Yung M (Eds)CRYPTO 2002 LNCS 2442 pp 31-46 Springer
22 Luykx A Preneel B Optimal forgeries against polynomial-based MACs andGCM In Nielsen JB Rijmen V (eds) EUROCRYPT 2018 Part I LNCS vol10820 pp 445ndash467 Springer Heidelberg (Apr May 2018)
23 McGrew D Viega J The Security and Performance of the GaloisCounter Mode(GCM) of Operation In Canteaut A Viswanathan K (eds) INDOCRYPT 2004LNCS vol 3348 pp 343-355 Springer Berlin Heidelberg
24 Minematsu K Iwata T Tweak-length extension for tweakable blockciphers InGroth J (ed) 15th IMA International Conference on Cryptography and CodingLNCS vol 9496 pp 77ndash93 Springer Heidelberg (Dec 2015)
25 Mitchell CJ On the security of XCBC TMAC and OMAC Technical Re-port RHUL-MA-2003-4 19 August 2003 Available at httpwwwrhulac
ukmathematicstechreports Also available from NISTrsquos web page at http
csrcnistgovCryptoToolkitmodescomments
26 Nandi M Bernstein bound on WCS is tight - repairing Luykx-Preneel optimalforgeries In Shacham H Boldyreva A (eds) CRYPTO 2018 Part II LNCSvol 10992 pp 213ndash238 Springer Heidelberg (Aug 2018)
27 Peyrin T Wang L Generic universal forgery attack on iterative hash-basedMACs In Nguyen PQ Oswald E (eds) EUROCRYPT 2014 LNCS vol 8441pp 147ndash164 Springer Heidelberg (May 2014)
28 Phan R CW Mini Advanced Encryption Standard (Mini-AES) A Testbed forCryptanalysis Students In Cryptologia XXVI (4) 2002 httpsstaffguilanacirstaffusersrebrahimifckeditor_repofilemini-aes-specpdf
29 Preneel B van Oorschot PC On the security of two MAC algorithms In Mau-rer UM (ed) EUROCRYPTrsquo96 LNCS vol 1070 pp 19ndash32 Springer Heidelberg(May 1996)
30 Rogaway P Bellare M Black J OCB A Block-Cipher Mode of Operation forEfficient Authenticated Encryption Transactions on Information and System Se-curity Vol 6 No 3 August 2003 pp 365-403
31 Rogaway P Shrimpton T A Provable-Security Treatment of the Key-WrapProblem In Vaudenay S (Eds) EUROCRYPT 2006 LNCS 4004 pp 373-390Springer
32 Shrimpton T Terashima RS A Modular Framework for Building Variable-Input-Length Tweakable Ciphers In Sako K Sarkar P (Eds) ASIACRYPT 2013 PartI LNCS 8269 pp 405ndash423 Springer
20
33 Sung J Hong D Lee S Key recovery attacks on the RMAC TMAC andIACBC In Safavi-Naini R Seberry J (eds) ACISP 03 LNCS vol 2727 pp265ndash273 Springer Heidelberg (Jul 2003)
34 Wegman MN Carter L New Hash Functions and Their Use in Authenticationand Set Equality Journal of Computer and System Sciences 22 265-279 (1981)
35 The CAESAR committee CAESAR Competition for Authenticated EncryptionSecurity Applicability and Robustness httpcompetitionscryptocaesarhtml
36 IEEE Standard for Local and Metropolitan Area Networks Media Access Control(MAC) Security IEEE Std 8021AE-2006 (2006)
37 Information Technology - Security Techniques - Authenticated EncryptionISOIEC 197722009 International Standard ISOIEC 19772 (2009)
38 NIST Lightweight Cryptography httpscsrcnistgovProjects
Lightweight-Cryptography
39 National Security Agency Internet Protocol Security (IPsec) Minimum EssentialInteroperability Requirements IPMEIR Version 100 Core (2010) httpwwwnsagoviaprogramssuitebcryptographyindexshtml
40 Sage Documentation SageMath Help httpwwwsagemathorg
21
- Universal Forgery Attack against GCM-RUP
- Yanbin Li Gaeumltan Leurent Meiqin Wang Wei Wang Guoyan Zhang Yu Liu
-
Algorithm 1 GHASHH(MM prime)
Input H isin 0 1n M isin 0 1len(2n2minus1) M prime isin 0 1len(2
n2minus1)
Output Y isin 0 1n1 X larrM0lowastnM prime0lowastnstrn2(|M |)strn2(|M prime|)2 X[1]X[2] X[x]
nlarrminus X3 Y larr 0n
4 for 1 le j le x do5 Y larr H middot (Y oplusX[j])6 end for7 return Y
computed by S[i] = F (incix(X)) where incx represents counter incrementationadding one modulo 2x to X with the convention that incix represents i successiveimplementations The CTR mode is defined in Algorithm 2
Algorithm 2 CTR[F ](Xm)
Input F 0 1x rarr 0 1n X isin 0 1x m isin NOutput S isin 0 1mn1 I larr X2 for 1 le j le m do3 S[j]larr F (I)4 I larr incx(I)5 end for6 S larr S[1]S[2] S[m]7 return S
Finally GCM-RUP uses three keys K1 is used for the CTR encryption andK2 and K3 are used for the TBC following the XTX construction (K2 is usedfor GHASH and K3 is used for the underlying block cipher call) GCM-RUPencrypts a message M together with its associated data A and a nonce N intoa ciphertext C and an encrypted nonce S The associated data the message andthe ciphertext are all seen as sequences of blocks of length n GCM-RUP followsthe generic construction given above and is described in Fig 2 with pseudocodein Algorithm 3 (with ε an empty string) In the figure EncK1
corresponds toCTR mode encryption and EK2K3
to the TBC
As an instantiation of the generic construction with RUP security GCM-RUPis secure under RUP setting More precisely GCM-RUP can provide security upto the birthday bound on the block size (because this is the security of theunderlying AE scheme and TBC)
9
Algorithm 3 GCM-RUPK1K2K3(NAM)
Input K1K2K3 isin 0 13n A isin 0 1n232
M isin 0 1n232
Output (SC) isin 0 1n times 0 1τ+|M|1 M larr 0τM2 Llarr EK1(0n)3 I larr GHASHL(εN)4 mlarr |M |n5 F larr EK1(msb96(I)middot)6 S larr CTR[F ](inc32(lsb32(I))m)7 C larrM oplusmsb|M|(S)8 Glarr GHASHK2(AC)9 S larr EK3(N oplusG)oplusG
10 return (SC)
4 Partial Authentication Key Recovery for GCM-RUP
Our analysis focuses on the GHASHK2function which can be written as a poly-
nomial in K2 In this section we analyze properties of GHASHK2 which are thenused to recover K2 After recovering K2 it is possible to perform a forgery attackfor GCM-RUP
The main property used in our attacks is that G the output of GHASHK2as
defined in Fig 2 is linearly dependent on the input (AC) for fixed K2 There-fore the output difference ∆G of values G emerging in encryption operationsof two input tuples (N1 AM) and (N2 AM) is independent of the value of(AM) and is only a function of N1 and N2
Based on this property we retrieve K2 with the following two steps
ndash For a fixed associated data and message we search for a pair of nonces(N1 N2) which produce a collision for the input of EK3
using a birthdayattack For such pair of nonces (N1 N2) ∆G = N1 oplusN2 = S1 oplus S2
ndash With a known∆G a polynomial equation inK2 is derived from the GHASHK2
definition Then K2 can be retrieved by solving this equation
In this section we will give the detailed description of the recovery of K2
41 Properties of GHASH
Let Π = (SEncSDecSVer) denote the scheme GCM-RUP We focus on thecomponent GHASHK2
with inputs the associated data A and the ciphertext CIn order to clearly describe the attack we rewrite GHASHK2
as
G = GHASHK2(AC) = GHASHcoreK2(ACstrn2(|A|)strn2(|C|))
According to the definition of GHASHcore given by Equation (1) G is linear inthe GHASHcore input (ACstrn2(|A|)strn2(|C|)) for a fixed K2 Thereforewe consider the difference ∆G in the output of GHASHK2
for a pair of inputs
10
Property 1 When processing a fixed associated data A and message M un-der two distinct nonces (N1 N2) with GCM-RUP the output difference ∆G ofGHASHK2 is only dependent on N1 and N2 but independent on A and M Thisalso holds for the input difference of EK3
Proof For two tuples (N1 AM) and (N2 AM) query SEnc and get
(S1 C1)larr GCM-RUP(N1 AM)
(S2 C2)larr GCM-RUP(N2 AM)
Let G1 and G2 represent the corresponding outputs of the function GHASHK2
in the encryptions under nonces N1 and N2 respectively
G1 = GHASHK2(AC1)
G2 = GHASHK2(AC2)
where
C1 = (0τM)oplus EncK1(N1)
C2 = (0τM)oplus EncK1(N2)
the function EncK1is defined in the upper dotted box in Fig 2 Hence
∆G = G1 oplusG2
= GHASHK2(AC1)oplus GHASHK2
(AC2)(2)
From the definition of GHASH we have
∆G = GHASHcoreK2
(AoplusAC1 oplus C2
(strn2(|A|)strn2(|C1|))oplus (strn2(|A|)strn2(|C2|)))
= GHASHcoreK2(0|A|∆C0n)
= GHASHcoreK2(0|A|EncK1
(N1)oplus EncK1(N2)0n)
(3)
which shows that the output difference of the function GHASHK2depend only
on N1 and N2 for two tuples (N1 AM) and (N2 AM) The input differenceof EK3
can be computed as
∆In = N1 oplusN2 oplus∆G= N1 oplusN2 oplus GHASHcoreK2(0|A|∆C0n)
(4)
so it is also independent of A and M 2
In particular if we can recover a value ∆G we can then extract K2 bysolving a polynomial equation given the ciphertext difference∆C and the outputdifference ∆G
∆G = GHASHcoreK2(0|A|∆C0n)
11
For simplicity we assume that |M | = n and τ = n this implies |C1| = |C2| = 2n
∆G = ∆C[0] middotK32 oplus∆C[1] middotK2
2
This a polynomial equation in K2 in the Galois field with 2128 elements Luckilythere are efficient algorithm to factor polynomials over finite fields For instancethe Cantor-Zassenhaus algorithm [5] requires O(n2(log(r) log(q) + n)) field op-erations to factor a degree-n polynomial with r irreducible factors over a fieldwith q elements In practice with the parameters used here this takes negligibletime using the implementation of SageMath [40]
42 Recovering K2 from Inner Collisions
As explained earlier the first step of the attack is to identify collisions in theinput of EK3 defined as In = N oplus G Following the analysis above we startwith a fixed associated data A and message M and query SEnc for q differentnonces to receive the corresponding encrypted nonces S and ciphertexts C
In order to simplify the description we focus on the value In and we considerthe function mapping NAM to In denoted as PEnc and represented by Fig 3The output values of PEnc can not be accessed by the attacker but collisions inPEnc can be detected As for In and the output Out of EK3
In = N oplusGOut = S oplusG
When the collisions happen ∆In = ∆Out = 0 which means
N1 oplusN2 oplusG1 oplusG2 = 0
S1 oplus S2 oplusG1 oplusG2 = 0
Thus N1 oplus N2 = S1 oplus S2 = ∆G If the collisions ∆N = ∆S can be detectedthe collisions in PEnc can be detected Meanwhile this type of collisions give outthe value of ∆G which can be used to recover K2 Moreover the correspondingpairs can be identified efficiently We just build a list of all nonces indexed byNi oplus Si sort the list and look for collisions each collision corresponds to a pairwith N1 oplus S1 = N2 oplus S2 ie N1 oplusN2 = S1 oplus S2 We now consider the converseand evaluate the probability of a collision in PEnc when N1 oplusN2 = S1 oplus S2
We formally define the two events as X and Y
ndash X (N1 oplusN2 = S1 oplus S2) the event identifying pairs of nonces (N1 N2) withthe input difference equal to the output difference of EK3
which is calledouter collision (equivalently it can be defined as ∆In = ∆Out)
ndash Y (∆In = 0) the event identifying pairs of nonces with collision in PEncie zero input difference for EK3
which is called inner collision
First we observe that Y sube X because if ∆In = 0 then ∆Out = 0 andN1 oplusN2 = S1 oplus S2 = ∆G Therefore we have
Pr[Y |X] =Pr[Y ]
Pr[X]
12
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GHA
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
G
In
PEnc
N A M
In
Fig 3 Representation of the Function PEnc
Moreover we have Pr[Y ] = 2minusn because the output of PEnc with a freshnonce is random assuming that E is a PRF In order to compute Pr[X] weconsider two cases depending on event Y
1 ∆In = 0 Then we have necessarily ∆Out = 0 ie Pr[X|∆In = 0] = 12 ∆In 6= 0 A pair with non-zero input difference must produce a non-zero
output difference Assuming that E is a PRF we have Pr[X|∆In 6= 0] =1
2nminus1
Therefore
Pr(X) =Pr[∆In = ∆Out]
=Pr[∆In = ∆Out|∆In = 0]times Pr[∆In = 0]+
Pr[∆In = ∆Out|∆In 6= 0]times Pr[∆In 6= 0]
=1times 1
2n+
1
2n minus 1times 2n minus 1
2n
=1
2nminus1
(5)
Finally we can conclude
Pr[∆In = 0|N1 oplusN2 = S1 oplus S2] =2minusn
2minusn+1=
1
2 (6)
Attack Procedure We can now give the detailed procedure to recover K2
1 Choose an arbitrary associated data A and a single-block message M thenquery SEnc for q different nonces N and receive the corresponding encrypted
13
nonces S and ciphertexts C save them in a table indexed by N oplus S Witha suitable value of q (in the order of 2n2) there are two pairs of nonces(N1 N2) satisfying N1 oplusN2 = S1 oplus S2 one of which is expected to furthersatisfy ∆In = 0
2 For each pair with N1 oplus N2 = S1 oplus S2 assuming that ∆In = 0 we have∆G = ∆S and we obtain a cubic polynomial equation with unknown variableK2 which can be solved with factoring tools
∆S = GHASHcoreK2(0|A|∆C0n) = ∆C[0] middotK32 oplus∆C[1] middotK2
2
3 Identify the correct candidate for K2 with forgery attempts
Using two pairs of nonces this attack suggests a small set of six key candi-dates The correct key can be identified with forgery attempts or by using morepairs and looking for a repeated key candidate
More precisely we will describe how to construct a forgery with known can-didate of K2 for GCM-RUP in Section 5 for a given message which can be usedto filter the correct K2 There would be two cases
ndash If the forgery is constructed under the correct candidate for K2 it can passthe verification algorithm of GCM-RUP
ndash If the forgery is constructed under the wrong candidate for K2 it will receivea failure of the verification of GCM-RUP
We only need to query the verification oracle SVer six times to identify thecorrect K2 The cost for this step is negligible
Complexity Estimation As already mentioned the probability of two ran-dom nonces N1 and N2 satisfying ∆In = 0 is 2minus128 Starting from a set of qqueries we can evaluate the probability p of finding an inner collision followingthe analysis of the birthday paradox
p 1minus eminusq2(2times2128)
Thus
q radic
2times 2128 ln1
1minus p
Table 1 shows number of nonces needed to achieve the given probability ofsuccess
43 Experimental Verification with Mini-GCM-RUP
In order to verify our attack theory we use a mini version of GCM-RUP con-structed with the 16-bit block cipher 4-round Mini-AES [28] to experimentallyrecover K2 This experiment identifies pairs of nonces in event X and Y from29 random nonces and recover K2 with SageMath We execute this experimentseveral times to give some results to show the validity of probabilities of eventX and Y in our paper the detail is listed in Table 2
In this table we see that probabilities of event X and Y conform to Equation(5) and (6) respectively The complexity of this experiment is dominated by 29
14
Table 1 Number of Nonces Needed to Achieve the Given Success Probability
Number of nonces to identify inner collision Probability of finding inner collision
263 11264 39265 86266 999
Table 2 Experimental Verification with Mini-GCM-RUP
(K1K2K3) Pair of nonces in X ∆In Pr(X) Pr(Y |X)
(0x3d0e0x2afc0x2e91)(0x27040x0889) 0 1
281
(0x76490x7b0d) 0
(0x4ef30x454b0x1e9a)
(0x23230x602d) 0
729
37
(0x11b70x2b2e) 0x0af7(0x7bab0x3a72) 0(0x12150x1e05) 0xa3b5(0x65930x093d) 0xbce8(0x09bd0x2db2) 0x03cf(0x7d350x5e97) 0
(0x53880x26410x7a4f)
(0x0ba90x46f5) 0x5393
328
12
(0x684d0x5786) 0(0x334c0x22e1) 0x0636(0x44870x13f0) 0(0x54130x03d8) 0(0x5a910x179f) 0x0c06
(0x56910x2ee90x5a68)(0x38740x7546) 0x3fcb 1
2812(0x44b00x4323) 0
15
5 Universal Forgery Attack of GCM-RUP
In this section we will construct forgeries for GCM-RUP given a candidate forK2 We consider a challenge message Mlowast (and possibly a challenge associateddata Alowast) and our goal is to construct a valid ciphertext for Mlowast
51 Almost Universal Forgery Attack
The first forgery attack makes only one query to the encryption oracle SEnc andthen constructs a forgery by solving an equation over GF (2128)
For an arbitrary nonce N associated data A and message M (with |M | =|Mlowast|) query (NAM) and receive the corresponding ciphertext (SC) LetG = GHASHK2
(AC) and the keystream used to XOR message is computed by
EncK1(N) = C oplus (0τM)
We create a valid encryption of Mlowast by reusing the same nonce N and the valuesG and S
First we compute Clowast corresponding to Mlowast
Clowast = 0τMlowast oplus EncK1(N)
= 0τMlowast oplus (C oplus 0τM)(7)
Then we construct Aprime such that
GHASHK2(Aprime Clowast) = GHASHK2
(AC)
where A C Clowast and K2 are known This gives a linear equation over GF (2128)which can easily be solved assuming that |Aprime| ge 128 and K2 6= 0
To summarize for any chosen message Mlowast we can give a successful forgery(AprimeMlowast Sprime C prime) satisfying (Sprime = SC prime = 0τMlowastoplus(Coplus0τM)) This is an almostuniversal forgery because we can choose Mlowast freely but not Aprime
52 Universal Forgery Attack
Alternatively we can design an attack where we choose both Alowast and Mlowast using2n2 queries First we make 2n2 queries (Ni AM) for fixed A and M with|M | = |Mlowast| and receive the corresponding (Si Ci) Since K2 is known we cancompute Gi = GHASH(ACi) and recover the corresponding inputs and outputsto EK3
EK3(Ni oplusGi) = Si oplusGi
Then we can use the same nonces Ni to build a forgery For each Ni webuild the corresponding C primei from Mlowast and Ci as above and we check whetherNioplusGHASH(Alowast C primei) is in the set of known inputs to EK3
With high probabilityone of the nonces will result in a match Ni oplus GHASH(Alowast C primei) = Nj oplus Gj andwe deduce a forgery using Sprime = Sj oplusGj oplus GHASH(Alowast C primei)
16
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
K4E
Fig 4 A Variant for GCM-RUP
17
6 Variant of GCM-RUP
Our forgery attack against GCM-RUP highlights a potential weakness on thestructure of GCM-RUP the output difference of the function GHASHK2
canbe recovered with birthday complexity and this leads to a recovery of K2 Inorder to prevent this attack we suggest to add a block cipher call in the TBCconstruction used in GCM-RUP as shown in Fig 4 to avoid leakage of theoutput difference of the function GHASHK2
This modified TBC still follows the XTX construction of Iwata and Mine-matsu [24] using universal hash function EK4
(GHASHK2(AC)) instead of the
original GHASHK2(AC) The new universal hash function has the same security
bounds but does not leak the key from an output difference Thus the securityproof of GCM-RUP is still applicable to this variant But we do not provide aformal security proof The extra block cipher has a limited impact on efficiencyand might offer better security by avoiding our attack
More generally the modified GHASH could replace GHASH in other designsIn particular the corresponding modification of GCM would prevent the uni-versal forgery attack with complexity 22n3 given in [20] We believe that thisconstruction is worth further study Further work will be needed to determinewhether this modification actually provides extra security and how much
7 Conclusion
This paper shows a birthday-bound attack against GCM-RUP [2] using innercollisions to recover the output difference of the function GHASHK2
Hence K2
can be retrieved by solving a polynomial equation and this directly leads toa universal forgery attack against GCM-RUP This forgery attack shows thatthe construction of GCM-RUP breaks drastically when the security bound isreached This is surprising because no such attack is known on GCM the bestknown universal forgery attack requires 22n3 operations
Finally a minor modification of GCM-RUP is suggested to prevent this kindof attack using an additional block cipher to protect the output of GHASHWith little performance loss this design focusing on GHASH can be applied toall GHASH-based designs
In a more general setting our attack technique can be applied to the LRWconstruction [21] with a polynomial universal hash function as used in OCB forinstance Actually the corresponding attack on OCB would match the previousattack by Ferguson [9]
8 Acknowledgement
This work was supported by the National Natural Science Foundation of Chinaunder Grant Nos 61572293 and 61602276 National Cryptography DevelopmentFoundation of China under Grant No MMJJ20170102 Major Scientific andTechnological Innovation Projects of Shandong Province China under Grant
18
No 2017CXGC0704 Natural Science Foundation of Shandong Province Chinaunder Grant No ZR2016FM22
References
1 Andreeva E Bogdanov A Luykx A Mennink B Mouha N Yasuda K How toSecurely Release Unverified Plaintext in Authenticated Encryption In Sarkar PIwata T (Eds) ASIACRYPT 2014 PART I LNCS 8873 pp 105ndash125 Springer
2 Ashur T Dunkelman O Luykx A Boosting Authenticated Encryption Robust-ness with Minimal Modifications In Katz J Shacham H (Eds) CRYPTO 2017Part III LNCS 10403 pp 3-33 Springer
3 Bellare M Namprempre C Authenticated Encryption Relations among Notionsand Analysis of the Generic Composition Paradigm In Okamoto T (Eds) ASI-ACRYPT 2000 LNCS 1976 pp 531ndash545 Springer
4 Bhargavan K Leurent G On the practical (in-)security of 64-bit block ciphersCollision attacks on HTTP over TLS and OpenVPN In Weippl ER Katzen-beisser S Kruegel C Myers AC Halevi S (eds) ACM CCS 2016 pp 456ndash467ACM Press (Oct 2016)
5 Cantor DG Zassenhaus H A new algorithm for factoring polynomials overfinite fields Mathematics of Computation pp 587ndash592 (1981)
6 Chaigneau C Gilbert H Is AEZ v41 sufficiently resilient against key-recoveryattacks IACR Trans Symm Cryptol 2016(1) 114ndash133 (2016) httptosc
iacrorgindexphpToSCarticleview538
7 Dierks T Allen C RFC 2246 - The TLS Protocol Version 10 Internet ActivitiesBoard (Jan 1999)
8 Dworkin M Recommendation for Block Cipher Modes of Operation Ga-loisCounter Mode (GCM) and GMAC National Institute of Standards and Tech-nology SP 800-38D November 2007
9 Ferguson N Collision attacks on OCB Comment to NIST (Feb 2002)
10 Fuhr T Leurent G Suder V Collision attacks against CAESAR candidates -forgery and key-recovery against AEZ and Marble In Iwata T Cheon JH (eds)ASIACRYPT 2015 Part II LNCS vol 9453 pp 510ndash532 Springer Heidelberg(Nov Dec 2015)
11 Gligor V Donescu P Fast Encryption and Authentication XCBC Encryptionand XECB Authentication Modes In Matsui M (Eds) FSE 2001 LNCS 2355pp 92-108 Springer
12 Gueron S Lindell Y GCM-SIV Full Nonce Misuse-Resistant Authenticated En-cryption at Under One Cycle per Byte In Ray I Li N Kruegel C (Eds) Pro-ceedings of the 22nd ACM SIGSAC Conference on Computer and CommunicationsSecurity Denver CO USA 12ndash16 October 2015 pp 109-119 ACM (2015)
13 Halevi S Rogaway P A Parallelizable Enciphering Mode In Okamoto T (Eds)CT-RSA 2004 LNCS 2964 pp 292ndash304 Springer
14 Hoang VT Krovetz T Rogaway P Robust Authenticated-Encryption AEZ andthe Problem That It Solves In Oswald E Fischlin M (eds) EUROCRYPT 2015LNCS vol 9056 pp 15-44 Springer Berlin Heidelberg
15 Inoue A Iwata T Minematsu K Poettering B Cryptanalysis of OCB2 At-tacks on Authenticity and Confidentiality In Boldyreva A Micciancio D (eds)CRYPTO 2019 LNCS vol 11692 Springer Cham
19
16 Iwata T Ohashi K Minematsu K Breaking and repairing GCM securityproofs In Safavi-Naini R Canetti R (eds) CRYPTO 2012 LNCS vol 7417pp 31ndash49 Springer Heidelberg (Aug 2012)
17 Joux A Comments on the Draft GCM Specification - Authentication Fail-ures in NIST Version of GCM httpcsrcnistgovgroupsSTtoolkitBCMdocumentscomments800-38Series-DraftsGCMJouxcommentspdf
18 Jutla C Encryption Modes with Almost Free Message Integrity In Pfitzmann B(Eds) EUROCRYPT 2001 LNCS 2045 pp 529-544 Springer
19 Leurent G Peyrin T Wang L New generic attacks against hash-based MACsIn Sako K Sarkar P (eds) ASIACRYPT 2013 Part II LNCS vol 8270 pp1ndash20 Springer Heidelberg (Dec 2013)
20 Leurent G Sibleyras F The missing difference problem and its applications tocounter mode encryption In Nielsen JB Rijmen V (eds) EUROCRYPT 2018Part II LNCS vol 10821 pp 745ndash770 Springer Heidelberg (Apr May 2018)
21 Liskov M Rivest RL Wagner D Tweakable Block Ciphers In Yung M (Eds)CRYPTO 2002 LNCS 2442 pp 31-46 Springer
22 Luykx A Preneel B Optimal forgeries against polynomial-based MACs andGCM In Nielsen JB Rijmen V (eds) EUROCRYPT 2018 Part I LNCS vol10820 pp 445ndash467 Springer Heidelberg (Apr May 2018)
23 McGrew D Viega J The Security and Performance of the GaloisCounter Mode(GCM) of Operation In Canteaut A Viswanathan K (eds) INDOCRYPT 2004LNCS vol 3348 pp 343-355 Springer Berlin Heidelberg
24 Minematsu K Iwata T Tweak-length extension for tweakable blockciphers InGroth J (ed) 15th IMA International Conference on Cryptography and CodingLNCS vol 9496 pp 77ndash93 Springer Heidelberg (Dec 2015)
25 Mitchell CJ On the security of XCBC TMAC and OMAC Technical Re-port RHUL-MA-2003-4 19 August 2003 Available at httpwwwrhulac
ukmathematicstechreports Also available from NISTrsquos web page at http
csrcnistgovCryptoToolkitmodescomments
26 Nandi M Bernstein bound on WCS is tight - repairing Luykx-Preneel optimalforgeries In Shacham H Boldyreva A (eds) CRYPTO 2018 Part II LNCSvol 10992 pp 213ndash238 Springer Heidelberg (Aug 2018)
27 Peyrin T Wang L Generic universal forgery attack on iterative hash-basedMACs In Nguyen PQ Oswald E (eds) EUROCRYPT 2014 LNCS vol 8441pp 147ndash164 Springer Heidelberg (May 2014)
28 Phan R CW Mini Advanced Encryption Standard (Mini-AES) A Testbed forCryptanalysis Students In Cryptologia XXVI (4) 2002 httpsstaffguilanacirstaffusersrebrahimifckeditor_repofilemini-aes-specpdf
29 Preneel B van Oorschot PC On the security of two MAC algorithms In Mau-rer UM (ed) EUROCRYPTrsquo96 LNCS vol 1070 pp 19ndash32 Springer Heidelberg(May 1996)
30 Rogaway P Bellare M Black J OCB A Block-Cipher Mode of Operation forEfficient Authenticated Encryption Transactions on Information and System Se-curity Vol 6 No 3 August 2003 pp 365-403
31 Rogaway P Shrimpton T A Provable-Security Treatment of the Key-WrapProblem In Vaudenay S (Eds) EUROCRYPT 2006 LNCS 4004 pp 373-390Springer
32 Shrimpton T Terashima RS A Modular Framework for Building Variable-Input-Length Tweakable Ciphers In Sako K Sarkar P (Eds) ASIACRYPT 2013 PartI LNCS 8269 pp 405ndash423 Springer
20
33 Sung J Hong D Lee S Key recovery attacks on the RMAC TMAC andIACBC In Safavi-Naini R Seberry J (eds) ACISP 03 LNCS vol 2727 pp265ndash273 Springer Heidelberg (Jul 2003)
34 Wegman MN Carter L New Hash Functions and Their Use in Authenticationand Set Equality Journal of Computer and System Sciences 22 265-279 (1981)
35 The CAESAR committee CAESAR Competition for Authenticated EncryptionSecurity Applicability and Robustness httpcompetitionscryptocaesarhtml
36 IEEE Standard for Local and Metropolitan Area Networks Media Access Control(MAC) Security IEEE Std 8021AE-2006 (2006)
37 Information Technology - Security Techniques - Authenticated EncryptionISOIEC 197722009 International Standard ISOIEC 19772 (2009)
38 NIST Lightweight Cryptography httpscsrcnistgovProjects
Lightweight-Cryptography
39 National Security Agency Internet Protocol Security (IPsec) Minimum EssentialInteroperability Requirements IPMEIR Version 100 Core (2010) httpwwwnsagoviaprogramssuitebcryptographyindexshtml
40 Sage Documentation SageMath Help httpwwwsagemathorg
21
- Universal Forgery Attack against GCM-RUP
- Yanbin Li Gaeumltan Leurent Meiqin Wang Wei Wang Guoyan Zhang Yu Liu
-
Algorithm 3 GCM-RUPK1K2K3(NAM)
Input K1K2K3 isin 0 13n A isin 0 1n232
M isin 0 1n232
Output (SC) isin 0 1n times 0 1τ+|M|1 M larr 0τM2 Llarr EK1(0n)3 I larr GHASHL(εN)4 mlarr |M |n5 F larr EK1(msb96(I)middot)6 S larr CTR[F ](inc32(lsb32(I))m)7 C larrM oplusmsb|M|(S)8 Glarr GHASHK2(AC)9 S larr EK3(N oplusG)oplusG
10 return (SC)
4 Partial Authentication Key Recovery for GCM-RUP
Our analysis focuses on the GHASHK2function which can be written as a poly-
nomial in K2 In this section we analyze properties of GHASHK2 which are thenused to recover K2 After recovering K2 it is possible to perform a forgery attackfor GCM-RUP
The main property used in our attacks is that G the output of GHASHK2as
defined in Fig 2 is linearly dependent on the input (AC) for fixed K2 There-fore the output difference ∆G of values G emerging in encryption operationsof two input tuples (N1 AM) and (N2 AM) is independent of the value of(AM) and is only a function of N1 and N2
Based on this property we retrieve K2 with the following two steps
ndash For a fixed associated data and message we search for a pair of nonces(N1 N2) which produce a collision for the input of EK3
using a birthdayattack For such pair of nonces (N1 N2) ∆G = N1 oplusN2 = S1 oplus S2
ndash With a known∆G a polynomial equation inK2 is derived from the GHASHK2
definition Then K2 can be retrieved by solving this equation
In this section we will give the detailed description of the recovery of K2
41 Properties of GHASH
Let Π = (SEncSDecSVer) denote the scheme GCM-RUP We focus on thecomponent GHASHK2
with inputs the associated data A and the ciphertext CIn order to clearly describe the attack we rewrite GHASHK2
as
G = GHASHK2(AC) = GHASHcoreK2(ACstrn2(|A|)strn2(|C|))
According to the definition of GHASHcore given by Equation (1) G is linear inthe GHASHcore input (ACstrn2(|A|)strn2(|C|)) for a fixed K2 Thereforewe consider the difference ∆G in the output of GHASHK2
for a pair of inputs
10
Property 1 When processing a fixed associated data A and message M un-der two distinct nonces (N1 N2) with GCM-RUP the output difference ∆G ofGHASHK2 is only dependent on N1 and N2 but independent on A and M Thisalso holds for the input difference of EK3
Proof For two tuples (N1 AM) and (N2 AM) query SEnc and get
(S1 C1)larr GCM-RUP(N1 AM)
(S2 C2)larr GCM-RUP(N2 AM)
Let G1 and G2 represent the corresponding outputs of the function GHASHK2
in the encryptions under nonces N1 and N2 respectively
G1 = GHASHK2(AC1)
G2 = GHASHK2(AC2)
where
C1 = (0τM)oplus EncK1(N1)
C2 = (0τM)oplus EncK1(N2)
the function EncK1is defined in the upper dotted box in Fig 2 Hence
∆G = G1 oplusG2
= GHASHK2(AC1)oplus GHASHK2
(AC2)(2)
From the definition of GHASH we have
∆G = GHASHcoreK2
(AoplusAC1 oplus C2
(strn2(|A|)strn2(|C1|))oplus (strn2(|A|)strn2(|C2|)))
= GHASHcoreK2(0|A|∆C0n)
= GHASHcoreK2(0|A|EncK1
(N1)oplus EncK1(N2)0n)
(3)
which shows that the output difference of the function GHASHK2depend only
on N1 and N2 for two tuples (N1 AM) and (N2 AM) The input differenceof EK3
can be computed as
∆In = N1 oplusN2 oplus∆G= N1 oplusN2 oplus GHASHcoreK2(0|A|∆C0n)
(4)
so it is also independent of A and M 2
In particular if we can recover a value ∆G we can then extract K2 bysolving a polynomial equation given the ciphertext difference∆C and the outputdifference ∆G
∆G = GHASHcoreK2(0|A|∆C0n)
11
For simplicity we assume that |M | = n and τ = n this implies |C1| = |C2| = 2n
∆G = ∆C[0] middotK32 oplus∆C[1] middotK2
2
This a polynomial equation in K2 in the Galois field with 2128 elements Luckilythere are efficient algorithm to factor polynomials over finite fields For instancethe Cantor-Zassenhaus algorithm [5] requires O(n2(log(r) log(q) + n)) field op-erations to factor a degree-n polynomial with r irreducible factors over a fieldwith q elements In practice with the parameters used here this takes negligibletime using the implementation of SageMath [40]
42 Recovering K2 from Inner Collisions
As explained earlier the first step of the attack is to identify collisions in theinput of EK3 defined as In = N oplus G Following the analysis above we startwith a fixed associated data A and message M and query SEnc for q differentnonces to receive the corresponding encrypted nonces S and ciphertexts C
In order to simplify the description we focus on the value In and we considerthe function mapping NAM to In denoted as PEnc and represented by Fig 3The output values of PEnc can not be accessed by the attacker but collisions inPEnc can be detected As for In and the output Out of EK3
In = N oplusGOut = S oplusG
When the collisions happen ∆In = ∆Out = 0 which means
N1 oplusN2 oplusG1 oplusG2 = 0
S1 oplus S2 oplusG1 oplusG2 = 0
Thus N1 oplus N2 = S1 oplus S2 = ∆G If the collisions ∆N = ∆S can be detectedthe collisions in PEnc can be detected Meanwhile this type of collisions give outthe value of ∆G which can be used to recover K2 Moreover the correspondingpairs can be identified efficiently We just build a list of all nonces indexed byNi oplus Si sort the list and look for collisions each collision corresponds to a pairwith N1 oplus S1 = N2 oplus S2 ie N1 oplusN2 = S1 oplus S2 We now consider the converseand evaluate the probability of a collision in PEnc when N1 oplusN2 = S1 oplus S2
We formally define the two events as X and Y
ndash X (N1 oplusN2 = S1 oplus S2) the event identifying pairs of nonces (N1 N2) withthe input difference equal to the output difference of EK3
which is calledouter collision (equivalently it can be defined as ∆In = ∆Out)
ndash Y (∆In = 0) the event identifying pairs of nonces with collision in PEncie zero input difference for EK3
which is called inner collision
First we observe that Y sube X because if ∆In = 0 then ∆Out = 0 andN1 oplusN2 = S1 oplus S2 = ∆G Therefore we have
Pr[Y |X] =Pr[Y ]
Pr[X]
12
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GHA
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
G
In
PEnc
N A M
In
Fig 3 Representation of the Function PEnc
Moreover we have Pr[Y ] = 2minusn because the output of PEnc with a freshnonce is random assuming that E is a PRF In order to compute Pr[X] weconsider two cases depending on event Y
1 ∆In = 0 Then we have necessarily ∆Out = 0 ie Pr[X|∆In = 0] = 12 ∆In 6= 0 A pair with non-zero input difference must produce a non-zero
output difference Assuming that E is a PRF we have Pr[X|∆In 6= 0] =1
2nminus1
Therefore
Pr(X) =Pr[∆In = ∆Out]
=Pr[∆In = ∆Out|∆In = 0]times Pr[∆In = 0]+
Pr[∆In = ∆Out|∆In 6= 0]times Pr[∆In 6= 0]
=1times 1
2n+
1
2n minus 1times 2n minus 1
2n
=1
2nminus1
(5)
Finally we can conclude
Pr[∆In = 0|N1 oplusN2 = S1 oplus S2] =2minusn
2minusn+1=
1
2 (6)
Attack Procedure We can now give the detailed procedure to recover K2
1 Choose an arbitrary associated data A and a single-block message M thenquery SEnc for q different nonces N and receive the corresponding encrypted
13
nonces S and ciphertexts C save them in a table indexed by N oplus S Witha suitable value of q (in the order of 2n2) there are two pairs of nonces(N1 N2) satisfying N1 oplusN2 = S1 oplus S2 one of which is expected to furthersatisfy ∆In = 0
2 For each pair with N1 oplus N2 = S1 oplus S2 assuming that ∆In = 0 we have∆G = ∆S and we obtain a cubic polynomial equation with unknown variableK2 which can be solved with factoring tools
∆S = GHASHcoreK2(0|A|∆C0n) = ∆C[0] middotK32 oplus∆C[1] middotK2
2
3 Identify the correct candidate for K2 with forgery attempts
Using two pairs of nonces this attack suggests a small set of six key candi-dates The correct key can be identified with forgery attempts or by using morepairs and looking for a repeated key candidate
More precisely we will describe how to construct a forgery with known can-didate of K2 for GCM-RUP in Section 5 for a given message which can be usedto filter the correct K2 There would be two cases
ndash If the forgery is constructed under the correct candidate for K2 it can passthe verification algorithm of GCM-RUP
ndash If the forgery is constructed under the wrong candidate for K2 it will receivea failure of the verification of GCM-RUP
We only need to query the verification oracle SVer six times to identify thecorrect K2 The cost for this step is negligible
Complexity Estimation As already mentioned the probability of two ran-dom nonces N1 and N2 satisfying ∆In = 0 is 2minus128 Starting from a set of qqueries we can evaluate the probability p of finding an inner collision followingthe analysis of the birthday paradox
p 1minus eminusq2(2times2128)
Thus
q radic
2times 2128 ln1
1minus p
Table 1 shows number of nonces needed to achieve the given probability ofsuccess
43 Experimental Verification with Mini-GCM-RUP
In order to verify our attack theory we use a mini version of GCM-RUP con-structed with the 16-bit block cipher 4-round Mini-AES [28] to experimentallyrecover K2 This experiment identifies pairs of nonces in event X and Y from29 random nonces and recover K2 with SageMath We execute this experimentseveral times to give some results to show the validity of probabilities of eventX and Y in our paper the detail is listed in Table 2
In this table we see that probabilities of event X and Y conform to Equation(5) and (6) respectively The complexity of this experiment is dominated by 29
14
Table 1 Number of Nonces Needed to Achieve the Given Success Probability
Number of nonces to identify inner collision Probability of finding inner collision
263 11264 39265 86266 999
Table 2 Experimental Verification with Mini-GCM-RUP
(K1K2K3) Pair of nonces in X ∆In Pr(X) Pr(Y |X)
(0x3d0e0x2afc0x2e91)(0x27040x0889) 0 1
281
(0x76490x7b0d) 0
(0x4ef30x454b0x1e9a)
(0x23230x602d) 0
729
37
(0x11b70x2b2e) 0x0af7(0x7bab0x3a72) 0(0x12150x1e05) 0xa3b5(0x65930x093d) 0xbce8(0x09bd0x2db2) 0x03cf(0x7d350x5e97) 0
(0x53880x26410x7a4f)
(0x0ba90x46f5) 0x5393
328
12
(0x684d0x5786) 0(0x334c0x22e1) 0x0636(0x44870x13f0) 0(0x54130x03d8) 0(0x5a910x179f) 0x0c06
(0x56910x2ee90x5a68)(0x38740x7546) 0x3fcb 1
2812(0x44b00x4323) 0
15
5 Universal Forgery Attack of GCM-RUP
In this section we will construct forgeries for GCM-RUP given a candidate forK2 We consider a challenge message Mlowast (and possibly a challenge associateddata Alowast) and our goal is to construct a valid ciphertext for Mlowast
51 Almost Universal Forgery Attack
The first forgery attack makes only one query to the encryption oracle SEnc andthen constructs a forgery by solving an equation over GF (2128)
For an arbitrary nonce N associated data A and message M (with |M | =|Mlowast|) query (NAM) and receive the corresponding ciphertext (SC) LetG = GHASHK2
(AC) and the keystream used to XOR message is computed by
EncK1(N) = C oplus (0τM)
We create a valid encryption of Mlowast by reusing the same nonce N and the valuesG and S
First we compute Clowast corresponding to Mlowast
Clowast = 0τMlowast oplus EncK1(N)
= 0τMlowast oplus (C oplus 0τM)(7)
Then we construct Aprime such that
GHASHK2(Aprime Clowast) = GHASHK2
(AC)
where A C Clowast and K2 are known This gives a linear equation over GF (2128)which can easily be solved assuming that |Aprime| ge 128 and K2 6= 0
To summarize for any chosen message Mlowast we can give a successful forgery(AprimeMlowast Sprime C prime) satisfying (Sprime = SC prime = 0τMlowastoplus(Coplus0τM)) This is an almostuniversal forgery because we can choose Mlowast freely but not Aprime
52 Universal Forgery Attack
Alternatively we can design an attack where we choose both Alowast and Mlowast using2n2 queries First we make 2n2 queries (Ni AM) for fixed A and M with|M | = |Mlowast| and receive the corresponding (Si Ci) Since K2 is known we cancompute Gi = GHASH(ACi) and recover the corresponding inputs and outputsto EK3
EK3(Ni oplusGi) = Si oplusGi
Then we can use the same nonces Ni to build a forgery For each Ni webuild the corresponding C primei from Mlowast and Ci as above and we check whetherNioplusGHASH(Alowast C primei) is in the set of known inputs to EK3
With high probabilityone of the nonces will result in a match Ni oplus GHASH(Alowast C primei) = Nj oplus Gj andwe deduce a forgery using Sprime = Sj oplusGj oplus GHASH(Alowast C primei)
16
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
K4E
Fig 4 A Variant for GCM-RUP
17
6 Variant of GCM-RUP
Our forgery attack against GCM-RUP highlights a potential weakness on thestructure of GCM-RUP the output difference of the function GHASHK2
canbe recovered with birthday complexity and this leads to a recovery of K2 Inorder to prevent this attack we suggest to add a block cipher call in the TBCconstruction used in GCM-RUP as shown in Fig 4 to avoid leakage of theoutput difference of the function GHASHK2
This modified TBC still follows the XTX construction of Iwata and Mine-matsu [24] using universal hash function EK4
(GHASHK2(AC)) instead of the
original GHASHK2(AC) The new universal hash function has the same security
bounds but does not leak the key from an output difference Thus the securityproof of GCM-RUP is still applicable to this variant But we do not provide aformal security proof The extra block cipher has a limited impact on efficiencyand might offer better security by avoiding our attack
More generally the modified GHASH could replace GHASH in other designsIn particular the corresponding modification of GCM would prevent the uni-versal forgery attack with complexity 22n3 given in [20] We believe that thisconstruction is worth further study Further work will be needed to determinewhether this modification actually provides extra security and how much
7 Conclusion
This paper shows a birthday-bound attack against GCM-RUP [2] using innercollisions to recover the output difference of the function GHASHK2
Hence K2
can be retrieved by solving a polynomial equation and this directly leads toa universal forgery attack against GCM-RUP This forgery attack shows thatthe construction of GCM-RUP breaks drastically when the security bound isreached This is surprising because no such attack is known on GCM the bestknown universal forgery attack requires 22n3 operations
Finally a minor modification of GCM-RUP is suggested to prevent this kindof attack using an additional block cipher to protect the output of GHASHWith little performance loss this design focusing on GHASH can be applied toall GHASH-based designs
In a more general setting our attack technique can be applied to the LRWconstruction [21] with a polynomial universal hash function as used in OCB forinstance Actually the corresponding attack on OCB would match the previousattack by Ferguson [9]
8 Acknowledgement
This work was supported by the National Natural Science Foundation of Chinaunder Grant Nos 61572293 and 61602276 National Cryptography DevelopmentFoundation of China under Grant No MMJJ20170102 Major Scientific andTechnological Innovation Projects of Shandong Province China under Grant
18
No 2017CXGC0704 Natural Science Foundation of Shandong Province Chinaunder Grant No ZR2016FM22
References
1 Andreeva E Bogdanov A Luykx A Mennink B Mouha N Yasuda K How toSecurely Release Unverified Plaintext in Authenticated Encryption In Sarkar PIwata T (Eds) ASIACRYPT 2014 PART I LNCS 8873 pp 105ndash125 Springer
2 Ashur T Dunkelman O Luykx A Boosting Authenticated Encryption Robust-ness with Minimal Modifications In Katz J Shacham H (Eds) CRYPTO 2017Part III LNCS 10403 pp 3-33 Springer
3 Bellare M Namprempre C Authenticated Encryption Relations among Notionsand Analysis of the Generic Composition Paradigm In Okamoto T (Eds) ASI-ACRYPT 2000 LNCS 1976 pp 531ndash545 Springer
4 Bhargavan K Leurent G On the practical (in-)security of 64-bit block ciphersCollision attacks on HTTP over TLS and OpenVPN In Weippl ER Katzen-beisser S Kruegel C Myers AC Halevi S (eds) ACM CCS 2016 pp 456ndash467ACM Press (Oct 2016)
5 Cantor DG Zassenhaus H A new algorithm for factoring polynomials overfinite fields Mathematics of Computation pp 587ndash592 (1981)
6 Chaigneau C Gilbert H Is AEZ v41 sufficiently resilient against key-recoveryattacks IACR Trans Symm Cryptol 2016(1) 114ndash133 (2016) httptosc
iacrorgindexphpToSCarticleview538
7 Dierks T Allen C RFC 2246 - The TLS Protocol Version 10 Internet ActivitiesBoard (Jan 1999)
8 Dworkin M Recommendation for Block Cipher Modes of Operation Ga-loisCounter Mode (GCM) and GMAC National Institute of Standards and Tech-nology SP 800-38D November 2007
9 Ferguson N Collision attacks on OCB Comment to NIST (Feb 2002)
10 Fuhr T Leurent G Suder V Collision attacks against CAESAR candidates -forgery and key-recovery against AEZ and Marble In Iwata T Cheon JH (eds)ASIACRYPT 2015 Part II LNCS vol 9453 pp 510ndash532 Springer Heidelberg(Nov Dec 2015)
11 Gligor V Donescu P Fast Encryption and Authentication XCBC Encryptionand XECB Authentication Modes In Matsui M (Eds) FSE 2001 LNCS 2355pp 92-108 Springer
12 Gueron S Lindell Y GCM-SIV Full Nonce Misuse-Resistant Authenticated En-cryption at Under One Cycle per Byte In Ray I Li N Kruegel C (Eds) Pro-ceedings of the 22nd ACM SIGSAC Conference on Computer and CommunicationsSecurity Denver CO USA 12ndash16 October 2015 pp 109-119 ACM (2015)
13 Halevi S Rogaway P A Parallelizable Enciphering Mode In Okamoto T (Eds)CT-RSA 2004 LNCS 2964 pp 292ndash304 Springer
14 Hoang VT Krovetz T Rogaway P Robust Authenticated-Encryption AEZ andthe Problem That It Solves In Oswald E Fischlin M (eds) EUROCRYPT 2015LNCS vol 9056 pp 15-44 Springer Berlin Heidelberg
15 Inoue A Iwata T Minematsu K Poettering B Cryptanalysis of OCB2 At-tacks on Authenticity and Confidentiality In Boldyreva A Micciancio D (eds)CRYPTO 2019 LNCS vol 11692 Springer Cham
19
16 Iwata T Ohashi K Minematsu K Breaking and repairing GCM securityproofs In Safavi-Naini R Canetti R (eds) CRYPTO 2012 LNCS vol 7417pp 31ndash49 Springer Heidelberg (Aug 2012)
17 Joux A Comments on the Draft GCM Specification - Authentication Fail-ures in NIST Version of GCM httpcsrcnistgovgroupsSTtoolkitBCMdocumentscomments800-38Series-DraftsGCMJouxcommentspdf
18 Jutla C Encryption Modes with Almost Free Message Integrity In Pfitzmann B(Eds) EUROCRYPT 2001 LNCS 2045 pp 529-544 Springer
19 Leurent G Peyrin T Wang L New generic attacks against hash-based MACsIn Sako K Sarkar P (eds) ASIACRYPT 2013 Part II LNCS vol 8270 pp1ndash20 Springer Heidelberg (Dec 2013)
20 Leurent G Sibleyras F The missing difference problem and its applications tocounter mode encryption In Nielsen JB Rijmen V (eds) EUROCRYPT 2018Part II LNCS vol 10821 pp 745ndash770 Springer Heidelberg (Apr May 2018)
21 Liskov M Rivest RL Wagner D Tweakable Block Ciphers In Yung M (Eds)CRYPTO 2002 LNCS 2442 pp 31-46 Springer
22 Luykx A Preneel B Optimal forgeries against polynomial-based MACs andGCM In Nielsen JB Rijmen V (eds) EUROCRYPT 2018 Part I LNCS vol10820 pp 445ndash467 Springer Heidelberg (Apr May 2018)
23 McGrew D Viega J The Security and Performance of the GaloisCounter Mode(GCM) of Operation In Canteaut A Viswanathan K (eds) INDOCRYPT 2004LNCS vol 3348 pp 343-355 Springer Berlin Heidelberg
24 Minematsu K Iwata T Tweak-length extension for tweakable blockciphers InGroth J (ed) 15th IMA International Conference on Cryptography and CodingLNCS vol 9496 pp 77ndash93 Springer Heidelberg (Dec 2015)
25 Mitchell CJ On the security of XCBC TMAC and OMAC Technical Re-port RHUL-MA-2003-4 19 August 2003 Available at httpwwwrhulac
ukmathematicstechreports Also available from NISTrsquos web page at http
csrcnistgovCryptoToolkitmodescomments
26 Nandi M Bernstein bound on WCS is tight - repairing Luykx-Preneel optimalforgeries In Shacham H Boldyreva A (eds) CRYPTO 2018 Part II LNCSvol 10992 pp 213ndash238 Springer Heidelberg (Aug 2018)
27 Peyrin T Wang L Generic universal forgery attack on iterative hash-basedMACs In Nguyen PQ Oswald E (eds) EUROCRYPT 2014 LNCS vol 8441pp 147ndash164 Springer Heidelberg (May 2014)
28 Phan R CW Mini Advanced Encryption Standard (Mini-AES) A Testbed forCryptanalysis Students In Cryptologia XXVI (4) 2002 httpsstaffguilanacirstaffusersrebrahimifckeditor_repofilemini-aes-specpdf
29 Preneel B van Oorschot PC On the security of two MAC algorithms In Mau-rer UM (ed) EUROCRYPTrsquo96 LNCS vol 1070 pp 19ndash32 Springer Heidelberg(May 1996)
30 Rogaway P Bellare M Black J OCB A Block-Cipher Mode of Operation forEfficient Authenticated Encryption Transactions on Information and System Se-curity Vol 6 No 3 August 2003 pp 365-403
31 Rogaway P Shrimpton T A Provable-Security Treatment of the Key-WrapProblem In Vaudenay S (Eds) EUROCRYPT 2006 LNCS 4004 pp 373-390Springer
32 Shrimpton T Terashima RS A Modular Framework for Building Variable-Input-Length Tweakable Ciphers In Sako K Sarkar P (Eds) ASIACRYPT 2013 PartI LNCS 8269 pp 405ndash423 Springer
20
33 Sung J Hong D Lee S Key recovery attacks on the RMAC TMAC andIACBC In Safavi-Naini R Seberry J (eds) ACISP 03 LNCS vol 2727 pp265ndash273 Springer Heidelberg (Jul 2003)
34 Wegman MN Carter L New Hash Functions and Their Use in Authenticationand Set Equality Journal of Computer and System Sciences 22 265-279 (1981)
35 The CAESAR committee CAESAR Competition for Authenticated EncryptionSecurity Applicability and Robustness httpcompetitionscryptocaesarhtml
36 IEEE Standard for Local and Metropolitan Area Networks Media Access Control(MAC) Security IEEE Std 8021AE-2006 (2006)
37 Information Technology - Security Techniques - Authenticated EncryptionISOIEC 197722009 International Standard ISOIEC 19772 (2009)
38 NIST Lightweight Cryptography httpscsrcnistgovProjects
Lightweight-Cryptography
39 National Security Agency Internet Protocol Security (IPsec) Minimum EssentialInteroperability Requirements IPMEIR Version 100 Core (2010) httpwwwnsagoviaprogramssuitebcryptographyindexshtml
40 Sage Documentation SageMath Help httpwwwsagemathorg
21
- Universal Forgery Attack against GCM-RUP
- Yanbin Li Gaeumltan Leurent Meiqin Wang Wei Wang Guoyan Zhang Yu Liu
-
Property 1 When processing a fixed associated data A and message M un-der two distinct nonces (N1 N2) with GCM-RUP the output difference ∆G ofGHASHK2 is only dependent on N1 and N2 but independent on A and M Thisalso holds for the input difference of EK3
Proof For two tuples (N1 AM) and (N2 AM) query SEnc and get
(S1 C1)larr GCM-RUP(N1 AM)
(S2 C2)larr GCM-RUP(N2 AM)
Let G1 and G2 represent the corresponding outputs of the function GHASHK2
in the encryptions under nonces N1 and N2 respectively
G1 = GHASHK2(AC1)
G2 = GHASHK2(AC2)
where
C1 = (0τM)oplus EncK1(N1)
C2 = (0τM)oplus EncK1(N2)
the function EncK1is defined in the upper dotted box in Fig 2 Hence
∆G = G1 oplusG2
= GHASHK2(AC1)oplus GHASHK2
(AC2)(2)
From the definition of GHASH we have
∆G = GHASHcoreK2
(AoplusAC1 oplus C2
(strn2(|A|)strn2(|C1|))oplus (strn2(|A|)strn2(|C2|)))
= GHASHcoreK2(0|A|∆C0n)
= GHASHcoreK2(0|A|EncK1
(N1)oplus EncK1(N2)0n)
(3)
which shows that the output difference of the function GHASHK2depend only
on N1 and N2 for two tuples (N1 AM) and (N2 AM) The input differenceof EK3
can be computed as
∆In = N1 oplusN2 oplus∆G= N1 oplusN2 oplus GHASHcoreK2(0|A|∆C0n)
(4)
so it is also independent of A and M 2
In particular if we can recover a value ∆G we can then extract K2 bysolving a polynomial equation given the ciphertext difference∆C and the outputdifference ∆G
∆G = GHASHcoreK2(0|A|∆C0n)
11
For simplicity we assume that |M | = n and τ = n this implies |C1| = |C2| = 2n
∆G = ∆C[0] middotK32 oplus∆C[1] middotK2
2
This a polynomial equation in K2 in the Galois field with 2128 elements Luckilythere are efficient algorithm to factor polynomials over finite fields For instancethe Cantor-Zassenhaus algorithm [5] requires O(n2(log(r) log(q) + n)) field op-erations to factor a degree-n polynomial with r irreducible factors over a fieldwith q elements In practice with the parameters used here this takes negligibletime using the implementation of SageMath [40]
42 Recovering K2 from Inner Collisions
As explained earlier the first step of the attack is to identify collisions in theinput of EK3 defined as In = N oplus G Following the analysis above we startwith a fixed associated data A and message M and query SEnc for q differentnonces to receive the corresponding encrypted nonces S and ciphertexts C
In order to simplify the description we focus on the value In and we considerthe function mapping NAM to In denoted as PEnc and represented by Fig 3The output values of PEnc can not be accessed by the attacker but collisions inPEnc can be detected As for In and the output Out of EK3
In = N oplusGOut = S oplusG
When the collisions happen ∆In = ∆Out = 0 which means
N1 oplusN2 oplusG1 oplusG2 = 0
S1 oplus S2 oplusG1 oplusG2 = 0
Thus N1 oplus N2 = S1 oplus S2 = ∆G If the collisions ∆N = ∆S can be detectedthe collisions in PEnc can be detected Meanwhile this type of collisions give outthe value of ∆G which can be used to recover K2 Moreover the correspondingpairs can be identified efficiently We just build a list of all nonces indexed byNi oplus Si sort the list and look for collisions each collision corresponds to a pairwith N1 oplus S1 = N2 oplus S2 ie N1 oplusN2 = S1 oplus S2 We now consider the converseand evaluate the probability of a collision in PEnc when N1 oplusN2 = S1 oplus S2
We formally define the two events as X and Y
ndash X (N1 oplusN2 = S1 oplus S2) the event identifying pairs of nonces (N1 N2) withthe input difference equal to the output difference of EK3
which is calledouter collision (equivalently it can be defined as ∆In = ∆Out)
ndash Y (∆In = 0) the event identifying pairs of nonces with collision in PEncie zero input difference for EK3
which is called inner collision
First we observe that Y sube X because if ∆In = 0 then ∆Out = 0 andN1 oplusN2 = S1 oplus S2 = ∆G Therefore we have
Pr[Y |X] =Pr[Y ]
Pr[X]
12
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GHA
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
G
In
PEnc
N A M
In
Fig 3 Representation of the Function PEnc
Moreover we have Pr[Y ] = 2minusn because the output of PEnc with a freshnonce is random assuming that E is a PRF In order to compute Pr[X] weconsider two cases depending on event Y
1 ∆In = 0 Then we have necessarily ∆Out = 0 ie Pr[X|∆In = 0] = 12 ∆In 6= 0 A pair with non-zero input difference must produce a non-zero
output difference Assuming that E is a PRF we have Pr[X|∆In 6= 0] =1
2nminus1
Therefore
Pr(X) =Pr[∆In = ∆Out]
=Pr[∆In = ∆Out|∆In = 0]times Pr[∆In = 0]+
Pr[∆In = ∆Out|∆In 6= 0]times Pr[∆In 6= 0]
=1times 1
2n+
1
2n minus 1times 2n minus 1
2n
=1
2nminus1
(5)
Finally we can conclude
Pr[∆In = 0|N1 oplusN2 = S1 oplus S2] =2minusn
2minusn+1=
1
2 (6)
Attack Procedure We can now give the detailed procedure to recover K2
1 Choose an arbitrary associated data A and a single-block message M thenquery SEnc for q different nonces N and receive the corresponding encrypted
13
nonces S and ciphertexts C save them in a table indexed by N oplus S Witha suitable value of q (in the order of 2n2) there are two pairs of nonces(N1 N2) satisfying N1 oplusN2 = S1 oplus S2 one of which is expected to furthersatisfy ∆In = 0
2 For each pair with N1 oplus N2 = S1 oplus S2 assuming that ∆In = 0 we have∆G = ∆S and we obtain a cubic polynomial equation with unknown variableK2 which can be solved with factoring tools
∆S = GHASHcoreK2(0|A|∆C0n) = ∆C[0] middotK32 oplus∆C[1] middotK2
2
3 Identify the correct candidate for K2 with forgery attempts
Using two pairs of nonces this attack suggests a small set of six key candi-dates The correct key can be identified with forgery attempts or by using morepairs and looking for a repeated key candidate
More precisely we will describe how to construct a forgery with known can-didate of K2 for GCM-RUP in Section 5 for a given message which can be usedto filter the correct K2 There would be two cases
ndash If the forgery is constructed under the correct candidate for K2 it can passthe verification algorithm of GCM-RUP
ndash If the forgery is constructed under the wrong candidate for K2 it will receivea failure of the verification of GCM-RUP
We only need to query the verification oracle SVer six times to identify thecorrect K2 The cost for this step is negligible
Complexity Estimation As already mentioned the probability of two ran-dom nonces N1 and N2 satisfying ∆In = 0 is 2minus128 Starting from a set of qqueries we can evaluate the probability p of finding an inner collision followingthe analysis of the birthday paradox
p 1minus eminusq2(2times2128)
Thus
q radic
2times 2128 ln1
1minus p
Table 1 shows number of nonces needed to achieve the given probability ofsuccess
43 Experimental Verification with Mini-GCM-RUP
In order to verify our attack theory we use a mini version of GCM-RUP con-structed with the 16-bit block cipher 4-round Mini-AES [28] to experimentallyrecover K2 This experiment identifies pairs of nonces in event X and Y from29 random nonces and recover K2 with SageMath We execute this experimentseveral times to give some results to show the validity of probabilities of eventX and Y in our paper the detail is listed in Table 2
In this table we see that probabilities of event X and Y conform to Equation(5) and (6) respectively The complexity of this experiment is dominated by 29
14
Table 1 Number of Nonces Needed to Achieve the Given Success Probability
Number of nonces to identify inner collision Probability of finding inner collision
263 11264 39265 86266 999
Table 2 Experimental Verification with Mini-GCM-RUP
(K1K2K3) Pair of nonces in X ∆In Pr(X) Pr(Y |X)
(0x3d0e0x2afc0x2e91)(0x27040x0889) 0 1
281
(0x76490x7b0d) 0
(0x4ef30x454b0x1e9a)
(0x23230x602d) 0
729
37
(0x11b70x2b2e) 0x0af7(0x7bab0x3a72) 0(0x12150x1e05) 0xa3b5(0x65930x093d) 0xbce8(0x09bd0x2db2) 0x03cf(0x7d350x5e97) 0
(0x53880x26410x7a4f)
(0x0ba90x46f5) 0x5393
328
12
(0x684d0x5786) 0(0x334c0x22e1) 0x0636(0x44870x13f0) 0(0x54130x03d8) 0(0x5a910x179f) 0x0c06
(0x56910x2ee90x5a68)(0x38740x7546) 0x3fcb 1
2812(0x44b00x4323) 0
15
5 Universal Forgery Attack of GCM-RUP
In this section we will construct forgeries for GCM-RUP given a candidate forK2 We consider a challenge message Mlowast (and possibly a challenge associateddata Alowast) and our goal is to construct a valid ciphertext for Mlowast
51 Almost Universal Forgery Attack
The first forgery attack makes only one query to the encryption oracle SEnc andthen constructs a forgery by solving an equation over GF (2128)
For an arbitrary nonce N associated data A and message M (with |M | =|Mlowast|) query (NAM) and receive the corresponding ciphertext (SC) LetG = GHASHK2
(AC) and the keystream used to XOR message is computed by
EncK1(N) = C oplus (0τM)
We create a valid encryption of Mlowast by reusing the same nonce N and the valuesG and S
First we compute Clowast corresponding to Mlowast
Clowast = 0τMlowast oplus EncK1(N)
= 0τMlowast oplus (C oplus 0τM)(7)
Then we construct Aprime such that
GHASHK2(Aprime Clowast) = GHASHK2
(AC)
where A C Clowast and K2 are known This gives a linear equation over GF (2128)which can easily be solved assuming that |Aprime| ge 128 and K2 6= 0
To summarize for any chosen message Mlowast we can give a successful forgery(AprimeMlowast Sprime C prime) satisfying (Sprime = SC prime = 0τMlowastoplus(Coplus0τM)) This is an almostuniversal forgery because we can choose Mlowast freely but not Aprime
52 Universal Forgery Attack
Alternatively we can design an attack where we choose both Alowast and Mlowast using2n2 queries First we make 2n2 queries (Ni AM) for fixed A and M with|M | = |Mlowast| and receive the corresponding (Si Ci) Since K2 is known we cancompute Gi = GHASH(ACi) and recover the corresponding inputs and outputsto EK3
EK3(Ni oplusGi) = Si oplusGi
Then we can use the same nonces Ni to build a forgery For each Ni webuild the corresponding C primei from Mlowast and Ci as above and we check whetherNioplusGHASH(Alowast C primei) is in the set of known inputs to EK3
With high probabilityone of the nonces will result in a match Ni oplus GHASH(Alowast C primei) = Nj oplus Gj andwe deduce a forgery using Sprime = Sj oplusGj oplus GHASH(Alowast C primei)
16
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
K4E
Fig 4 A Variant for GCM-RUP
17
6 Variant of GCM-RUP
Our forgery attack against GCM-RUP highlights a potential weakness on thestructure of GCM-RUP the output difference of the function GHASHK2
canbe recovered with birthday complexity and this leads to a recovery of K2 Inorder to prevent this attack we suggest to add a block cipher call in the TBCconstruction used in GCM-RUP as shown in Fig 4 to avoid leakage of theoutput difference of the function GHASHK2
This modified TBC still follows the XTX construction of Iwata and Mine-matsu [24] using universal hash function EK4
(GHASHK2(AC)) instead of the
original GHASHK2(AC) The new universal hash function has the same security
bounds but does not leak the key from an output difference Thus the securityproof of GCM-RUP is still applicable to this variant But we do not provide aformal security proof The extra block cipher has a limited impact on efficiencyand might offer better security by avoiding our attack
More generally the modified GHASH could replace GHASH in other designsIn particular the corresponding modification of GCM would prevent the uni-versal forgery attack with complexity 22n3 given in [20] We believe that thisconstruction is worth further study Further work will be needed to determinewhether this modification actually provides extra security and how much
7 Conclusion
This paper shows a birthday-bound attack against GCM-RUP [2] using innercollisions to recover the output difference of the function GHASHK2
Hence K2
can be retrieved by solving a polynomial equation and this directly leads toa universal forgery attack against GCM-RUP This forgery attack shows thatthe construction of GCM-RUP breaks drastically when the security bound isreached This is surprising because no such attack is known on GCM the bestknown universal forgery attack requires 22n3 operations
Finally a minor modification of GCM-RUP is suggested to prevent this kindof attack using an additional block cipher to protect the output of GHASHWith little performance loss this design focusing on GHASH can be applied toall GHASH-based designs
In a more general setting our attack technique can be applied to the LRWconstruction [21] with a polynomial universal hash function as used in OCB forinstance Actually the corresponding attack on OCB would match the previousattack by Ferguson [9]
8 Acknowledgement
This work was supported by the National Natural Science Foundation of Chinaunder Grant Nos 61572293 and 61602276 National Cryptography DevelopmentFoundation of China under Grant No MMJJ20170102 Major Scientific andTechnological Innovation Projects of Shandong Province China under Grant
18
No 2017CXGC0704 Natural Science Foundation of Shandong Province Chinaunder Grant No ZR2016FM22
References
1 Andreeva E Bogdanov A Luykx A Mennink B Mouha N Yasuda K How toSecurely Release Unverified Plaintext in Authenticated Encryption In Sarkar PIwata T (Eds) ASIACRYPT 2014 PART I LNCS 8873 pp 105ndash125 Springer
2 Ashur T Dunkelman O Luykx A Boosting Authenticated Encryption Robust-ness with Minimal Modifications In Katz J Shacham H (Eds) CRYPTO 2017Part III LNCS 10403 pp 3-33 Springer
3 Bellare M Namprempre C Authenticated Encryption Relations among Notionsand Analysis of the Generic Composition Paradigm In Okamoto T (Eds) ASI-ACRYPT 2000 LNCS 1976 pp 531ndash545 Springer
4 Bhargavan K Leurent G On the practical (in-)security of 64-bit block ciphersCollision attacks on HTTP over TLS and OpenVPN In Weippl ER Katzen-beisser S Kruegel C Myers AC Halevi S (eds) ACM CCS 2016 pp 456ndash467ACM Press (Oct 2016)
5 Cantor DG Zassenhaus H A new algorithm for factoring polynomials overfinite fields Mathematics of Computation pp 587ndash592 (1981)
6 Chaigneau C Gilbert H Is AEZ v41 sufficiently resilient against key-recoveryattacks IACR Trans Symm Cryptol 2016(1) 114ndash133 (2016) httptosc
iacrorgindexphpToSCarticleview538
7 Dierks T Allen C RFC 2246 - The TLS Protocol Version 10 Internet ActivitiesBoard (Jan 1999)
8 Dworkin M Recommendation for Block Cipher Modes of Operation Ga-loisCounter Mode (GCM) and GMAC National Institute of Standards and Tech-nology SP 800-38D November 2007
9 Ferguson N Collision attacks on OCB Comment to NIST (Feb 2002)
10 Fuhr T Leurent G Suder V Collision attacks against CAESAR candidates -forgery and key-recovery against AEZ and Marble In Iwata T Cheon JH (eds)ASIACRYPT 2015 Part II LNCS vol 9453 pp 510ndash532 Springer Heidelberg(Nov Dec 2015)
11 Gligor V Donescu P Fast Encryption and Authentication XCBC Encryptionand XECB Authentication Modes In Matsui M (Eds) FSE 2001 LNCS 2355pp 92-108 Springer
12 Gueron S Lindell Y GCM-SIV Full Nonce Misuse-Resistant Authenticated En-cryption at Under One Cycle per Byte In Ray I Li N Kruegel C (Eds) Pro-ceedings of the 22nd ACM SIGSAC Conference on Computer and CommunicationsSecurity Denver CO USA 12ndash16 October 2015 pp 109-119 ACM (2015)
13 Halevi S Rogaway P A Parallelizable Enciphering Mode In Okamoto T (Eds)CT-RSA 2004 LNCS 2964 pp 292ndash304 Springer
14 Hoang VT Krovetz T Rogaway P Robust Authenticated-Encryption AEZ andthe Problem That It Solves In Oswald E Fischlin M (eds) EUROCRYPT 2015LNCS vol 9056 pp 15-44 Springer Berlin Heidelberg
15 Inoue A Iwata T Minematsu K Poettering B Cryptanalysis of OCB2 At-tacks on Authenticity and Confidentiality In Boldyreva A Micciancio D (eds)CRYPTO 2019 LNCS vol 11692 Springer Cham
19
16 Iwata T Ohashi K Minematsu K Breaking and repairing GCM securityproofs In Safavi-Naini R Canetti R (eds) CRYPTO 2012 LNCS vol 7417pp 31ndash49 Springer Heidelberg (Aug 2012)
17 Joux A Comments on the Draft GCM Specification - Authentication Fail-ures in NIST Version of GCM httpcsrcnistgovgroupsSTtoolkitBCMdocumentscomments800-38Series-DraftsGCMJouxcommentspdf
18 Jutla C Encryption Modes with Almost Free Message Integrity In Pfitzmann B(Eds) EUROCRYPT 2001 LNCS 2045 pp 529-544 Springer
19 Leurent G Peyrin T Wang L New generic attacks against hash-based MACsIn Sako K Sarkar P (eds) ASIACRYPT 2013 Part II LNCS vol 8270 pp1ndash20 Springer Heidelberg (Dec 2013)
20 Leurent G Sibleyras F The missing difference problem and its applications tocounter mode encryption In Nielsen JB Rijmen V (eds) EUROCRYPT 2018Part II LNCS vol 10821 pp 745ndash770 Springer Heidelberg (Apr May 2018)
21 Liskov M Rivest RL Wagner D Tweakable Block Ciphers In Yung M (Eds)CRYPTO 2002 LNCS 2442 pp 31-46 Springer
22 Luykx A Preneel B Optimal forgeries against polynomial-based MACs andGCM In Nielsen JB Rijmen V (eds) EUROCRYPT 2018 Part I LNCS vol10820 pp 445ndash467 Springer Heidelberg (Apr May 2018)
23 McGrew D Viega J The Security and Performance of the GaloisCounter Mode(GCM) of Operation In Canteaut A Viswanathan K (eds) INDOCRYPT 2004LNCS vol 3348 pp 343-355 Springer Berlin Heidelberg
24 Minematsu K Iwata T Tweak-length extension for tweakable blockciphers InGroth J (ed) 15th IMA International Conference on Cryptography and CodingLNCS vol 9496 pp 77ndash93 Springer Heidelberg (Dec 2015)
25 Mitchell CJ On the security of XCBC TMAC and OMAC Technical Re-port RHUL-MA-2003-4 19 August 2003 Available at httpwwwrhulac
ukmathematicstechreports Also available from NISTrsquos web page at http
csrcnistgovCryptoToolkitmodescomments
26 Nandi M Bernstein bound on WCS is tight - repairing Luykx-Preneel optimalforgeries In Shacham H Boldyreva A (eds) CRYPTO 2018 Part II LNCSvol 10992 pp 213ndash238 Springer Heidelberg (Aug 2018)
27 Peyrin T Wang L Generic universal forgery attack on iterative hash-basedMACs In Nguyen PQ Oswald E (eds) EUROCRYPT 2014 LNCS vol 8441pp 147ndash164 Springer Heidelberg (May 2014)
28 Phan R CW Mini Advanced Encryption Standard (Mini-AES) A Testbed forCryptanalysis Students In Cryptologia XXVI (4) 2002 httpsstaffguilanacirstaffusersrebrahimifckeditor_repofilemini-aes-specpdf
29 Preneel B van Oorschot PC On the security of two MAC algorithms In Mau-rer UM (ed) EUROCRYPTrsquo96 LNCS vol 1070 pp 19ndash32 Springer Heidelberg(May 1996)
30 Rogaway P Bellare M Black J OCB A Block-Cipher Mode of Operation forEfficient Authenticated Encryption Transactions on Information and System Se-curity Vol 6 No 3 August 2003 pp 365-403
31 Rogaway P Shrimpton T A Provable-Security Treatment of the Key-WrapProblem In Vaudenay S (Eds) EUROCRYPT 2006 LNCS 4004 pp 373-390Springer
32 Shrimpton T Terashima RS A Modular Framework for Building Variable-Input-Length Tweakable Ciphers In Sako K Sarkar P (Eds) ASIACRYPT 2013 PartI LNCS 8269 pp 405ndash423 Springer
20
33 Sung J Hong D Lee S Key recovery attacks on the RMAC TMAC andIACBC In Safavi-Naini R Seberry J (eds) ACISP 03 LNCS vol 2727 pp265ndash273 Springer Heidelberg (Jul 2003)
34 Wegman MN Carter L New Hash Functions and Their Use in Authenticationand Set Equality Journal of Computer and System Sciences 22 265-279 (1981)
35 The CAESAR committee CAESAR Competition for Authenticated EncryptionSecurity Applicability and Robustness httpcompetitionscryptocaesarhtml
36 IEEE Standard for Local and Metropolitan Area Networks Media Access Control(MAC) Security IEEE Std 8021AE-2006 (2006)
37 Information Technology - Security Techniques - Authenticated EncryptionISOIEC 197722009 International Standard ISOIEC 19772 (2009)
38 NIST Lightweight Cryptography httpscsrcnistgovProjects
Lightweight-Cryptography
39 National Security Agency Internet Protocol Security (IPsec) Minimum EssentialInteroperability Requirements IPMEIR Version 100 Core (2010) httpwwwnsagoviaprogramssuitebcryptographyindexshtml
40 Sage Documentation SageMath Help httpwwwsagemathorg
21
- Universal Forgery Attack against GCM-RUP
- Yanbin Li Gaeumltan Leurent Meiqin Wang Wei Wang Guoyan Zhang Yu Liu
-
For simplicity we assume that |M | = n and τ = n this implies |C1| = |C2| = 2n
∆G = ∆C[0] middotK32 oplus∆C[1] middotK2
2
This a polynomial equation in K2 in the Galois field with 2128 elements Luckilythere are efficient algorithm to factor polynomials over finite fields For instancethe Cantor-Zassenhaus algorithm [5] requires O(n2(log(r) log(q) + n)) field op-erations to factor a degree-n polynomial with r irreducible factors over a fieldwith q elements In practice with the parameters used here this takes negligibletime using the implementation of SageMath [40]
42 Recovering K2 from Inner Collisions
As explained earlier the first step of the attack is to identify collisions in theinput of EK3 defined as In = N oplus G Following the analysis above we startwith a fixed associated data A and message M and query SEnc for q differentnonces to receive the corresponding encrypted nonces S and ciphertexts C
In order to simplify the description we focus on the value In and we considerthe function mapping NAM to In denoted as PEnc and represented by Fig 3The output values of PEnc can not be accessed by the attacker but collisions inPEnc can be detected As for In and the output Out of EK3
In = N oplusGOut = S oplusG
When the collisions happen ∆In = ∆Out = 0 which means
N1 oplusN2 oplusG1 oplusG2 = 0
S1 oplus S2 oplusG1 oplusG2 = 0
Thus N1 oplus N2 = S1 oplus S2 = ∆G If the collisions ∆N = ∆S can be detectedthe collisions in PEnc can be detected Meanwhile this type of collisions give outthe value of ∆G which can be used to recover K2 Moreover the correspondingpairs can be identified efficiently We just build a list of all nonces indexed byNi oplus Si sort the list and look for collisions each collision corresponds to a pairwith N1 oplus S1 = N2 oplus S2 ie N1 oplusN2 = S1 oplus S2 We now consider the converseand evaluate the probability of a collision in PEnc when N1 oplusN2 = S1 oplus S2
We formally define the two events as X and Y
ndash X (N1 oplusN2 = S1 oplus S2) the event identifying pairs of nonces (N1 N2) withthe input difference equal to the output difference of EK3
which is calledouter collision (equivalently it can be defined as ∆In = ∆Out)
ndash Y (∆In = 0) the event identifying pairs of nonces with collision in PEncie zero input difference for EK3
which is called inner collision
First we observe that Y sube X because if ∆In = 0 then ∆Out = 0 andN1 oplusN2 = S1 oplus S2 = ∆G Therefore we have
Pr[Y |X] =Pr[Y ]
Pr[X]
12
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GHA
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
G
In
PEnc
N A M
In
Fig 3 Representation of the Function PEnc
Moreover we have Pr[Y ] = 2minusn because the output of PEnc with a freshnonce is random assuming that E is a PRF In order to compute Pr[X] weconsider two cases depending on event Y
1 ∆In = 0 Then we have necessarily ∆Out = 0 ie Pr[X|∆In = 0] = 12 ∆In 6= 0 A pair with non-zero input difference must produce a non-zero
output difference Assuming that E is a PRF we have Pr[X|∆In 6= 0] =1
2nminus1
Therefore
Pr(X) =Pr[∆In = ∆Out]
=Pr[∆In = ∆Out|∆In = 0]times Pr[∆In = 0]+
Pr[∆In = ∆Out|∆In 6= 0]times Pr[∆In 6= 0]
=1times 1
2n+
1
2n minus 1times 2n minus 1
2n
=1
2nminus1
(5)
Finally we can conclude
Pr[∆In = 0|N1 oplusN2 = S1 oplus S2] =2minusn
2minusn+1=
1
2 (6)
Attack Procedure We can now give the detailed procedure to recover K2
1 Choose an arbitrary associated data A and a single-block message M thenquery SEnc for q different nonces N and receive the corresponding encrypted
13
nonces S and ciphertexts C save them in a table indexed by N oplus S Witha suitable value of q (in the order of 2n2) there are two pairs of nonces(N1 N2) satisfying N1 oplusN2 = S1 oplus S2 one of which is expected to furthersatisfy ∆In = 0
2 For each pair with N1 oplus N2 = S1 oplus S2 assuming that ∆In = 0 we have∆G = ∆S and we obtain a cubic polynomial equation with unknown variableK2 which can be solved with factoring tools
∆S = GHASHcoreK2(0|A|∆C0n) = ∆C[0] middotK32 oplus∆C[1] middotK2
2
3 Identify the correct candidate for K2 with forgery attempts
Using two pairs of nonces this attack suggests a small set of six key candi-dates The correct key can be identified with forgery attempts or by using morepairs and looking for a repeated key candidate
More precisely we will describe how to construct a forgery with known can-didate of K2 for GCM-RUP in Section 5 for a given message which can be usedto filter the correct K2 There would be two cases
ndash If the forgery is constructed under the correct candidate for K2 it can passthe verification algorithm of GCM-RUP
ndash If the forgery is constructed under the wrong candidate for K2 it will receivea failure of the verification of GCM-RUP
We only need to query the verification oracle SVer six times to identify thecorrect K2 The cost for this step is negligible
Complexity Estimation As already mentioned the probability of two ran-dom nonces N1 and N2 satisfying ∆In = 0 is 2minus128 Starting from a set of qqueries we can evaluate the probability p of finding an inner collision followingthe analysis of the birthday paradox
p 1minus eminusq2(2times2128)
Thus
q radic
2times 2128 ln1
1minus p
Table 1 shows number of nonces needed to achieve the given probability ofsuccess
43 Experimental Verification with Mini-GCM-RUP
In order to verify our attack theory we use a mini version of GCM-RUP con-structed with the 16-bit block cipher 4-round Mini-AES [28] to experimentallyrecover K2 This experiment identifies pairs of nonces in event X and Y from29 random nonces and recover K2 with SageMath We execute this experimentseveral times to give some results to show the validity of probabilities of eventX and Y in our paper the detail is listed in Table 2
In this table we see that probabilities of event X and Y conform to Equation(5) and (6) respectively The complexity of this experiment is dominated by 29
14
Table 1 Number of Nonces Needed to Achieve the Given Success Probability
Number of nonces to identify inner collision Probability of finding inner collision
263 11264 39265 86266 999
Table 2 Experimental Verification with Mini-GCM-RUP
(K1K2K3) Pair of nonces in X ∆In Pr(X) Pr(Y |X)
(0x3d0e0x2afc0x2e91)(0x27040x0889) 0 1
281
(0x76490x7b0d) 0
(0x4ef30x454b0x1e9a)
(0x23230x602d) 0
729
37
(0x11b70x2b2e) 0x0af7(0x7bab0x3a72) 0(0x12150x1e05) 0xa3b5(0x65930x093d) 0xbce8(0x09bd0x2db2) 0x03cf(0x7d350x5e97) 0
(0x53880x26410x7a4f)
(0x0ba90x46f5) 0x5393
328
12
(0x684d0x5786) 0(0x334c0x22e1) 0x0636(0x44870x13f0) 0(0x54130x03d8) 0(0x5a910x179f) 0x0c06
(0x56910x2ee90x5a68)(0x38740x7546) 0x3fcb 1
2812(0x44b00x4323) 0
15
5 Universal Forgery Attack of GCM-RUP
In this section we will construct forgeries for GCM-RUP given a candidate forK2 We consider a challenge message Mlowast (and possibly a challenge associateddata Alowast) and our goal is to construct a valid ciphertext for Mlowast
51 Almost Universal Forgery Attack
The first forgery attack makes only one query to the encryption oracle SEnc andthen constructs a forgery by solving an equation over GF (2128)
For an arbitrary nonce N associated data A and message M (with |M | =|Mlowast|) query (NAM) and receive the corresponding ciphertext (SC) LetG = GHASHK2
(AC) and the keystream used to XOR message is computed by
EncK1(N) = C oplus (0τM)
We create a valid encryption of Mlowast by reusing the same nonce N and the valuesG and S
First we compute Clowast corresponding to Mlowast
Clowast = 0τMlowast oplus EncK1(N)
= 0τMlowast oplus (C oplus 0τM)(7)
Then we construct Aprime such that
GHASHK2(Aprime Clowast) = GHASHK2
(AC)
where A C Clowast and K2 are known This gives a linear equation over GF (2128)which can easily be solved assuming that |Aprime| ge 128 and K2 6= 0
To summarize for any chosen message Mlowast we can give a successful forgery(AprimeMlowast Sprime C prime) satisfying (Sprime = SC prime = 0τMlowastoplus(Coplus0τM)) This is an almostuniversal forgery because we can choose Mlowast freely but not Aprime
52 Universal Forgery Attack
Alternatively we can design an attack where we choose both Alowast and Mlowast using2n2 queries First we make 2n2 queries (Ni AM) for fixed A and M with|M | = |Mlowast| and receive the corresponding (Si Ci) Since K2 is known we cancompute Gi = GHASH(ACi) and recover the corresponding inputs and outputsto EK3
EK3(Ni oplusGi) = Si oplusGi
Then we can use the same nonces Ni to build a forgery For each Ni webuild the corresponding C primei from Mlowast and Ci as above and we check whetherNioplusGHASH(Alowast C primei) is in the set of known inputs to EK3
With high probabilityone of the nonces will result in a match Ni oplus GHASH(Alowast C primei) = Nj oplus Gj andwe deduce a forgery using Sprime = Sj oplusGj oplus GHASH(Alowast C primei)
16
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
K4E
Fig 4 A Variant for GCM-RUP
17
6 Variant of GCM-RUP
Our forgery attack against GCM-RUP highlights a potential weakness on thestructure of GCM-RUP the output difference of the function GHASHK2
canbe recovered with birthday complexity and this leads to a recovery of K2 Inorder to prevent this attack we suggest to add a block cipher call in the TBCconstruction used in GCM-RUP as shown in Fig 4 to avoid leakage of theoutput difference of the function GHASHK2
This modified TBC still follows the XTX construction of Iwata and Mine-matsu [24] using universal hash function EK4
(GHASHK2(AC)) instead of the
original GHASHK2(AC) The new universal hash function has the same security
bounds but does not leak the key from an output difference Thus the securityproof of GCM-RUP is still applicable to this variant But we do not provide aformal security proof The extra block cipher has a limited impact on efficiencyand might offer better security by avoiding our attack
More generally the modified GHASH could replace GHASH in other designsIn particular the corresponding modification of GCM would prevent the uni-versal forgery attack with complexity 22n3 given in [20] We believe that thisconstruction is worth further study Further work will be needed to determinewhether this modification actually provides extra security and how much
7 Conclusion
This paper shows a birthday-bound attack against GCM-RUP [2] using innercollisions to recover the output difference of the function GHASHK2
Hence K2
can be retrieved by solving a polynomial equation and this directly leads toa universal forgery attack against GCM-RUP This forgery attack shows thatthe construction of GCM-RUP breaks drastically when the security bound isreached This is surprising because no such attack is known on GCM the bestknown universal forgery attack requires 22n3 operations
Finally a minor modification of GCM-RUP is suggested to prevent this kindof attack using an additional block cipher to protect the output of GHASHWith little performance loss this design focusing on GHASH can be applied toall GHASH-based designs
In a more general setting our attack technique can be applied to the LRWconstruction [21] with a polynomial universal hash function as used in OCB forinstance Actually the corresponding attack on OCB would match the previousattack by Ferguson [9]
8 Acknowledgement
This work was supported by the National Natural Science Foundation of Chinaunder Grant Nos 61572293 and 61602276 National Cryptography DevelopmentFoundation of China under Grant No MMJJ20170102 Major Scientific andTechnological Innovation Projects of Shandong Province China under Grant
18
No 2017CXGC0704 Natural Science Foundation of Shandong Province Chinaunder Grant No ZR2016FM22
References
1 Andreeva E Bogdanov A Luykx A Mennink B Mouha N Yasuda K How toSecurely Release Unverified Plaintext in Authenticated Encryption In Sarkar PIwata T (Eds) ASIACRYPT 2014 PART I LNCS 8873 pp 105ndash125 Springer
2 Ashur T Dunkelman O Luykx A Boosting Authenticated Encryption Robust-ness with Minimal Modifications In Katz J Shacham H (Eds) CRYPTO 2017Part III LNCS 10403 pp 3-33 Springer
3 Bellare M Namprempre C Authenticated Encryption Relations among Notionsand Analysis of the Generic Composition Paradigm In Okamoto T (Eds) ASI-ACRYPT 2000 LNCS 1976 pp 531ndash545 Springer
4 Bhargavan K Leurent G On the practical (in-)security of 64-bit block ciphersCollision attacks on HTTP over TLS and OpenVPN In Weippl ER Katzen-beisser S Kruegel C Myers AC Halevi S (eds) ACM CCS 2016 pp 456ndash467ACM Press (Oct 2016)
5 Cantor DG Zassenhaus H A new algorithm for factoring polynomials overfinite fields Mathematics of Computation pp 587ndash592 (1981)
6 Chaigneau C Gilbert H Is AEZ v41 sufficiently resilient against key-recoveryattacks IACR Trans Symm Cryptol 2016(1) 114ndash133 (2016) httptosc
iacrorgindexphpToSCarticleview538
7 Dierks T Allen C RFC 2246 - The TLS Protocol Version 10 Internet ActivitiesBoard (Jan 1999)
8 Dworkin M Recommendation for Block Cipher Modes of Operation Ga-loisCounter Mode (GCM) and GMAC National Institute of Standards and Tech-nology SP 800-38D November 2007
9 Ferguson N Collision attacks on OCB Comment to NIST (Feb 2002)
10 Fuhr T Leurent G Suder V Collision attacks against CAESAR candidates -forgery and key-recovery against AEZ and Marble In Iwata T Cheon JH (eds)ASIACRYPT 2015 Part II LNCS vol 9453 pp 510ndash532 Springer Heidelberg(Nov Dec 2015)
11 Gligor V Donescu P Fast Encryption and Authentication XCBC Encryptionand XECB Authentication Modes In Matsui M (Eds) FSE 2001 LNCS 2355pp 92-108 Springer
12 Gueron S Lindell Y GCM-SIV Full Nonce Misuse-Resistant Authenticated En-cryption at Under One Cycle per Byte In Ray I Li N Kruegel C (Eds) Pro-ceedings of the 22nd ACM SIGSAC Conference on Computer and CommunicationsSecurity Denver CO USA 12ndash16 October 2015 pp 109-119 ACM (2015)
13 Halevi S Rogaway P A Parallelizable Enciphering Mode In Okamoto T (Eds)CT-RSA 2004 LNCS 2964 pp 292ndash304 Springer
14 Hoang VT Krovetz T Rogaway P Robust Authenticated-Encryption AEZ andthe Problem That It Solves In Oswald E Fischlin M (eds) EUROCRYPT 2015LNCS vol 9056 pp 15-44 Springer Berlin Heidelberg
15 Inoue A Iwata T Minematsu K Poettering B Cryptanalysis of OCB2 At-tacks on Authenticity and Confidentiality In Boldyreva A Micciancio D (eds)CRYPTO 2019 LNCS vol 11692 Springer Cham
19
16 Iwata T Ohashi K Minematsu K Breaking and repairing GCM securityproofs In Safavi-Naini R Canetti R (eds) CRYPTO 2012 LNCS vol 7417pp 31ndash49 Springer Heidelberg (Aug 2012)
17 Joux A Comments on the Draft GCM Specification - Authentication Fail-ures in NIST Version of GCM httpcsrcnistgovgroupsSTtoolkitBCMdocumentscomments800-38Series-DraftsGCMJouxcommentspdf
18 Jutla C Encryption Modes with Almost Free Message Integrity In Pfitzmann B(Eds) EUROCRYPT 2001 LNCS 2045 pp 529-544 Springer
19 Leurent G Peyrin T Wang L New generic attacks against hash-based MACsIn Sako K Sarkar P (eds) ASIACRYPT 2013 Part II LNCS vol 8270 pp1ndash20 Springer Heidelberg (Dec 2013)
20 Leurent G Sibleyras F The missing difference problem and its applications tocounter mode encryption In Nielsen JB Rijmen V (eds) EUROCRYPT 2018Part II LNCS vol 10821 pp 745ndash770 Springer Heidelberg (Apr May 2018)
21 Liskov M Rivest RL Wagner D Tweakable Block Ciphers In Yung M (Eds)CRYPTO 2002 LNCS 2442 pp 31-46 Springer
22 Luykx A Preneel B Optimal forgeries against polynomial-based MACs andGCM In Nielsen JB Rijmen V (eds) EUROCRYPT 2018 Part I LNCS vol10820 pp 445ndash467 Springer Heidelberg (Apr May 2018)
23 McGrew D Viega J The Security and Performance of the GaloisCounter Mode(GCM) of Operation In Canteaut A Viswanathan K (eds) INDOCRYPT 2004LNCS vol 3348 pp 343-355 Springer Berlin Heidelberg
24 Minematsu K Iwata T Tweak-length extension for tweakable blockciphers InGroth J (ed) 15th IMA International Conference on Cryptography and CodingLNCS vol 9496 pp 77ndash93 Springer Heidelberg (Dec 2015)
25 Mitchell CJ On the security of XCBC TMAC and OMAC Technical Re-port RHUL-MA-2003-4 19 August 2003 Available at httpwwwrhulac
ukmathematicstechreports Also available from NISTrsquos web page at http
csrcnistgovCryptoToolkitmodescomments
26 Nandi M Bernstein bound on WCS is tight - repairing Luykx-Preneel optimalforgeries In Shacham H Boldyreva A (eds) CRYPTO 2018 Part II LNCSvol 10992 pp 213ndash238 Springer Heidelberg (Aug 2018)
27 Peyrin T Wang L Generic universal forgery attack on iterative hash-basedMACs In Nguyen PQ Oswald E (eds) EUROCRYPT 2014 LNCS vol 8441pp 147ndash164 Springer Heidelberg (May 2014)
28 Phan R CW Mini Advanced Encryption Standard (Mini-AES) A Testbed forCryptanalysis Students In Cryptologia XXVI (4) 2002 httpsstaffguilanacirstaffusersrebrahimifckeditor_repofilemini-aes-specpdf
29 Preneel B van Oorschot PC On the security of two MAC algorithms In Mau-rer UM (ed) EUROCRYPTrsquo96 LNCS vol 1070 pp 19ndash32 Springer Heidelberg(May 1996)
30 Rogaway P Bellare M Black J OCB A Block-Cipher Mode of Operation forEfficient Authenticated Encryption Transactions on Information and System Se-curity Vol 6 No 3 August 2003 pp 365-403
31 Rogaway P Shrimpton T A Provable-Security Treatment of the Key-WrapProblem In Vaudenay S (Eds) EUROCRYPT 2006 LNCS 4004 pp 373-390Springer
32 Shrimpton T Terashima RS A Modular Framework for Building Variable-Input-Length Tweakable Ciphers In Sako K Sarkar P (Eds) ASIACRYPT 2013 PartI LNCS 8269 pp 405ndash423 Springer
20
33 Sung J Hong D Lee S Key recovery attacks on the RMAC TMAC andIACBC In Safavi-Naini R Seberry J (eds) ACISP 03 LNCS vol 2727 pp265ndash273 Springer Heidelberg (Jul 2003)
34 Wegman MN Carter L New Hash Functions and Their Use in Authenticationand Set Equality Journal of Computer and System Sciences 22 265-279 (1981)
35 The CAESAR committee CAESAR Competition for Authenticated EncryptionSecurity Applicability and Robustness httpcompetitionscryptocaesarhtml
36 IEEE Standard for Local and Metropolitan Area Networks Media Access Control(MAC) Security IEEE Std 8021AE-2006 (2006)
37 Information Technology - Security Techniques - Authenticated EncryptionISOIEC 197722009 International Standard ISOIEC 19772 (2009)
38 NIST Lightweight Cryptography httpscsrcnistgovProjects
Lightweight-Cryptography
39 National Security Agency Internet Protocol Security (IPsec) Minimum EssentialInteroperability Requirements IPMEIR Version 100 Core (2010) httpwwwnsagoviaprogramssuitebcryptographyindexshtml
40 Sage Documentation SageMath Help httpwwwsagemathorg
21
- Universal Forgery Attack against GCM-RUP
- Yanbin Li Gaeumltan Leurent Meiqin Wang Wei Wang Guoyan Zhang Yu Liu
-
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GHA
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
G
In
PEnc
N A M
In
Fig 3 Representation of the Function PEnc
Moreover we have Pr[Y ] = 2minusn because the output of PEnc with a freshnonce is random assuming that E is a PRF In order to compute Pr[X] weconsider two cases depending on event Y
1 ∆In = 0 Then we have necessarily ∆Out = 0 ie Pr[X|∆In = 0] = 12 ∆In 6= 0 A pair with non-zero input difference must produce a non-zero
output difference Assuming that E is a PRF we have Pr[X|∆In 6= 0] =1
2nminus1
Therefore
Pr(X) =Pr[∆In = ∆Out]
=Pr[∆In = ∆Out|∆In = 0]times Pr[∆In = 0]+
Pr[∆In = ∆Out|∆In 6= 0]times Pr[∆In 6= 0]
=1times 1
2n+
1
2n minus 1times 2n minus 1
2n
=1
2nminus1
(5)
Finally we can conclude
Pr[∆In = 0|N1 oplusN2 = S1 oplus S2] =2minusn
2minusn+1=
1
2 (6)
Attack Procedure We can now give the detailed procedure to recover K2
1 Choose an arbitrary associated data A and a single-block message M thenquery SEnc for q different nonces N and receive the corresponding encrypted
13
nonces S and ciphertexts C save them in a table indexed by N oplus S Witha suitable value of q (in the order of 2n2) there are two pairs of nonces(N1 N2) satisfying N1 oplusN2 = S1 oplus S2 one of which is expected to furthersatisfy ∆In = 0
2 For each pair with N1 oplus N2 = S1 oplus S2 assuming that ∆In = 0 we have∆G = ∆S and we obtain a cubic polynomial equation with unknown variableK2 which can be solved with factoring tools
∆S = GHASHcoreK2(0|A|∆C0n) = ∆C[0] middotK32 oplus∆C[1] middotK2
2
3 Identify the correct candidate for K2 with forgery attempts
Using two pairs of nonces this attack suggests a small set of six key candi-dates The correct key can be identified with forgery attempts or by using morepairs and looking for a repeated key candidate
More precisely we will describe how to construct a forgery with known can-didate of K2 for GCM-RUP in Section 5 for a given message which can be usedto filter the correct K2 There would be two cases
ndash If the forgery is constructed under the correct candidate for K2 it can passthe verification algorithm of GCM-RUP
ndash If the forgery is constructed under the wrong candidate for K2 it will receivea failure of the verification of GCM-RUP
We only need to query the verification oracle SVer six times to identify thecorrect K2 The cost for this step is negligible
Complexity Estimation As already mentioned the probability of two ran-dom nonces N1 and N2 satisfying ∆In = 0 is 2minus128 Starting from a set of qqueries we can evaluate the probability p of finding an inner collision followingthe analysis of the birthday paradox
p 1minus eminusq2(2times2128)
Thus
q radic
2times 2128 ln1
1minus p
Table 1 shows number of nonces needed to achieve the given probability ofsuccess
43 Experimental Verification with Mini-GCM-RUP
In order to verify our attack theory we use a mini version of GCM-RUP con-structed with the 16-bit block cipher 4-round Mini-AES [28] to experimentallyrecover K2 This experiment identifies pairs of nonces in event X and Y from29 random nonces and recover K2 with SageMath We execute this experimentseveral times to give some results to show the validity of probabilities of eventX and Y in our paper the detail is listed in Table 2
In this table we see that probabilities of event X and Y conform to Equation(5) and (6) respectively The complexity of this experiment is dominated by 29
14
Table 1 Number of Nonces Needed to Achieve the Given Success Probability
Number of nonces to identify inner collision Probability of finding inner collision
263 11264 39265 86266 999
Table 2 Experimental Verification with Mini-GCM-RUP
(K1K2K3) Pair of nonces in X ∆In Pr(X) Pr(Y |X)
(0x3d0e0x2afc0x2e91)(0x27040x0889) 0 1
281
(0x76490x7b0d) 0
(0x4ef30x454b0x1e9a)
(0x23230x602d) 0
729
37
(0x11b70x2b2e) 0x0af7(0x7bab0x3a72) 0(0x12150x1e05) 0xa3b5(0x65930x093d) 0xbce8(0x09bd0x2db2) 0x03cf(0x7d350x5e97) 0
(0x53880x26410x7a4f)
(0x0ba90x46f5) 0x5393
328
12
(0x684d0x5786) 0(0x334c0x22e1) 0x0636(0x44870x13f0) 0(0x54130x03d8) 0(0x5a910x179f) 0x0c06
(0x56910x2ee90x5a68)(0x38740x7546) 0x3fcb 1
2812(0x44b00x4323) 0
15
5 Universal Forgery Attack of GCM-RUP
In this section we will construct forgeries for GCM-RUP given a candidate forK2 We consider a challenge message Mlowast (and possibly a challenge associateddata Alowast) and our goal is to construct a valid ciphertext for Mlowast
51 Almost Universal Forgery Attack
The first forgery attack makes only one query to the encryption oracle SEnc andthen constructs a forgery by solving an equation over GF (2128)
For an arbitrary nonce N associated data A and message M (with |M | =|Mlowast|) query (NAM) and receive the corresponding ciphertext (SC) LetG = GHASHK2
(AC) and the keystream used to XOR message is computed by
EncK1(N) = C oplus (0τM)
We create a valid encryption of Mlowast by reusing the same nonce N and the valuesG and S
First we compute Clowast corresponding to Mlowast
Clowast = 0τMlowast oplus EncK1(N)
= 0τMlowast oplus (C oplus 0τM)(7)
Then we construct Aprime such that
GHASHK2(Aprime Clowast) = GHASHK2
(AC)
where A C Clowast and K2 are known This gives a linear equation over GF (2128)which can easily be solved assuming that |Aprime| ge 128 and K2 6= 0
To summarize for any chosen message Mlowast we can give a successful forgery(AprimeMlowast Sprime C prime) satisfying (Sprime = SC prime = 0τMlowastoplus(Coplus0τM)) This is an almostuniversal forgery because we can choose Mlowast freely but not Aprime
52 Universal Forgery Attack
Alternatively we can design an attack where we choose both Alowast and Mlowast using2n2 queries First we make 2n2 queries (Ni AM) for fixed A and M with|M | = |Mlowast| and receive the corresponding (Si Ci) Since K2 is known we cancompute Gi = GHASH(ACi) and recover the corresponding inputs and outputsto EK3
EK3(Ni oplusGi) = Si oplusGi
Then we can use the same nonces Ni to build a forgery For each Ni webuild the corresponding C primei from Mlowast and Ci as above and we check whetherNioplusGHASH(Alowast C primei) is in the set of known inputs to EK3
With high probabilityone of the nonces will result in a match Ni oplus GHASH(Alowast C primei) = Nj oplus Gj andwe deduce a forgery using Sprime = Sj oplusGj oplus GHASH(Alowast C primei)
16
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
K4E
Fig 4 A Variant for GCM-RUP
17
6 Variant of GCM-RUP
Our forgery attack against GCM-RUP highlights a potential weakness on thestructure of GCM-RUP the output difference of the function GHASHK2
canbe recovered with birthday complexity and this leads to a recovery of K2 Inorder to prevent this attack we suggest to add a block cipher call in the TBCconstruction used in GCM-RUP as shown in Fig 4 to avoid leakage of theoutput difference of the function GHASHK2
This modified TBC still follows the XTX construction of Iwata and Mine-matsu [24] using universal hash function EK4
(GHASHK2(AC)) instead of the
original GHASHK2(AC) The new universal hash function has the same security
bounds but does not leak the key from an output difference Thus the securityproof of GCM-RUP is still applicable to this variant But we do not provide aformal security proof The extra block cipher has a limited impact on efficiencyand might offer better security by avoiding our attack
More generally the modified GHASH could replace GHASH in other designsIn particular the corresponding modification of GCM would prevent the uni-versal forgery attack with complexity 22n3 given in [20] We believe that thisconstruction is worth further study Further work will be needed to determinewhether this modification actually provides extra security and how much
7 Conclusion
This paper shows a birthday-bound attack against GCM-RUP [2] using innercollisions to recover the output difference of the function GHASHK2
Hence K2
can be retrieved by solving a polynomial equation and this directly leads toa universal forgery attack against GCM-RUP This forgery attack shows thatthe construction of GCM-RUP breaks drastically when the security bound isreached This is surprising because no such attack is known on GCM the bestknown universal forgery attack requires 22n3 operations
Finally a minor modification of GCM-RUP is suggested to prevent this kindof attack using an additional block cipher to protect the output of GHASHWith little performance loss this design focusing on GHASH can be applied toall GHASH-based designs
In a more general setting our attack technique can be applied to the LRWconstruction [21] with a polynomial universal hash function as used in OCB forinstance Actually the corresponding attack on OCB would match the previousattack by Ferguson [9]
8 Acknowledgement
This work was supported by the National Natural Science Foundation of Chinaunder Grant Nos 61572293 and 61602276 National Cryptography DevelopmentFoundation of China under Grant No MMJJ20170102 Major Scientific andTechnological Innovation Projects of Shandong Province China under Grant
18
No 2017CXGC0704 Natural Science Foundation of Shandong Province Chinaunder Grant No ZR2016FM22
References
1 Andreeva E Bogdanov A Luykx A Mennink B Mouha N Yasuda K How toSecurely Release Unverified Plaintext in Authenticated Encryption In Sarkar PIwata T (Eds) ASIACRYPT 2014 PART I LNCS 8873 pp 105ndash125 Springer
2 Ashur T Dunkelman O Luykx A Boosting Authenticated Encryption Robust-ness with Minimal Modifications In Katz J Shacham H (Eds) CRYPTO 2017Part III LNCS 10403 pp 3-33 Springer
3 Bellare M Namprempre C Authenticated Encryption Relations among Notionsand Analysis of the Generic Composition Paradigm In Okamoto T (Eds) ASI-ACRYPT 2000 LNCS 1976 pp 531ndash545 Springer
4 Bhargavan K Leurent G On the practical (in-)security of 64-bit block ciphersCollision attacks on HTTP over TLS and OpenVPN In Weippl ER Katzen-beisser S Kruegel C Myers AC Halevi S (eds) ACM CCS 2016 pp 456ndash467ACM Press (Oct 2016)
5 Cantor DG Zassenhaus H A new algorithm for factoring polynomials overfinite fields Mathematics of Computation pp 587ndash592 (1981)
6 Chaigneau C Gilbert H Is AEZ v41 sufficiently resilient against key-recoveryattacks IACR Trans Symm Cryptol 2016(1) 114ndash133 (2016) httptosc
iacrorgindexphpToSCarticleview538
7 Dierks T Allen C RFC 2246 - The TLS Protocol Version 10 Internet ActivitiesBoard (Jan 1999)
8 Dworkin M Recommendation for Block Cipher Modes of Operation Ga-loisCounter Mode (GCM) and GMAC National Institute of Standards and Tech-nology SP 800-38D November 2007
9 Ferguson N Collision attacks on OCB Comment to NIST (Feb 2002)
10 Fuhr T Leurent G Suder V Collision attacks against CAESAR candidates -forgery and key-recovery against AEZ and Marble In Iwata T Cheon JH (eds)ASIACRYPT 2015 Part II LNCS vol 9453 pp 510ndash532 Springer Heidelberg(Nov Dec 2015)
11 Gligor V Donescu P Fast Encryption and Authentication XCBC Encryptionand XECB Authentication Modes In Matsui M (Eds) FSE 2001 LNCS 2355pp 92-108 Springer
12 Gueron S Lindell Y GCM-SIV Full Nonce Misuse-Resistant Authenticated En-cryption at Under One Cycle per Byte In Ray I Li N Kruegel C (Eds) Pro-ceedings of the 22nd ACM SIGSAC Conference on Computer and CommunicationsSecurity Denver CO USA 12ndash16 October 2015 pp 109-119 ACM (2015)
13 Halevi S Rogaway P A Parallelizable Enciphering Mode In Okamoto T (Eds)CT-RSA 2004 LNCS 2964 pp 292ndash304 Springer
14 Hoang VT Krovetz T Rogaway P Robust Authenticated-Encryption AEZ andthe Problem That It Solves In Oswald E Fischlin M (eds) EUROCRYPT 2015LNCS vol 9056 pp 15-44 Springer Berlin Heidelberg
15 Inoue A Iwata T Minematsu K Poettering B Cryptanalysis of OCB2 At-tacks on Authenticity and Confidentiality In Boldyreva A Micciancio D (eds)CRYPTO 2019 LNCS vol 11692 Springer Cham
19
16 Iwata T Ohashi K Minematsu K Breaking and repairing GCM securityproofs In Safavi-Naini R Canetti R (eds) CRYPTO 2012 LNCS vol 7417pp 31ndash49 Springer Heidelberg (Aug 2012)
17 Joux A Comments on the Draft GCM Specification - Authentication Fail-ures in NIST Version of GCM httpcsrcnistgovgroupsSTtoolkitBCMdocumentscomments800-38Series-DraftsGCMJouxcommentspdf
18 Jutla C Encryption Modes with Almost Free Message Integrity In Pfitzmann B(Eds) EUROCRYPT 2001 LNCS 2045 pp 529-544 Springer
19 Leurent G Peyrin T Wang L New generic attacks against hash-based MACsIn Sako K Sarkar P (eds) ASIACRYPT 2013 Part II LNCS vol 8270 pp1ndash20 Springer Heidelberg (Dec 2013)
20 Leurent G Sibleyras F The missing difference problem and its applications tocounter mode encryption In Nielsen JB Rijmen V (eds) EUROCRYPT 2018Part II LNCS vol 10821 pp 745ndash770 Springer Heidelberg (Apr May 2018)
21 Liskov M Rivest RL Wagner D Tweakable Block Ciphers In Yung M (Eds)CRYPTO 2002 LNCS 2442 pp 31-46 Springer
22 Luykx A Preneel B Optimal forgeries against polynomial-based MACs andGCM In Nielsen JB Rijmen V (eds) EUROCRYPT 2018 Part I LNCS vol10820 pp 445ndash467 Springer Heidelberg (Apr May 2018)
23 McGrew D Viega J The Security and Performance of the GaloisCounter Mode(GCM) of Operation In Canteaut A Viswanathan K (eds) INDOCRYPT 2004LNCS vol 3348 pp 343-355 Springer Berlin Heidelberg
24 Minematsu K Iwata T Tweak-length extension for tweakable blockciphers InGroth J (ed) 15th IMA International Conference on Cryptography and CodingLNCS vol 9496 pp 77ndash93 Springer Heidelberg (Dec 2015)
25 Mitchell CJ On the security of XCBC TMAC and OMAC Technical Re-port RHUL-MA-2003-4 19 August 2003 Available at httpwwwrhulac
ukmathematicstechreports Also available from NISTrsquos web page at http
csrcnistgovCryptoToolkitmodescomments
26 Nandi M Bernstein bound on WCS is tight - repairing Luykx-Preneel optimalforgeries In Shacham H Boldyreva A (eds) CRYPTO 2018 Part II LNCSvol 10992 pp 213ndash238 Springer Heidelberg (Aug 2018)
27 Peyrin T Wang L Generic universal forgery attack on iterative hash-basedMACs In Nguyen PQ Oswald E (eds) EUROCRYPT 2014 LNCS vol 8441pp 147ndash164 Springer Heidelberg (May 2014)
28 Phan R CW Mini Advanced Encryption Standard (Mini-AES) A Testbed forCryptanalysis Students In Cryptologia XXVI (4) 2002 httpsstaffguilanacirstaffusersrebrahimifckeditor_repofilemini-aes-specpdf
29 Preneel B van Oorschot PC On the security of two MAC algorithms In Mau-rer UM (ed) EUROCRYPTrsquo96 LNCS vol 1070 pp 19ndash32 Springer Heidelberg(May 1996)
30 Rogaway P Bellare M Black J OCB A Block-Cipher Mode of Operation forEfficient Authenticated Encryption Transactions on Information and System Se-curity Vol 6 No 3 August 2003 pp 365-403
31 Rogaway P Shrimpton T A Provable-Security Treatment of the Key-WrapProblem In Vaudenay S (Eds) EUROCRYPT 2006 LNCS 4004 pp 373-390Springer
32 Shrimpton T Terashima RS A Modular Framework for Building Variable-Input-Length Tweakable Ciphers In Sako K Sarkar P (Eds) ASIACRYPT 2013 PartI LNCS 8269 pp 405ndash423 Springer
20
33 Sung J Hong D Lee S Key recovery attacks on the RMAC TMAC andIACBC In Safavi-Naini R Seberry J (eds) ACISP 03 LNCS vol 2727 pp265ndash273 Springer Heidelberg (Jul 2003)
34 Wegman MN Carter L New Hash Functions and Their Use in Authenticationand Set Equality Journal of Computer and System Sciences 22 265-279 (1981)
35 The CAESAR committee CAESAR Competition for Authenticated EncryptionSecurity Applicability and Robustness httpcompetitionscryptocaesarhtml
36 IEEE Standard for Local and Metropolitan Area Networks Media Access Control(MAC) Security IEEE Std 8021AE-2006 (2006)
37 Information Technology - Security Techniques - Authenticated EncryptionISOIEC 197722009 International Standard ISOIEC 19772 (2009)
38 NIST Lightweight Cryptography httpscsrcnistgovProjects
Lightweight-Cryptography
39 National Security Agency Internet Protocol Security (IPsec) Minimum EssentialInteroperability Requirements IPMEIR Version 100 Core (2010) httpwwwnsagoviaprogramssuitebcryptographyindexshtml
40 Sage Documentation SageMath Help httpwwwsagemathorg
21
- Universal Forgery Attack against GCM-RUP
- Yanbin Li Gaeumltan Leurent Meiqin Wang Wei Wang Guoyan Zhang Yu Liu
-
nonces S and ciphertexts C save them in a table indexed by N oplus S Witha suitable value of q (in the order of 2n2) there are two pairs of nonces(N1 N2) satisfying N1 oplusN2 = S1 oplus S2 one of which is expected to furthersatisfy ∆In = 0
2 For each pair with N1 oplus N2 = S1 oplus S2 assuming that ∆In = 0 we have∆G = ∆S and we obtain a cubic polynomial equation with unknown variableK2 which can be solved with factoring tools
∆S = GHASHcoreK2(0|A|∆C0n) = ∆C[0] middotK32 oplus∆C[1] middotK2
2
3 Identify the correct candidate for K2 with forgery attempts
Using two pairs of nonces this attack suggests a small set of six key candi-dates The correct key can be identified with forgery attempts or by using morepairs and looking for a repeated key candidate
More precisely we will describe how to construct a forgery with known can-didate of K2 for GCM-RUP in Section 5 for a given message which can be usedto filter the correct K2 There would be two cases
ndash If the forgery is constructed under the correct candidate for K2 it can passthe verification algorithm of GCM-RUP
ndash If the forgery is constructed under the wrong candidate for K2 it will receivea failure of the verification of GCM-RUP
We only need to query the verification oracle SVer six times to identify thecorrect K2 The cost for this step is negligible
Complexity Estimation As already mentioned the probability of two ran-dom nonces N1 and N2 satisfying ∆In = 0 is 2minus128 Starting from a set of qqueries we can evaluate the probability p of finding an inner collision followingthe analysis of the birthday paradox
p 1minus eminusq2(2times2128)
Thus
q radic
2times 2128 ln1
1minus p
Table 1 shows number of nonces needed to achieve the given probability ofsuccess
43 Experimental Verification with Mini-GCM-RUP
In order to verify our attack theory we use a mini version of GCM-RUP con-structed with the 16-bit block cipher 4-round Mini-AES [28] to experimentallyrecover K2 This experiment identifies pairs of nonces in event X and Y from29 random nonces and recover K2 with SageMath We execute this experimentseveral times to give some results to show the validity of probabilities of eventX and Y in our paper the detail is listed in Table 2
In this table we see that probabilities of event X and Y conform to Equation(5) and (6) respectively The complexity of this experiment is dominated by 29
14
Table 1 Number of Nonces Needed to Achieve the Given Success Probability
Number of nonces to identify inner collision Probability of finding inner collision
263 11264 39265 86266 999
Table 2 Experimental Verification with Mini-GCM-RUP
(K1K2K3) Pair of nonces in X ∆In Pr(X) Pr(Y |X)
(0x3d0e0x2afc0x2e91)(0x27040x0889) 0 1
281
(0x76490x7b0d) 0
(0x4ef30x454b0x1e9a)
(0x23230x602d) 0
729
37
(0x11b70x2b2e) 0x0af7(0x7bab0x3a72) 0(0x12150x1e05) 0xa3b5(0x65930x093d) 0xbce8(0x09bd0x2db2) 0x03cf(0x7d350x5e97) 0
(0x53880x26410x7a4f)
(0x0ba90x46f5) 0x5393
328
12
(0x684d0x5786) 0(0x334c0x22e1) 0x0636(0x44870x13f0) 0(0x54130x03d8) 0(0x5a910x179f) 0x0c06
(0x56910x2ee90x5a68)(0x38740x7546) 0x3fcb 1
2812(0x44b00x4323) 0
15
5 Universal Forgery Attack of GCM-RUP
In this section we will construct forgeries for GCM-RUP given a candidate forK2 We consider a challenge message Mlowast (and possibly a challenge associateddata Alowast) and our goal is to construct a valid ciphertext for Mlowast
51 Almost Universal Forgery Attack
The first forgery attack makes only one query to the encryption oracle SEnc andthen constructs a forgery by solving an equation over GF (2128)
For an arbitrary nonce N associated data A and message M (with |M | =|Mlowast|) query (NAM) and receive the corresponding ciphertext (SC) LetG = GHASHK2
(AC) and the keystream used to XOR message is computed by
EncK1(N) = C oplus (0τM)
We create a valid encryption of Mlowast by reusing the same nonce N and the valuesG and S
First we compute Clowast corresponding to Mlowast
Clowast = 0τMlowast oplus EncK1(N)
= 0τMlowast oplus (C oplus 0τM)(7)
Then we construct Aprime such that
GHASHK2(Aprime Clowast) = GHASHK2
(AC)
where A C Clowast and K2 are known This gives a linear equation over GF (2128)which can easily be solved assuming that |Aprime| ge 128 and K2 6= 0
To summarize for any chosen message Mlowast we can give a successful forgery(AprimeMlowast Sprime C prime) satisfying (Sprime = SC prime = 0τMlowastoplus(Coplus0τM)) This is an almostuniversal forgery because we can choose Mlowast freely but not Aprime
52 Universal Forgery Attack
Alternatively we can design an attack where we choose both Alowast and Mlowast using2n2 queries First we make 2n2 queries (Ni AM) for fixed A and M with|M | = |Mlowast| and receive the corresponding (Si Ci) Since K2 is known we cancompute Gi = GHASH(ACi) and recover the corresponding inputs and outputsto EK3
EK3(Ni oplusGi) = Si oplusGi
Then we can use the same nonces Ni to build a forgery For each Ni webuild the corresponding C primei from Mlowast and Ci as above and we check whetherNioplusGHASH(Alowast C primei) is in the set of known inputs to EK3
With high probabilityone of the nonces will result in a match Ni oplus GHASH(Alowast C primei) = Nj oplus Gj andwe deduce a forgery using Sprime = Sj oplusGj oplus GHASH(Alowast C primei)
16
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
K4E
Fig 4 A Variant for GCM-RUP
17
6 Variant of GCM-RUP
Our forgery attack against GCM-RUP highlights a potential weakness on thestructure of GCM-RUP the output difference of the function GHASHK2
canbe recovered with birthday complexity and this leads to a recovery of K2 Inorder to prevent this attack we suggest to add a block cipher call in the TBCconstruction used in GCM-RUP as shown in Fig 4 to avoid leakage of theoutput difference of the function GHASHK2
This modified TBC still follows the XTX construction of Iwata and Mine-matsu [24] using universal hash function EK4
(GHASHK2(AC)) instead of the
original GHASHK2(AC) The new universal hash function has the same security
bounds but does not leak the key from an output difference Thus the securityproof of GCM-RUP is still applicable to this variant But we do not provide aformal security proof The extra block cipher has a limited impact on efficiencyand might offer better security by avoiding our attack
More generally the modified GHASH could replace GHASH in other designsIn particular the corresponding modification of GCM would prevent the uni-versal forgery attack with complexity 22n3 given in [20] We believe that thisconstruction is worth further study Further work will be needed to determinewhether this modification actually provides extra security and how much
7 Conclusion
This paper shows a birthday-bound attack against GCM-RUP [2] using innercollisions to recover the output difference of the function GHASHK2
Hence K2
can be retrieved by solving a polynomial equation and this directly leads toa universal forgery attack against GCM-RUP This forgery attack shows thatthe construction of GCM-RUP breaks drastically when the security bound isreached This is surprising because no such attack is known on GCM the bestknown universal forgery attack requires 22n3 operations
Finally a minor modification of GCM-RUP is suggested to prevent this kindof attack using an additional block cipher to protect the output of GHASHWith little performance loss this design focusing on GHASH can be applied toall GHASH-based designs
In a more general setting our attack technique can be applied to the LRWconstruction [21] with a polynomial universal hash function as used in OCB forinstance Actually the corresponding attack on OCB would match the previousattack by Ferguson [9]
8 Acknowledgement
This work was supported by the National Natural Science Foundation of Chinaunder Grant Nos 61572293 and 61602276 National Cryptography DevelopmentFoundation of China under Grant No MMJJ20170102 Major Scientific andTechnological Innovation Projects of Shandong Province China under Grant
18
No 2017CXGC0704 Natural Science Foundation of Shandong Province Chinaunder Grant No ZR2016FM22
References
1 Andreeva E Bogdanov A Luykx A Mennink B Mouha N Yasuda K How toSecurely Release Unverified Plaintext in Authenticated Encryption In Sarkar PIwata T (Eds) ASIACRYPT 2014 PART I LNCS 8873 pp 105ndash125 Springer
2 Ashur T Dunkelman O Luykx A Boosting Authenticated Encryption Robust-ness with Minimal Modifications In Katz J Shacham H (Eds) CRYPTO 2017Part III LNCS 10403 pp 3-33 Springer
3 Bellare M Namprempre C Authenticated Encryption Relations among Notionsand Analysis of the Generic Composition Paradigm In Okamoto T (Eds) ASI-ACRYPT 2000 LNCS 1976 pp 531ndash545 Springer
4 Bhargavan K Leurent G On the practical (in-)security of 64-bit block ciphersCollision attacks on HTTP over TLS and OpenVPN In Weippl ER Katzen-beisser S Kruegel C Myers AC Halevi S (eds) ACM CCS 2016 pp 456ndash467ACM Press (Oct 2016)
5 Cantor DG Zassenhaus H A new algorithm for factoring polynomials overfinite fields Mathematics of Computation pp 587ndash592 (1981)
6 Chaigneau C Gilbert H Is AEZ v41 sufficiently resilient against key-recoveryattacks IACR Trans Symm Cryptol 2016(1) 114ndash133 (2016) httptosc
iacrorgindexphpToSCarticleview538
7 Dierks T Allen C RFC 2246 - The TLS Protocol Version 10 Internet ActivitiesBoard (Jan 1999)
8 Dworkin M Recommendation for Block Cipher Modes of Operation Ga-loisCounter Mode (GCM) and GMAC National Institute of Standards and Tech-nology SP 800-38D November 2007
9 Ferguson N Collision attacks on OCB Comment to NIST (Feb 2002)
10 Fuhr T Leurent G Suder V Collision attacks against CAESAR candidates -forgery and key-recovery against AEZ and Marble In Iwata T Cheon JH (eds)ASIACRYPT 2015 Part II LNCS vol 9453 pp 510ndash532 Springer Heidelberg(Nov Dec 2015)
11 Gligor V Donescu P Fast Encryption and Authentication XCBC Encryptionand XECB Authentication Modes In Matsui M (Eds) FSE 2001 LNCS 2355pp 92-108 Springer
12 Gueron S Lindell Y GCM-SIV Full Nonce Misuse-Resistant Authenticated En-cryption at Under One Cycle per Byte In Ray I Li N Kruegel C (Eds) Pro-ceedings of the 22nd ACM SIGSAC Conference on Computer and CommunicationsSecurity Denver CO USA 12ndash16 October 2015 pp 109-119 ACM (2015)
13 Halevi S Rogaway P A Parallelizable Enciphering Mode In Okamoto T (Eds)CT-RSA 2004 LNCS 2964 pp 292ndash304 Springer
14 Hoang VT Krovetz T Rogaway P Robust Authenticated-Encryption AEZ andthe Problem That It Solves In Oswald E Fischlin M (eds) EUROCRYPT 2015LNCS vol 9056 pp 15-44 Springer Berlin Heidelberg
15 Inoue A Iwata T Minematsu K Poettering B Cryptanalysis of OCB2 At-tacks on Authenticity and Confidentiality In Boldyreva A Micciancio D (eds)CRYPTO 2019 LNCS vol 11692 Springer Cham
19
16 Iwata T Ohashi K Minematsu K Breaking and repairing GCM securityproofs In Safavi-Naini R Canetti R (eds) CRYPTO 2012 LNCS vol 7417pp 31ndash49 Springer Heidelberg (Aug 2012)
17 Joux A Comments on the Draft GCM Specification - Authentication Fail-ures in NIST Version of GCM httpcsrcnistgovgroupsSTtoolkitBCMdocumentscomments800-38Series-DraftsGCMJouxcommentspdf
18 Jutla C Encryption Modes with Almost Free Message Integrity In Pfitzmann B(Eds) EUROCRYPT 2001 LNCS 2045 pp 529-544 Springer
19 Leurent G Peyrin T Wang L New generic attacks against hash-based MACsIn Sako K Sarkar P (eds) ASIACRYPT 2013 Part II LNCS vol 8270 pp1ndash20 Springer Heidelberg (Dec 2013)
20 Leurent G Sibleyras F The missing difference problem and its applications tocounter mode encryption In Nielsen JB Rijmen V (eds) EUROCRYPT 2018Part II LNCS vol 10821 pp 745ndash770 Springer Heidelberg (Apr May 2018)
21 Liskov M Rivest RL Wagner D Tweakable Block Ciphers In Yung M (Eds)CRYPTO 2002 LNCS 2442 pp 31-46 Springer
22 Luykx A Preneel B Optimal forgeries against polynomial-based MACs andGCM In Nielsen JB Rijmen V (eds) EUROCRYPT 2018 Part I LNCS vol10820 pp 445ndash467 Springer Heidelberg (Apr May 2018)
23 McGrew D Viega J The Security and Performance of the GaloisCounter Mode(GCM) of Operation In Canteaut A Viswanathan K (eds) INDOCRYPT 2004LNCS vol 3348 pp 343-355 Springer Berlin Heidelberg
24 Minematsu K Iwata T Tweak-length extension for tweakable blockciphers InGroth J (ed) 15th IMA International Conference on Cryptography and CodingLNCS vol 9496 pp 77ndash93 Springer Heidelberg (Dec 2015)
25 Mitchell CJ On the security of XCBC TMAC and OMAC Technical Re-port RHUL-MA-2003-4 19 August 2003 Available at httpwwwrhulac
ukmathematicstechreports Also available from NISTrsquos web page at http
csrcnistgovCryptoToolkitmodescomments
26 Nandi M Bernstein bound on WCS is tight - repairing Luykx-Preneel optimalforgeries In Shacham H Boldyreva A (eds) CRYPTO 2018 Part II LNCSvol 10992 pp 213ndash238 Springer Heidelberg (Aug 2018)
27 Peyrin T Wang L Generic universal forgery attack on iterative hash-basedMACs In Nguyen PQ Oswald E (eds) EUROCRYPT 2014 LNCS vol 8441pp 147ndash164 Springer Heidelberg (May 2014)
28 Phan R CW Mini Advanced Encryption Standard (Mini-AES) A Testbed forCryptanalysis Students In Cryptologia XXVI (4) 2002 httpsstaffguilanacirstaffusersrebrahimifckeditor_repofilemini-aes-specpdf
29 Preneel B van Oorschot PC On the security of two MAC algorithms In Mau-rer UM (ed) EUROCRYPTrsquo96 LNCS vol 1070 pp 19ndash32 Springer Heidelberg(May 1996)
30 Rogaway P Bellare M Black J OCB A Block-Cipher Mode of Operation forEfficient Authenticated Encryption Transactions on Information and System Se-curity Vol 6 No 3 August 2003 pp 365-403
31 Rogaway P Shrimpton T A Provable-Security Treatment of the Key-WrapProblem In Vaudenay S (Eds) EUROCRYPT 2006 LNCS 4004 pp 373-390Springer
32 Shrimpton T Terashima RS A Modular Framework for Building Variable-Input-Length Tweakable Ciphers In Sako K Sarkar P (Eds) ASIACRYPT 2013 PartI LNCS 8269 pp 405ndash423 Springer
20
33 Sung J Hong D Lee S Key recovery attacks on the RMAC TMAC andIACBC In Safavi-Naini R Seberry J (eds) ACISP 03 LNCS vol 2727 pp265ndash273 Springer Heidelberg (Jul 2003)
34 Wegman MN Carter L New Hash Functions and Their Use in Authenticationand Set Equality Journal of Computer and System Sciences 22 265-279 (1981)
35 The CAESAR committee CAESAR Competition for Authenticated EncryptionSecurity Applicability and Robustness httpcompetitionscryptocaesarhtml
36 IEEE Standard for Local and Metropolitan Area Networks Media Access Control(MAC) Security IEEE Std 8021AE-2006 (2006)
37 Information Technology - Security Techniques - Authenticated EncryptionISOIEC 197722009 International Standard ISOIEC 19772 (2009)
38 NIST Lightweight Cryptography httpscsrcnistgovProjects
Lightweight-Cryptography
39 National Security Agency Internet Protocol Security (IPsec) Minimum EssentialInteroperability Requirements IPMEIR Version 100 Core (2010) httpwwwnsagoviaprogramssuitebcryptographyindexshtml
40 Sage Documentation SageMath Help httpwwwsagemathorg
21
- Universal Forgery Attack against GCM-RUP
- Yanbin Li Gaeumltan Leurent Meiqin Wang Wei Wang Guoyan Zhang Yu Liu
-
Table 1 Number of Nonces Needed to Achieve the Given Success Probability
Number of nonces to identify inner collision Probability of finding inner collision
263 11264 39265 86266 999
Table 2 Experimental Verification with Mini-GCM-RUP
(K1K2K3) Pair of nonces in X ∆In Pr(X) Pr(Y |X)
(0x3d0e0x2afc0x2e91)(0x27040x0889) 0 1
281
(0x76490x7b0d) 0
(0x4ef30x454b0x1e9a)
(0x23230x602d) 0
729
37
(0x11b70x2b2e) 0x0af7(0x7bab0x3a72) 0(0x12150x1e05) 0xa3b5(0x65930x093d) 0xbce8(0x09bd0x2db2) 0x03cf(0x7d350x5e97) 0
(0x53880x26410x7a4f)
(0x0ba90x46f5) 0x5393
328
12
(0x684d0x5786) 0(0x334c0x22e1) 0x0636(0x44870x13f0) 0(0x54130x03d8) 0(0x5a910x179f) 0x0c06
(0x56910x2ee90x5a68)(0x38740x7546) 0x3fcb 1
2812(0x44b00x4323) 0
15
5 Universal Forgery Attack of GCM-RUP
In this section we will construct forgeries for GCM-RUP given a candidate forK2 We consider a challenge message Mlowast (and possibly a challenge associateddata Alowast) and our goal is to construct a valid ciphertext for Mlowast
51 Almost Universal Forgery Attack
The first forgery attack makes only one query to the encryption oracle SEnc andthen constructs a forgery by solving an equation over GF (2128)
For an arbitrary nonce N associated data A and message M (with |M | =|Mlowast|) query (NAM) and receive the corresponding ciphertext (SC) LetG = GHASHK2
(AC) and the keystream used to XOR message is computed by
EncK1(N) = C oplus (0τM)
We create a valid encryption of Mlowast by reusing the same nonce N and the valuesG and S
First we compute Clowast corresponding to Mlowast
Clowast = 0τMlowast oplus EncK1(N)
= 0τMlowast oplus (C oplus 0τM)(7)
Then we construct Aprime such that
GHASHK2(Aprime Clowast) = GHASHK2
(AC)
where A C Clowast and K2 are known This gives a linear equation over GF (2128)which can easily be solved assuming that |Aprime| ge 128 and K2 6= 0
To summarize for any chosen message Mlowast we can give a successful forgery(AprimeMlowast Sprime C prime) satisfying (Sprime = SC prime = 0τMlowastoplus(Coplus0τM)) This is an almostuniversal forgery because we can choose Mlowast freely but not Aprime
52 Universal Forgery Attack
Alternatively we can design an attack where we choose both Alowast and Mlowast using2n2 queries First we make 2n2 queries (Ni AM) for fixed A and M with|M | = |Mlowast| and receive the corresponding (Si Ci) Since K2 is known we cancompute Gi = GHASH(ACi) and recover the corresponding inputs and outputsto EK3
EK3(Ni oplusGi) = Si oplusGi
Then we can use the same nonces Ni to build a forgery For each Ni webuild the corresponding C primei from Mlowast and Ci as above and we check whetherNioplusGHASH(Alowast C primei) is in the set of known inputs to EK3
With high probabilityone of the nonces will result in a match Ni oplus GHASH(Alowast C primei) = Nj oplus Gj andwe deduce a forgery using Sprime = Sj oplusGj oplus GHASH(Alowast C primei)
16
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
K4E
Fig 4 A Variant for GCM-RUP
17
6 Variant of GCM-RUP
Our forgery attack against GCM-RUP highlights a potential weakness on thestructure of GCM-RUP the output difference of the function GHASHK2
canbe recovered with birthday complexity and this leads to a recovery of K2 Inorder to prevent this attack we suggest to add a block cipher call in the TBCconstruction used in GCM-RUP as shown in Fig 4 to avoid leakage of theoutput difference of the function GHASHK2
This modified TBC still follows the XTX construction of Iwata and Mine-matsu [24] using universal hash function EK4
(GHASHK2(AC)) instead of the
original GHASHK2(AC) The new universal hash function has the same security
bounds but does not leak the key from an output difference Thus the securityproof of GCM-RUP is still applicable to this variant But we do not provide aformal security proof The extra block cipher has a limited impact on efficiencyand might offer better security by avoiding our attack
More generally the modified GHASH could replace GHASH in other designsIn particular the corresponding modification of GCM would prevent the uni-versal forgery attack with complexity 22n3 given in [20] We believe that thisconstruction is worth further study Further work will be needed to determinewhether this modification actually provides extra security and how much
7 Conclusion
This paper shows a birthday-bound attack against GCM-RUP [2] using innercollisions to recover the output difference of the function GHASHK2
Hence K2
can be retrieved by solving a polynomial equation and this directly leads toa universal forgery attack against GCM-RUP This forgery attack shows thatthe construction of GCM-RUP breaks drastically when the security bound isreached This is surprising because no such attack is known on GCM the bestknown universal forgery attack requires 22n3 operations
Finally a minor modification of GCM-RUP is suggested to prevent this kindof attack using an additional block cipher to protect the output of GHASHWith little performance loss this design focusing on GHASH can be applied toall GHASH-based designs
In a more general setting our attack technique can be applied to the LRWconstruction [21] with a polynomial universal hash function as used in OCB forinstance Actually the corresponding attack on OCB would match the previousattack by Ferguson [9]
8 Acknowledgement
This work was supported by the National Natural Science Foundation of Chinaunder Grant Nos 61572293 and 61602276 National Cryptography DevelopmentFoundation of China under Grant No MMJJ20170102 Major Scientific andTechnological Innovation Projects of Shandong Province China under Grant
18
No 2017CXGC0704 Natural Science Foundation of Shandong Province Chinaunder Grant No ZR2016FM22
References
1 Andreeva E Bogdanov A Luykx A Mennink B Mouha N Yasuda K How toSecurely Release Unverified Plaintext in Authenticated Encryption In Sarkar PIwata T (Eds) ASIACRYPT 2014 PART I LNCS 8873 pp 105ndash125 Springer
2 Ashur T Dunkelman O Luykx A Boosting Authenticated Encryption Robust-ness with Minimal Modifications In Katz J Shacham H (Eds) CRYPTO 2017Part III LNCS 10403 pp 3-33 Springer
3 Bellare M Namprempre C Authenticated Encryption Relations among Notionsand Analysis of the Generic Composition Paradigm In Okamoto T (Eds) ASI-ACRYPT 2000 LNCS 1976 pp 531ndash545 Springer
4 Bhargavan K Leurent G On the practical (in-)security of 64-bit block ciphersCollision attacks on HTTP over TLS and OpenVPN In Weippl ER Katzen-beisser S Kruegel C Myers AC Halevi S (eds) ACM CCS 2016 pp 456ndash467ACM Press (Oct 2016)
5 Cantor DG Zassenhaus H A new algorithm for factoring polynomials overfinite fields Mathematics of Computation pp 587ndash592 (1981)
6 Chaigneau C Gilbert H Is AEZ v41 sufficiently resilient against key-recoveryattacks IACR Trans Symm Cryptol 2016(1) 114ndash133 (2016) httptosc
iacrorgindexphpToSCarticleview538
7 Dierks T Allen C RFC 2246 - The TLS Protocol Version 10 Internet ActivitiesBoard (Jan 1999)
8 Dworkin M Recommendation for Block Cipher Modes of Operation Ga-loisCounter Mode (GCM) and GMAC National Institute of Standards and Tech-nology SP 800-38D November 2007
9 Ferguson N Collision attacks on OCB Comment to NIST (Feb 2002)
10 Fuhr T Leurent G Suder V Collision attacks against CAESAR candidates -forgery and key-recovery against AEZ and Marble In Iwata T Cheon JH (eds)ASIACRYPT 2015 Part II LNCS vol 9453 pp 510ndash532 Springer Heidelberg(Nov Dec 2015)
11 Gligor V Donescu P Fast Encryption and Authentication XCBC Encryptionand XECB Authentication Modes In Matsui M (Eds) FSE 2001 LNCS 2355pp 92-108 Springer
12 Gueron S Lindell Y GCM-SIV Full Nonce Misuse-Resistant Authenticated En-cryption at Under One Cycle per Byte In Ray I Li N Kruegel C (Eds) Pro-ceedings of the 22nd ACM SIGSAC Conference on Computer and CommunicationsSecurity Denver CO USA 12ndash16 October 2015 pp 109-119 ACM (2015)
13 Halevi S Rogaway P A Parallelizable Enciphering Mode In Okamoto T (Eds)CT-RSA 2004 LNCS 2964 pp 292ndash304 Springer
14 Hoang VT Krovetz T Rogaway P Robust Authenticated-Encryption AEZ andthe Problem That It Solves In Oswald E Fischlin M (eds) EUROCRYPT 2015LNCS vol 9056 pp 15-44 Springer Berlin Heidelberg
15 Inoue A Iwata T Minematsu K Poettering B Cryptanalysis of OCB2 At-tacks on Authenticity and Confidentiality In Boldyreva A Micciancio D (eds)CRYPTO 2019 LNCS vol 11692 Springer Cham
19
16 Iwata T Ohashi K Minematsu K Breaking and repairing GCM securityproofs In Safavi-Naini R Canetti R (eds) CRYPTO 2012 LNCS vol 7417pp 31ndash49 Springer Heidelberg (Aug 2012)
17 Joux A Comments on the Draft GCM Specification - Authentication Fail-ures in NIST Version of GCM httpcsrcnistgovgroupsSTtoolkitBCMdocumentscomments800-38Series-DraftsGCMJouxcommentspdf
18 Jutla C Encryption Modes with Almost Free Message Integrity In Pfitzmann B(Eds) EUROCRYPT 2001 LNCS 2045 pp 529-544 Springer
19 Leurent G Peyrin T Wang L New generic attacks against hash-based MACsIn Sako K Sarkar P (eds) ASIACRYPT 2013 Part II LNCS vol 8270 pp1ndash20 Springer Heidelberg (Dec 2013)
20 Leurent G Sibleyras F The missing difference problem and its applications tocounter mode encryption In Nielsen JB Rijmen V (eds) EUROCRYPT 2018Part II LNCS vol 10821 pp 745ndash770 Springer Heidelberg (Apr May 2018)
21 Liskov M Rivest RL Wagner D Tweakable Block Ciphers In Yung M (Eds)CRYPTO 2002 LNCS 2442 pp 31-46 Springer
22 Luykx A Preneel B Optimal forgeries against polynomial-based MACs andGCM In Nielsen JB Rijmen V (eds) EUROCRYPT 2018 Part I LNCS vol10820 pp 445ndash467 Springer Heidelberg (Apr May 2018)
23 McGrew D Viega J The Security and Performance of the GaloisCounter Mode(GCM) of Operation In Canteaut A Viswanathan K (eds) INDOCRYPT 2004LNCS vol 3348 pp 343-355 Springer Berlin Heidelberg
24 Minematsu K Iwata T Tweak-length extension for tweakable blockciphers InGroth J (ed) 15th IMA International Conference on Cryptography and CodingLNCS vol 9496 pp 77ndash93 Springer Heidelberg (Dec 2015)
25 Mitchell CJ On the security of XCBC TMAC and OMAC Technical Re-port RHUL-MA-2003-4 19 August 2003 Available at httpwwwrhulac
ukmathematicstechreports Also available from NISTrsquos web page at http
csrcnistgovCryptoToolkitmodescomments
26 Nandi M Bernstein bound on WCS is tight - repairing Luykx-Preneel optimalforgeries In Shacham H Boldyreva A (eds) CRYPTO 2018 Part II LNCSvol 10992 pp 213ndash238 Springer Heidelberg (Aug 2018)
27 Peyrin T Wang L Generic universal forgery attack on iterative hash-basedMACs In Nguyen PQ Oswald E (eds) EUROCRYPT 2014 LNCS vol 8441pp 147ndash164 Springer Heidelberg (May 2014)
28 Phan R CW Mini Advanced Encryption Standard (Mini-AES) A Testbed forCryptanalysis Students In Cryptologia XXVI (4) 2002 httpsstaffguilanacirstaffusersrebrahimifckeditor_repofilemini-aes-specpdf
29 Preneel B van Oorschot PC On the security of two MAC algorithms In Mau-rer UM (ed) EUROCRYPTrsquo96 LNCS vol 1070 pp 19ndash32 Springer Heidelberg(May 1996)
30 Rogaway P Bellare M Black J OCB A Block-Cipher Mode of Operation forEfficient Authenticated Encryption Transactions on Information and System Se-curity Vol 6 No 3 August 2003 pp 365-403
31 Rogaway P Shrimpton T A Provable-Security Treatment of the Key-WrapProblem In Vaudenay S (Eds) EUROCRYPT 2006 LNCS 4004 pp 373-390Springer
32 Shrimpton T Terashima RS A Modular Framework for Building Variable-Input-Length Tweakable Ciphers In Sako K Sarkar P (Eds) ASIACRYPT 2013 PartI LNCS 8269 pp 405ndash423 Springer
20
33 Sung J Hong D Lee S Key recovery attacks on the RMAC TMAC andIACBC In Safavi-Naini R Seberry J (eds) ACISP 03 LNCS vol 2727 pp265ndash273 Springer Heidelberg (Jul 2003)
34 Wegman MN Carter L New Hash Functions and Their Use in Authenticationand Set Equality Journal of Computer and System Sciences 22 265-279 (1981)
35 The CAESAR committee CAESAR Competition for Authenticated EncryptionSecurity Applicability and Robustness httpcompetitionscryptocaesarhtml
36 IEEE Standard for Local and Metropolitan Area Networks Media Access Control(MAC) Security IEEE Std 8021AE-2006 (2006)
37 Information Technology - Security Techniques - Authenticated EncryptionISOIEC 197722009 International Standard ISOIEC 19772 (2009)
38 NIST Lightweight Cryptography httpscsrcnistgovProjects
Lightweight-Cryptography
39 National Security Agency Internet Protocol Security (IPsec) Minimum EssentialInteroperability Requirements IPMEIR Version 100 Core (2010) httpwwwnsagoviaprogramssuitebcryptographyindexshtml
40 Sage Documentation SageMath Help httpwwwsagemathorg
21
- Universal Forgery Attack against GCM-RUP
- Yanbin Li Gaeumltan Leurent Meiqin Wang Wei Wang Guoyan Zhang Yu Liu
-
5 Universal Forgery Attack of GCM-RUP
In this section we will construct forgeries for GCM-RUP given a candidate forK2 We consider a challenge message Mlowast (and possibly a challenge associateddata Alowast) and our goal is to construct a valid ciphertext for Mlowast
51 Almost Universal Forgery Attack
The first forgery attack makes only one query to the encryption oracle SEnc andthen constructs a forgery by solving an equation over GF (2128)
For an arbitrary nonce N associated data A and message M (with |M | =|Mlowast|) query (NAM) and receive the corresponding ciphertext (SC) LetG = GHASHK2
(AC) and the keystream used to XOR message is computed by
EncK1(N) = C oplus (0τM)
We create a valid encryption of Mlowast by reusing the same nonce N and the valuesG and S
First we compute Clowast corresponding to Mlowast
Clowast = 0τMlowast oplus EncK1(N)
= 0τMlowast oplus (C oplus 0τM)(7)
Then we construct Aprime such that
GHASHK2(Aprime Clowast) = GHASHK2
(AC)
where A C Clowast and K2 are known This gives a linear equation over GF (2128)which can easily be solved assuming that |Aprime| ge 128 and K2 6= 0
To summarize for any chosen message Mlowast we can give a successful forgery(AprimeMlowast Sprime C prime) satisfying (Sprime = SC prime = 0τMlowastoplus(Coplus0τM)) This is an almostuniversal forgery because we can choose Mlowast freely but not Aprime
52 Universal Forgery Attack
Alternatively we can design an attack where we choose both Alowast and Mlowast using2n2 queries First we make 2n2 queries (Ni AM) for fixed A and M with|M | = |Mlowast| and receive the corresponding (Si Ci) Since K2 is known we cancompute Gi = GHASH(ACi) and recover the corresponding inputs and outputsto EK3
EK3(Ni oplusGi) = Si oplusGi
Then we can use the same nonces Ni to build a forgery For each Ni webuild the corresponding C primei from Mlowast and Ci as above and we check whetherNioplusGHASH(Alowast C primei) is in the set of known inputs to EK3
With high probabilityone of the nonces will result in a match Ni oplus GHASH(Alowast C primei) = Nj oplus Gj andwe deduce a forgery using Sprime = Sj oplusGj oplus GHASH(Alowast C primei)
16
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
K4E
Fig 4 A Variant for GCM-RUP
17
6 Variant of GCM-RUP
Our forgery attack against GCM-RUP highlights a potential weakness on thestructure of GCM-RUP the output difference of the function GHASHK2
canbe recovered with birthday complexity and this leads to a recovery of K2 Inorder to prevent this attack we suggest to add a block cipher call in the TBCconstruction used in GCM-RUP as shown in Fig 4 to avoid leakage of theoutput difference of the function GHASHK2
This modified TBC still follows the XTX construction of Iwata and Mine-matsu [24] using universal hash function EK4
(GHASHK2(AC)) instead of the
original GHASHK2(AC) The new universal hash function has the same security
bounds but does not leak the key from an output difference Thus the securityproof of GCM-RUP is still applicable to this variant But we do not provide aformal security proof The extra block cipher has a limited impact on efficiencyand might offer better security by avoiding our attack
More generally the modified GHASH could replace GHASH in other designsIn particular the corresponding modification of GCM would prevent the uni-versal forgery attack with complexity 22n3 given in [20] We believe that thisconstruction is worth further study Further work will be needed to determinewhether this modification actually provides extra security and how much
7 Conclusion
This paper shows a birthday-bound attack against GCM-RUP [2] using innercollisions to recover the output difference of the function GHASHK2
Hence K2
can be retrieved by solving a polynomial equation and this directly leads toa universal forgery attack against GCM-RUP This forgery attack shows thatthe construction of GCM-RUP breaks drastically when the security bound isreached This is surprising because no such attack is known on GCM the bestknown universal forgery attack requires 22n3 operations
Finally a minor modification of GCM-RUP is suggested to prevent this kindof attack using an additional block cipher to protect the output of GHASHWith little performance loss this design focusing on GHASH can be applied toall GHASH-based designs
In a more general setting our attack technique can be applied to the LRWconstruction [21] with a polynomial universal hash function as used in OCB forinstance Actually the corresponding attack on OCB would match the previousattack by Ferguson [9]
8 Acknowledgement
This work was supported by the National Natural Science Foundation of Chinaunder Grant Nos 61572293 and 61602276 National Cryptography DevelopmentFoundation of China under Grant No MMJJ20170102 Major Scientific andTechnological Innovation Projects of Shandong Province China under Grant
18
No 2017CXGC0704 Natural Science Foundation of Shandong Province Chinaunder Grant No ZR2016FM22
References
1 Andreeva E Bogdanov A Luykx A Mennink B Mouha N Yasuda K How toSecurely Release Unverified Plaintext in Authenticated Encryption In Sarkar PIwata T (Eds) ASIACRYPT 2014 PART I LNCS 8873 pp 105ndash125 Springer
2 Ashur T Dunkelman O Luykx A Boosting Authenticated Encryption Robust-ness with Minimal Modifications In Katz J Shacham H (Eds) CRYPTO 2017Part III LNCS 10403 pp 3-33 Springer
3 Bellare M Namprempre C Authenticated Encryption Relations among Notionsand Analysis of the Generic Composition Paradigm In Okamoto T (Eds) ASI-ACRYPT 2000 LNCS 1976 pp 531ndash545 Springer
4 Bhargavan K Leurent G On the practical (in-)security of 64-bit block ciphersCollision attacks on HTTP over TLS and OpenVPN In Weippl ER Katzen-beisser S Kruegel C Myers AC Halevi S (eds) ACM CCS 2016 pp 456ndash467ACM Press (Oct 2016)
5 Cantor DG Zassenhaus H A new algorithm for factoring polynomials overfinite fields Mathematics of Computation pp 587ndash592 (1981)
6 Chaigneau C Gilbert H Is AEZ v41 sufficiently resilient against key-recoveryattacks IACR Trans Symm Cryptol 2016(1) 114ndash133 (2016) httptosc
iacrorgindexphpToSCarticleview538
7 Dierks T Allen C RFC 2246 - The TLS Protocol Version 10 Internet ActivitiesBoard (Jan 1999)
8 Dworkin M Recommendation for Block Cipher Modes of Operation Ga-loisCounter Mode (GCM) and GMAC National Institute of Standards and Tech-nology SP 800-38D November 2007
9 Ferguson N Collision attacks on OCB Comment to NIST (Feb 2002)
10 Fuhr T Leurent G Suder V Collision attacks against CAESAR candidates -forgery and key-recovery against AEZ and Marble In Iwata T Cheon JH (eds)ASIACRYPT 2015 Part II LNCS vol 9453 pp 510ndash532 Springer Heidelberg(Nov Dec 2015)
11 Gligor V Donescu P Fast Encryption and Authentication XCBC Encryptionand XECB Authentication Modes In Matsui M (Eds) FSE 2001 LNCS 2355pp 92-108 Springer
12 Gueron S Lindell Y GCM-SIV Full Nonce Misuse-Resistant Authenticated En-cryption at Under One Cycle per Byte In Ray I Li N Kruegel C (Eds) Pro-ceedings of the 22nd ACM SIGSAC Conference on Computer and CommunicationsSecurity Denver CO USA 12ndash16 October 2015 pp 109-119 ACM (2015)
13 Halevi S Rogaway P A Parallelizable Enciphering Mode In Okamoto T (Eds)CT-RSA 2004 LNCS 2964 pp 292ndash304 Springer
14 Hoang VT Krovetz T Rogaway P Robust Authenticated-Encryption AEZ andthe Problem That It Solves In Oswald E Fischlin M (eds) EUROCRYPT 2015LNCS vol 9056 pp 15-44 Springer Berlin Heidelberg
15 Inoue A Iwata T Minematsu K Poettering B Cryptanalysis of OCB2 At-tacks on Authenticity and Confidentiality In Boldyreva A Micciancio D (eds)CRYPTO 2019 LNCS vol 11692 Springer Cham
19
16 Iwata T Ohashi K Minematsu K Breaking and repairing GCM securityproofs In Safavi-Naini R Canetti R (eds) CRYPTO 2012 LNCS vol 7417pp 31ndash49 Springer Heidelberg (Aug 2012)
17 Joux A Comments on the Draft GCM Specification - Authentication Fail-ures in NIST Version of GCM httpcsrcnistgovgroupsSTtoolkitBCMdocumentscomments800-38Series-DraftsGCMJouxcommentspdf
18 Jutla C Encryption Modes with Almost Free Message Integrity In Pfitzmann B(Eds) EUROCRYPT 2001 LNCS 2045 pp 529-544 Springer
19 Leurent G Peyrin T Wang L New generic attacks against hash-based MACsIn Sako K Sarkar P (eds) ASIACRYPT 2013 Part II LNCS vol 8270 pp1ndash20 Springer Heidelberg (Dec 2013)
20 Leurent G Sibleyras F The missing difference problem and its applications tocounter mode encryption In Nielsen JB Rijmen V (eds) EUROCRYPT 2018Part II LNCS vol 10821 pp 745ndash770 Springer Heidelberg (Apr May 2018)
21 Liskov M Rivest RL Wagner D Tweakable Block Ciphers In Yung M (Eds)CRYPTO 2002 LNCS 2442 pp 31-46 Springer
22 Luykx A Preneel B Optimal forgeries against polynomial-based MACs andGCM In Nielsen JB Rijmen V (eds) EUROCRYPT 2018 Part I LNCS vol10820 pp 445ndash467 Springer Heidelberg (Apr May 2018)
23 McGrew D Viega J The Security and Performance of the GaloisCounter Mode(GCM) of Operation In Canteaut A Viswanathan K (eds) INDOCRYPT 2004LNCS vol 3348 pp 343-355 Springer Berlin Heidelberg
24 Minematsu K Iwata T Tweak-length extension for tweakable blockciphers InGroth J (ed) 15th IMA International Conference on Cryptography and CodingLNCS vol 9496 pp 77ndash93 Springer Heidelberg (Dec 2015)
25 Mitchell CJ On the security of XCBC TMAC and OMAC Technical Re-port RHUL-MA-2003-4 19 August 2003 Available at httpwwwrhulac
ukmathematicstechreports Also available from NISTrsquos web page at http
csrcnistgovCryptoToolkitmodescomments
26 Nandi M Bernstein bound on WCS is tight - repairing Luykx-Preneel optimalforgeries In Shacham H Boldyreva A (eds) CRYPTO 2018 Part II LNCSvol 10992 pp 213ndash238 Springer Heidelberg (Aug 2018)
27 Peyrin T Wang L Generic universal forgery attack on iterative hash-basedMACs In Nguyen PQ Oswald E (eds) EUROCRYPT 2014 LNCS vol 8441pp 147ndash164 Springer Heidelberg (May 2014)
28 Phan R CW Mini Advanced Encryption Standard (Mini-AES) A Testbed forCryptanalysis Students In Cryptologia XXVI (4) 2002 httpsstaffguilanacirstaffusersrebrahimifckeditor_repofilemini-aes-specpdf
29 Preneel B van Oorschot PC On the security of two MAC algorithms In Mau-rer UM (ed) EUROCRYPTrsquo96 LNCS vol 1070 pp 19ndash32 Springer Heidelberg(May 1996)
30 Rogaway P Bellare M Black J OCB A Block-Cipher Mode of Operation forEfficient Authenticated Encryption Transactions on Information and System Se-curity Vol 6 No 3 August 2003 pp 365-403
31 Rogaway P Shrimpton T A Provable-Security Treatment of the Key-WrapProblem In Vaudenay S (Eds) EUROCRYPT 2006 LNCS 4004 pp 373-390Springer
32 Shrimpton T Terashima RS A Modular Framework for Building Variable-Input-Length Tweakable Ciphers In Sako K Sarkar P (Eds) ASIACRYPT 2013 PartI LNCS 8269 pp 405ndash423 Springer
20
33 Sung J Hong D Lee S Key recovery attacks on the RMAC TMAC andIACBC In Safavi-Naini R Seberry J (eds) ACISP 03 LNCS vol 2727 pp265ndash273 Springer Heidelberg (Jul 2003)
34 Wegman MN Carter L New Hash Functions and Their Use in Authenticationand Set Equality Journal of Computer and System Sciences 22 265-279 (1981)
35 The CAESAR committee CAESAR Competition for Authenticated EncryptionSecurity Applicability and Robustness httpcompetitionscryptocaesarhtml
36 IEEE Standard for Local and Metropolitan Area Networks Media Access Control(MAC) Security IEEE Std 8021AE-2006 (2006)
37 Information Technology - Security Techniques - Authenticated EncryptionISOIEC 197722009 International Standard ISOIEC 19772 (2009)
38 NIST Lightweight Cryptography httpscsrcnistgovProjects
Lightweight-Cryptography
39 National Security Agency Internet Protocol Security (IPsec) Minimum EssentialInteroperability Requirements IPMEIR Version 100 Core (2010) httpwwwnsagoviaprogramssuitebcryptographyindexshtml
40 Sage Documentation SageMath Help httpwwwsagemathorg
21
- Universal Forgery Attack against GCM-RUP
- Yanbin Li Gaeumltan Leurent Meiqin Wang Wei Wang Guoyan Zhang Yu Liu
-
N
GHLε
inc32 inc32 inc32 inc32
0τ M
C
GH A
S
msbτ+|M|
K1E K1E K1E K1E
K3E K2
96
32
K4E
Fig 4 A Variant for GCM-RUP
17
6 Variant of GCM-RUP
Our forgery attack against GCM-RUP highlights a potential weakness on thestructure of GCM-RUP the output difference of the function GHASHK2
canbe recovered with birthday complexity and this leads to a recovery of K2 Inorder to prevent this attack we suggest to add a block cipher call in the TBCconstruction used in GCM-RUP as shown in Fig 4 to avoid leakage of theoutput difference of the function GHASHK2
This modified TBC still follows the XTX construction of Iwata and Mine-matsu [24] using universal hash function EK4
(GHASHK2(AC)) instead of the
original GHASHK2(AC) The new universal hash function has the same security
bounds but does not leak the key from an output difference Thus the securityproof of GCM-RUP is still applicable to this variant But we do not provide aformal security proof The extra block cipher has a limited impact on efficiencyand might offer better security by avoiding our attack
More generally the modified GHASH could replace GHASH in other designsIn particular the corresponding modification of GCM would prevent the uni-versal forgery attack with complexity 22n3 given in [20] We believe that thisconstruction is worth further study Further work will be needed to determinewhether this modification actually provides extra security and how much
7 Conclusion
This paper shows a birthday-bound attack against GCM-RUP [2] using innercollisions to recover the output difference of the function GHASHK2
Hence K2
can be retrieved by solving a polynomial equation and this directly leads toa universal forgery attack against GCM-RUP This forgery attack shows thatthe construction of GCM-RUP breaks drastically when the security bound isreached This is surprising because no such attack is known on GCM the bestknown universal forgery attack requires 22n3 operations
Finally a minor modification of GCM-RUP is suggested to prevent this kindof attack using an additional block cipher to protect the output of GHASHWith little performance loss this design focusing on GHASH can be applied toall GHASH-based designs
In a more general setting our attack technique can be applied to the LRWconstruction [21] with a polynomial universal hash function as used in OCB forinstance Actually the corresponding attack on OCB would match the previousattack by Ferguson [9]
8 Acknowledgement
This work was supported by the National Natural Science Foundation of Chinaunder Grant Nos 61572293 and 61602276 National Cryptography DevelopmentFoundation of China under Grant No MMJJ20170102 Major Scientific andTechnological Innovation Projects of Shandong Province China under Grant
18
No 2017CXGC0704 Natural Science Foundation of Shandong Province Chinaunder Grant No ZR2016FM22
References
1 Andreeva E Bogdanov A Luykx A Mennink B Mouha N Yasuda K How toSecurely Release Unverified Plaintext in Authenticated Encryption In Sarkar PIwata T (Eds) ASIACRYPT 2014 PART I LNCS 8873 pp 105ndash125 Springer
2 Ashur T Dunkelman O Luykx A Boosting Authenticated Encryption Robust-ness with Minimal Modifications In Katz J Shacham H (Eds) CRYPTO 2017Part III LNCS 10403 pp 3-33 Springer
3 Bellare M Namprempre C Authenticated Encryption Relations among Notionsand Analysis of the Generic Composition Paradigm In Okamoto T (Eds) ASI-ACRYPT 2000 LNCS 1976 pp 531ndash545 Springer
4 Bhargavan K Leurent G On the practical (in-)security of 64-bit block ciphersCollision attacks on HTTP over TLS and OpenVPN In Weippl ER Katzen-beisser S Kruegel C Myers AC Halevi S (eds) ACM CCS 2016 pp 456ndash467ACM Press (Oct 2016)
5 Cantor DG Zassenhaus H A new algorithm for factoring polynomials overfinite fields Mathematics of Computation pp 587ndash592 (1981)
6 Chaigneau C Gilbert H Is AEZ v41 sufficiently resilient against key-recoveryattacks IACR Trans Symm Cryptol 2016(1) 114ndash133 (2016) httptosc
iacrorgindexphpToSCarticleview538
7 Dierks T Allen C RFC 2246 - The TLS Protocol Version 10 Internet ActivitiesBoard (Jan 1999)
8 Dworkin M Recommendation for Block Cipher Modes of Operation Ga-loisCounter Mode (GCM) and GMAC National Institute of Standards and Tech-nology SP 800-38D November 2007
9 Ferguson N Collision attacks on OCB Comment to NIST (Feb 2002)
10 Fuhr T Leurent G Suder V Collision attacks against CAESAR candidates -forgery and key-recovery against AEZ and Marble In Iwata T Cheon JH (eds)ASIACRYPT 2015 Part II LNCS vol 9453 pp 510ndash532 Springer Heidelberg(Nov Dec 2015)
11 Gligor V Donescu P Fast Encryption and Authentication XCBC Encryptionand XECB Authentication Modes In Matsui M (Eds) FSE 2001 LNCS 2355pp 92-108 Springer
12 Gueron S Lindell Y GCM-SIV Full Nonce Misuse-Resistant Authenticated En-cryption at Under One Cycle per Byte In Ray I Li N Kruegel C (Eds) Pro-ceedings of the 22nd ACM SIGSAC Conference on Computer and CommunicationsSecurity Denver CO USA 12ndash16 October 2015 pp 109-119 ACM (2015)
13 Halevi S Rogaway P A Parallelizable Enciphering Mode In Okamoto T (Eds)CT-RSA 2004 LNCS 2964 pp 292ndash304 Springer
14 Hoang VT Krovetz T Rogaway P Robust Authenticated-Encryption AEZ andthe Problem That It Solves In Oswald E Fischlin M (eds) EUROCRYPT 2015LNCS vol 9056 pp 15-44 Springer Berlin Heidelberg
15 Inoue A Iwata T Minematsu K Poettering B Cryptanalysis of OCB2 At-tacks on Authenticity and Confidentiality In Boldyreva A Micciancio D (eds)CRYPTO 2019 LNCS vol 11692 Springer Cham
19
16 Iwata T Ohashi K Minematsu K Breaking and repairing GCM securityproofs In Safavi-Naini R Canetti R (eds) CRYPTO 2012 LNCS vol 7417pp 31ndash49 Springer Heidelberg (Aug 2012)
17 Joux A Comments on the Draft GCM Specification - Authentication Fail-ures in NIST Version of GCM httpcsrcnistgovgroupsSTtoolkitBCMdocumentscomments800-38Series-DraftsGCMJouxcommentspdf
18 Jutla C Encryption Modes with Almost Free Message Integrity In Pfitzmann B(Eds) EUROCRYPT 2001 LNCS 2045 pp 529-544 Springer
19 Leurent G Peyrin T Wang L New generic attacks against hash-based MACsIn Sako K Sarkar P (eds) ASIACRYPT 2013 Part II LNCS vol 8270 pp1ndash20 Springer Heidelberg (Dec 2013)
20 Leurent G Sibleyras F The missing difference problem and its applications tocounter mode encryption In Nielsen JB Rijmen V (eds) EUROCRYPT 2018Part II LNCS vol 10821 pp 745ndash770 Springer Heidelberg (Apr May 2018)
21 Liskov M Rivest RL Wagner D Tweakable Block Ciphers In Yung M (Eds)CRYPTO 2002 LNCS 2442 pp 31-46 Springer
22 Luykx A Preneel B Optimal forgeries against polynomial-based MACs andGCM In Nielsen JB Rijmen V (eds) EUROCRYPT 2018 Part I LNCS vol10820 pp 445ndash467 Springer Heidelberg (Apr May 2018)
23 McGrew D Viega J The Security and Performance of the GaloisCounter Mode(GCM) of Operation In Canteaut A Viswanathan K (eds) INDOCRYPT 2004LNCS vol 3348 pp 343-355 Springer Berlin Heidelberg
24 Minematsu K Iwata T Tweak-length extension for tweakable blockciphers InGroth J (ed) 15th IMA International Conference on Cryptography and CodingLNCS vol 9496 pp 77ndash93 Springer Heidelberg (Dec 2015)
25 Mitchell CJ On the security of XCBC TMAC and OMAC Technical Re-port RHUL-MA-2003-4 19 August 2003 Available at httpwwwrhulac
ukmathematicstechreports Also available from NISTrsquos web page at http
csrcnistgovCryptoToolkitmodescomments
26 Nandi M Bernstein bound on WCS is tight - repairing Luykx-Preneel optimalforgeries In Shacham H Boldyreva A (eds) CRYPTO 2018 Part II LNCSvol 10992 pp 213ndash238 Springer Heidelberg (Aug 2018)
27 Peyrin T Wang L Generic universal forgery attack on iterative hash-basedMACs In Nguyen PQ Oswald E (eds) EUROCRYPT 2014 LNCS vol 8441pp 147ndash164 Springer Heidelberg (May 2014)
28 Phan R CW Mini Advanced Encryption Standard (Mini-AES) A Testbed forCryptanalysis Students In Cryptologia XXVI (4) 2002 httpsstaffguilanacirstaffusersrebrahimifckeditor_repofilemini-aes-specpdf
29 Preneel B van Oorschot PC On the security of two MAC algorithms In Mau-rer UM (ed) EUROCRYPTrsquo96 LNCS vol 1070 pp 19ndash32 Springer Heidelberg(May 1996)
30 Rogaway P Bellare M Black J OCB A Block-Cipher Mode of Operation forEfficient Authenticated Encryption Transactions on Information and System Se-curity Vol 6 No 3 August 2003 pp 365-403
31 Rogaway P Shrimpton T A Provable-Security Treatment of the Key-WrapProblem In Vaudenay S (Eds) EUROCRYPT 2006 LNCS 4004 pp 373-390Springer
32 Shrimpton T Terashima RS A Modular Framework for Building Variable-Input-Length Tweakable Ciphers In Sako K Sarkar P (Eds) ASIACRYPT 2013 PartI LNCS 8269 pp 405ndash423 Springer
20
33 Sung J Hong D Lee S Key recovery attacks on the RMAC TMAC andIACBC In Safavi-Naini R Seberry J (eds) ACISP 03 LNCS vol 2727 pp265ndash273 Springer Heidelberg (Jul 2003)
34 Wegman MN Carter L New Hash Functions and Their Use in Authenticationand Set Equality Journal of Computer and System Sciences 22 265-279 (1981)
35 The CAESAR committee CAESAR Competition for Authenticated EncryptionSecurity Applicability and Robustness httpcompetitionscryptocaesarhtml
36 IEEE Standard for Local and Metropolitan Area Networks Media Access Control(MAC) Security IEEE Std 8021AE-2006 (2006)
37 Information Technology - Security Techniques - Authenticated EncryptionISOIEC 197722009 International Standard ISOIEC 19772 (2009)
38 NIST Lightweight Cryptography httpscsrcnistgovProjects
Lightweight-Cryptography
39 National Security Agency Internet Protocol Security (IPsec) Minimum EssentialInteroperability Requirements IPMEIR Version 100 Core (2010) httpwwwnsagoviaprogramssuitebcryptographyindexshtml
40 Sage Documentation SageMath Help httpwwwsagemathorg
21
- Universal Forgery Attack against GCM-RUP
- Yanbin Li Gaeumltan Leurent Meiqin Wang Wei Wang Guoyan Zhang Yu Liu
-
6 Variant of GCM-RUP
Our forgery attack against GCM-RUP highlights a potential weakness on thestructure of GCM-RUP the output difference of the function GHASHK2
canbe recovered with birthday complexity and this leads to a recovery of K2 Inorder to prevent this attack we suggest to add a block cipher call in the TBCconstruction used in GCM-RUP as shown in Fig 4 to avoid leakage of theoutput difference of the function GHASHK2
This modified TBC still follows the XTX construction of Iwata and Mine-matsu [24] using universal hash function EK4
(GHASHK2(AC)) instead of the
original GHASHK2(AC) The new universal hash function has the same security
bounds but does not leak the key from an output difference Thus the securityproof of GCM-RUP is still applicable to this variant But we do not provide aformal security proof The extra block cipher has a limited impact on efficiencyand might offer better security by avoiding our attack
More generally the modified GHASH could replace GHASH in other designsIn particular the corresponding modification of GCM would prevent the uni-versal forgery attack with complexity 22n3 given in [20] We believe that thisconstruction is worth further study Further work will be needed to determinewhether this modification actually provides extra security and how much
7 Conclusion
This paper shows a birthday-bound attack against GCM-RUP [2] using innercollisions to recover the output difference of the function GHASHK2
Hence K2
can be retrieved by solving a polynomial equation and this directly leads toa universal forgery attack against GCM-RUP This forgery attack shows thatthe construction of GCM-RUP breaks drastically when the security bound isreached This is surprising because no such attack is known on GCM the bestknown universal forgery attack requires 22n3 operations
Finally a minor modification of GCM-RUP is suggested to prevent this kindof attack using an additional block cipher to protect the output of GHASHWith little performance loss this design focusing on GHASH can be applied toall GHASH-based designs
In a more general setting our attack technique can be applied to the LRWconstruction [21] with a polynomial universal hash function as used in OCB forinstance Actually the corresponding attack on OCB would match the previousattack by Ferguson [9]
8 Acknowledgement
This work was supported by the National Natural Science Foundation of Chinaunder Grant Nos 61572293 and 61602276 National Cryptography DevelopmentFoundation of China under Grant No MMJJ20170102 Major Scientific andTechnological Innovation Projects of Shandong Province China under Grant
18
No 2017CXGC0704 Natural Science Foundation of Shandong Province Chinaunder Grant No ZR2016FM22
References
1 Andreeva E Bogdanov A Luykx A Mennink B Mouha N Yasuda K How toSecurely Release Unverified Plaintext in Authenticated Encryption In Sarkar PIwata T (Eds) ASIACRYPT 2014 PART I LNCS 8873 pp 105ndash125 Springer
2 Ashur T Dunkelman O Luykx A Boosting Authenticated Encryption Robust-ness with Minimal Modifications In Katz J Shacham H (Eds) CRYPTO 2017Part III LNCS 10403 pp 3-33 Springer
3 Bellare M Namprempre C Authenticated Encryption Relations among Notionsand Analysis of the Generic Composition Paradigm In Okamoto T (Eds) ASI-ACRYPT 2000 LNCS 1976 pp 531ndash545 Springer
4 Bhargavan K Leurent G On the practical (in-)security of 64-bit block ciphersCollision attacks on HTTP over TLS and OpenVPN In Weippl ER Katzen-beisser S Kruegel C Myers AC Halevi S (eds) ACM CCS 2016 pp 456ndash467ACM Press (Oct 2016)
5 Cantor DG Zassenhaus H A new algorithm for factoring polynomials overfinite fields Mathematics of Computation pp 587ndash592 (1981)
6 Chaigneau C Gilbert H Is AEZ v41 sufficiently resilient against key-recoveryattacks IACR Trans Symm Cryptol 2016(1) 114ndash133 (2016) httptosc
iacrorgindexphpToSCarticleview538
7 Dierks T Allen C RFC 2246 - The TLS Protocol Version 10 Internet ActivitiesBoard (Jan 1999)
8 Dworkin M Recommendation for Block Cipher Modes of Operation Ga-loisCounter Mode (GCM) and GMAC National Institute of Standards and Tech-nology SP 800-38D November 2007
9 Ferguson N Collision attacks on OCB Comment to NIST (Feb 2002)
10 Fuhr T Leurent G Suder V Collision attacks against CAESAR candidates -forgery and key-recovery against AEZ and Marble In Iwata T Cheon JH (eds)ASIACRYPT 2015 Part II LNCS vol 9453 pp 510ndash532 Springer Heidelberg(Nov Dec 2015)
11 Gligor V Donescu P Fast Encryption and Authentication XCBC Encryptionand XECB Authentication Modes In Matsui M (Eds) FSE 2001 LNCS 2355pp 92-108 Springer
12 Gueron S Lindell Y GCM-SIV Full Nonce Misuse-Resistant Authenticated En-cryption at Under One Cycle per Byte In Ray I Li N Kruegel C (Eds) Pro-ceedings of the 22nd ACM SIGSAC Conference on Computer and CommunicationsSecurity Denver CO USA 12ndash16 October 2015 pp 109-119 ACM (2015)
13 Halevi S Rogaway P A Parallelizable Enciphering Mode In Okamoto T (Eds)CT-RSA 2004 LNCS 2964 pp 292ndash304 Springer
14 Hoang VT Krovetz T Rogaway P Robust Authenticated-Encryption AEZ andthe Problem That It Solves In Oswald E Fischlin M (eds) EUROCRYPT 2015LNCS vol 9056 pp 15-44 Springer Berlin Heidelberg
15 Inoue A Iwata T Minematsu K Poettering B Cryptanalysis of OCB2 At-tacks on Authenticity and Confidentiality In Boldyreva A Micciancio D (eds)CRYPTO 2019 LNCS vol 11692 Springer Cham
19
16 Iwata T Ohashi K Minematsu K Breaking and repairing GCM securityproofs In Safavi-Naini R Canetti R (eds) CRYPTO 2012 LNCS vol 7417pp 31ndash49 Springer Heidelberg (Aug 2012)
17 Joux A Comments on the Draft GCM Specification - Authentication Fail-ures in NIST Version of GCM httpcsrcnistgovgroupsSTtoolkitBCMdocumentscomments800-38Series-DraftsGCMJouxcommentspdf
18 Jutla C Encryption Modes with Almost Free Message Integrity In Pfitzmann B(Eds) EUROCRYPT 2001 LNCS 2045 pp 529-544 Springer
19 Leurent G Peyrin T Wang L New generic attacks against hash-based MACsIn Sako K Sarkar P (eds) ASIACRYPT 2013 Part II LNCS vol 8270 pp1ndash20 Springer Heidelberg (Dec 2013)
20 Leurent G Sibleyras F The missing difference problem and its applications tocounter mode encryption In Nielsen JB Rijmen V (eds) EUROCRYPT 2018Part II LNCS vol 10821 pp 745ndash770 Springer Heidelberg (Apr May 2018)
21 Liskov M Rivest RL Wagner D Tweakable Block Ciphers In Yung M (Eds)CRYPTO 2002 LNCS 2442 pp 31-46 Springer
22 Luykx A Preneel B Optimal forgeries against polynomial-based MACs andGCM In Nielsen JB Rijmen V (eds) EUROCRYPT 2018 Part I LNCS vol10820 pp 445ndash467 Springer Heidelberg (Apr May 2018)
23 McGrew D Viega J The Security and Performance of the GaloisCounter Mode(GCM) of Operation In Canteaut A Viswanathan K (eds) INDOCRYPT 2004LNCS vol 3348 pp 343-355 Springer Berlin Heidelberg
24 Minematsu K Iwata T Tweak-length extension for tweakable blockciphers InGroth J (ed) 15th IMA International Conference on Cryptography and CodingLNCS vol 9496 pp 77ndash93 Springer Heidelberg (Dec 2015)
25 Mitchell CJ On the security of XCBC TMAC and OMAC Technical Re-port RHUL-MA-2003-4 19 August 2003 Available at httpwwwrhulac
ukmathematicstechreports Also available from NISTrsquos web page at http
csrcnistgovCryptoToolkitmodescomments
26 Nandi M Bernstein bound on WCS is tight - repairing Luykx-Preneel optimalforgeries In Shacham H Boldyreva A (eds) CRYPTO 2018 Part II LNCSvol 10992 pp 213ndash238 Springer Heidelberg (Aug 2018)
27 Peyrin T Wang L Generic universal forgery attack on iterative hash-basedMACs In Nguyen PQ Oswald E (eds) EUROCRYPT 2014 LNCS vol 8441pp 147ndash164 Springer Heidelberg (May 2014)
28 Phan R CW Mini Advanced Encryption Standard (Mini-AES) A Testbed forCryptanalysis Students In Cryptologia XXVI (4) 2002 httpsstaffguilanacirstaffusersrebrahimifckeditor_repofilemini-aes-specpdf
29 Preneel B van Oorschot PC On the security of two MAC algorithms In Mau-rer UM (ed) EUROCRYPTrsquo96 LNCS vol 1070 pp 19ndash32 Springer Heidelberg(May 1996)
30 Rogaway P Bellare M Black J OCB A Block-Cipher Mode of Operation forEfficient Authenticated Encryption Transactions on Information and System Se-curity Vol 6 No 3 August 2003 pp 365-403
31 Rogaway P Shrimpton T A Provable-Security Treatment of the Key-WrapProblem In Vaudenay S (Eds) EUROCRYPT 2006 LNCS 4004 pp 373-390Springer
32 Shrimpton T Terashima RS A Modular Framework for Building Variable-Input-Length Tweakable Ciphers In Sako K Sarkar P (Eds) ASIACRYPT 2013 PartI LNCS 8269 pp 405ndash423 Springer
20
33 Sung J Hong D Lee S Key recovery attacks on the RMAC TMAC andIACBC In Safavi-Naini R Seberry J (eds) ACISP 03 LNCS vol 2727 pp265ndash273 Springer Heidelberg (Jul 2003)
34 Wegman MN Carter L New Hash Functions and Their Use in Authenticationand Set Equality Journal of Computer and System Sciences 22 265-279 (1981)
35 The CAESAR committee CAESAR Competition for Authenticated EncryptionSecurity Applicability and Robustness httpcompetitionscryptocaesarhtml
36 IEEE Standard for Local and Metropolitan Area Networks Media Access Control(MAC) Security IEEE Std 8021AE-2006 (2006)
37 Information Technology - Security Techniques - Authenticated EncryptionISOIEC 197722009 International Standard ISOIEC 19772 (2009)
38 NIST Lightweight Cryptography httpscsrcnistgovProjects
Lightweight-Cryptography
39 National Security Agency Internet Protocol Security (IPsec) Minimum EssentialInteroperability Requirements IPMEIR Version 100 Core (2010) httpwwwnsagoviaprogramssuitebcryptographyindexshtml
40 Sage Documentation SageMath Help httpwwwsagemathorg
21
- Universal Forgery Attack against GCM-RUP
- Yanbin Li Gaeumltan Leurent Meiqin Wang Wei Wang Guoyan Zhang Yu Liu
-
No 2017CXGC0704 Natural Science Foundation of Shandong Province Chinaunder Grant No ZR2016FM22
References
1 Andreeva E Bogdanov A Luykx A Mennink B Mouha N Yasuda K How toSecurely Release Unverified Plaintext in Authenticated Encryption In Sarkar PIwata T (Eds) ASIACRYPT 2014 PART I LNCS 8873 pp 105ndash125 Springer
2 Ashur T Dunkelman O Luykx A Boosting Authenticated Encryption Robust-ness with Minimal Modifications In Katz J Shacham H (Eds) CRYPTO 2017Part III LNCS 10403 pp 3-33 Springer
3 Bellare M Namprempre C Authenticated Encryption Relations among Notionsand Analysis of the Generic Composition Paradigm In Okamoto T (Eds) ASI-ACRYPT 2000 LNCS 1976 pp 531ndash545 Springer
4 Bhargavan K Leurent G On the practical (in-)security of 64-bit block ciphersCollision attacks on HTTP over TLS and OpenVPN In Weippl ER Katzen-beisser S Kruegel C Myers AC Halevi S (eds) ACM CCS 2016 pp 456ndash467ACM Press (Oct 2016)
5 Cantor DG Zassenhaus H A new algorithm for factoring polynomials overfinite fields Mathematics of Computation pp 587ndash592 (1981)
6 Chaigneau C Gilbert H Is AEZ v41 sufficiently resilient against key-recoveryattacks IACR Trans Symm Cryptol 2016(1) 114ndash133 (2016) httptosc
iacrorgindexphpToSCarticleview538
7 Dierks T Allen C RFC 2246 - The TLS Protocol Version 10 Internet ActivitiesBoard (Jan 1999)
8 Dworkin M Recommendation for Block Cipher Modes of Operation Ga-loisCounter Mode (GCM) and GMAC National Institute of Standards and Tech-nology SP 800-38D November 2007
9 Ferguson N Collision attacks on OCB Comment to NIST (Feb 2002)
10 Fuhr T Leurent G Suder V Collision attacks against CAESAR candidates -forgery and key-recovery against AEZ and Marble In Iwata T Cheon JH (eds)ASIACRYPT 2015 Part II LNCS vol 9453 pp 510ndash532 Springer Heidelberg(Nov Dec 2015)
11 Gligor V Donescu P Fast Encryption and Authentication XCBC Encryptionand XECB Authentication Modes In Matsui M (Eds) FSE 2001 LNCS 2355pp 92-108 Springer
12 Gueron S Lindell Y GCM-SIV Full Nonce Misuse-Resistant Authenticated En-cryption at Under One Cycle per Byte In Ray I Li N Kruegel C (Eds) Pro-ceedings of the 22nd ACM SIGSAC Conference on Computer and CommunicationsSecurity Denver CO USA 12ndash16 October 2015 pp 109-119 ACM (2015)
13 Halevi S Rogaway P A Parallelizable Enciphering Mode In Okamoto T (Eds)CT-RSA 2004 LNCS 2964 pp 292ndash304 Springer
14 Hoang VT Krovetz T Rogaway P Robust Authenticated-Encryption AEZ andthe Problem That It Solves In Oswald E Fischlin M (eds) EUROCRYPT 2015LNCS vol 9056 pp 15-44 Springer Berlin Heidelberg
15 Inoue A Iwata T Minematsu K Poettering B Cryptanalysis of OCB2 At-tacks on Authenticity and Confidentiality In Boldyreva A Micciancio D (eds)CRYPTO 2019 LNCS vol 11692 Springer Cham
19
16 Iwata T Ohashi K Minematsu K Breaking and repairing GCM securityproofs In Safavi-Naini R Canetti R (eds) CRYPTO 2012 LNCS vol 7417pp 31ndash49 Springer Heidelberg (Aug 2012)
17 Joux A Comments on the Draft GCM Specification - Authentication Fail-ures in NIST Version of GCM httpcsrcnistgovgroupsSTtoolkitBCMdocumentscomments800-38Series-DraftsGCMJouxcommentspdf
18 Jutla C Encryption Modes with Almost Free Message Integrity In Pfitzmann B(Eds) EUROCRYPT 2001 LNCS 2045 pp 529-544 Springer
19 Leurent G Peyrin T Wang L New generic attacks against hash-based MACsIn Sako K Sarkar P (eds) ASIACRYPT 2013 Part II LNCS vol 8270 pp1ndash20 Springer Heidelberg (Dec 2013)
20 Leurent G Sibleyras F The missing difference problem and its applications tocounter mode encryption In Nielsen JB Rijmen V (eds) EUROCRYPT 2018Part II LNCS vol 10821 pp 745ndash770 Springer Heidelberg (Apr May 2018)
21 Liskov M Rivest RL Wagner D Tweakable Block Ciphers In Yung M (Eds)CRYPTO 2002 LNCS 2442 pp 31-46 Springer
22 Luykx A Preneel B Optimal forgeries against polynomial-based MACs andGCM In Nielsen JB Rijmen V (eds) EUROCRYPT 2018 Part I LNCS vol10820 pp 445ndash467 Springer Heidelberg (Apr May 2018)
23 McGrew D Viega J The Security and Performance of the GaloisCounter Mode(GCM) of Operation In Canteaut A Viswanathan K (eds) INDOCRYPT 2004LNCS vol 3348 pp 343-355 Springer Berlin Heidelberg
24 Minematsu K Iwata T Tweak-length extension for tweakable blockciphers InGroth J (ed) 15th IMA International Conference on Cryptography and CodingLNCS vol 9496 pp 77ndash93 Springer Heidelberg (Dec 2015)
25 Mitchell CJ On the security of XCBC TMAC and OMAC Technical Re-port RHUL-MA-2003-4 19 August 2003 Available at httpwwwrhulac
ukmathematicstechreports Also available from NISTrsquos web page at http
csrcnistgovCryptoToolkitmodescomments
26 Nandi M Bernstein bound on WCS is tight - repairing Luykx-Preneel optimalforgeries In Shacham H Boldyreva A (eds) CRYPTO 2018 Part II LNCSvol 10992 pp 213ndash238 Springer Heidelberg (Aug 2018)
27 Peyrin T Wang L Generic universal forgery attack on iterative hash-basedMACs In Nguyen PQ Oswald E (eds) EUROCRYPT 2014 LNCS vol 8441pp 147ndash164 Springer Heidelberg (May 2014)
28 Phan R CW Mini Advanced Encryption Standard (Mini-AES) A Testbed forCryptanalysis Students In Cryptologia XXVI (4) 2002 httpsstaffguilanacirstaffusersrebrahimifckeditor_repofilemini-aes-specpdf
29 Preneel B van Oorschot PC On the security of two MAC algorithms In Mau-rer UM (ed) EUROCRYPTrsquo96 LNCS vol 1070 pp 19ndash32 Springer Heidelberg(May 1996)
30 Rogaway P Bellare M Black J OCB A Block-Cipher Mode of Operation forEfficient Authenticated Encryption Transactions on Information and System Se-curity Vol 6 No 3 August 2003 pp 365-403
31 Rogaway P Shrimpton T A Provable-Security Treatment of the Key-WrapProblem In Vaudenay S (Eds) EUROCRYPT 2006 LNCS 4004 pp 373-390Springer
32 Shrimpton T Terashima RS A Modular Framework for Building Variable-Input-Length Tweakable Ciphers In Sako K Sarkar P (Eds) ASIACRYPT 2013 PartI LNCS 8269 pp 405ndash423 Springer
20
33 Sung J Hong D Lee S Key recovery attacks on the RMAC TMAC andIACBC In Safavi-Naini R Seberry J (eds) ACISP 03 LNCS vol 2727 pp265ndash273 Springer Heidelberg (Jul 2003)
34 Wegman MN Carter L New Hash Functions and Their Use in Authenticationand Set Equality Journal of Computer and System Sciences 22 265-279 (1981)
35 The CAESAR committee CAESAR Competition for Authenticated EncryptionSecurity Applicability and Robustness httpcompetitionscryptocaesarhtml
36 IEEE Standard for Local and Metropolitan Area Networks Media Access Control(MAC) Security IEEE Std 8021AE-2006 (2006)
37 Information Technology - Security Techniques - Authenticated EncryptionISOIEC 197722009 International Standard ISOIEC 19772 (2009)
38 NIST Lightweight Cryptography httpscsrcnistgovProjects
Lightweight-Cryptography
39 National Security Agency Internet Protocol Security (IPsec) Minimum EssentialInteroperability Requirements IPMEIR Version 100 Core (2010) httpwwwnsagoviaprogramssuitebcryptographyindexshtml
40 Sage Documentation SageMath Help httpwwwsagemathorg
21
- Universal Forgery Attack against GCM-RUP
- Yanbin Li Gaeumltan Leurent Meiqin Wang Wei Wang Guoyan Zhang Yu Liu
-
16 Iwata T Ohashi K Minematsu K Breaking and repairing GCM securityproofs In Safavi-Naini R Canetti R (eds) CRYPTO 2012 LNCS vol 7417pp 31ndash49 Springer Heidelberg (Aug 2012)
17 Joux A Comments on the Draft GCM Specification - Authentication Fail-ures in NIST Version of GCM httpcsrcnistgovgroupsSTtoolkitBCMdocumentscomments800-38Series-DraftsGCMJouxcommentspdf
18 Jutla C Encryption Modes with Almost Free Message Integrity In Pfitzmann B(Eds) EUROCRYPT 2001 LNCS 2045 pp 529-544 Springer
19 Leurent G Peyrin T Wang L New generic attacks against hash-based MACsIn Sako K Sarkar P (eds) ASIACRYPT 2013 Part II LNCS vol 8270 pp1ndash20 Springer Heidelberg (Dec 2013)
20 Leurent G Sibleyras F The missing difference problem and its applications tocounter mode encryption In Nielsen JB Rijmen V (eds) EUROCRYPT 2018Part II LNCS vol 10821 pp 745ndash770 Springer Heidelberg (Apr May 2018)
21 Liskov M Rivest RL Wagner D Tweakable Block Ciphers In Yung M (Eds)CRYPTO 2002 LNCS 2442 pp 31-46 Springer
22 Luykx A Preneel B Optimal forgeries against polynomial-based MACs andGCM In Nielsen JB Rijmen V (eds) EUROCRYPT 2018 Part I LNCS vol10820 pp 445ndash467 Springer Heidelberg (Apr May 2018)
23 McGrew D Viega J The Security and Performance of the GaloisCounter Mode(GCM) of Operation In Canteaut A Viswanathan K (eds) INDOCRYPT 2004LNCS vol 3348 pp 343-355 Springer Berlin Heidelberg
24 Minematsu K Iwata T Tweak-length extension for tweakable blockciphers InGroth J (ed) 15th IMA International Conference on Cryptography and CodingLNCS vol 9496 pp 77ndash93 Springer Heidelberg (Dec 2015)
25 Mitchell CJ On the security of XCBC TMAC and OMAC Technical Re-port RHUL-MA-2003-4 19 August 2003 Available at httpwwwrhulac
ukmathematicstechreports Also available from NISTrsquos web page at http
csrcnistgovCryptoToolkitmodescomments
26 Nandi M Bernstein bound on WCS is tight - repairing Luykx-Preneel optimalforgeries In Shacham H Boldyreva A (eds) CRYPTO 2018 Part II LNCSvol 10992 pp 213ndash238 Springer Heidelberg (Aug 2018)
27 Peyrin T Wang L Generic universal forgery attack on iterative hash-basedMACs In Nguyen PQ Oswald E (eds) EUROCRYPT 2014 LNCS vol 8441pp 147ndash164 Springer Heidelberg (May 2014)
28 Phan R CW Mini Advanced Encryption Standard (Mini-AES) A Testbed forCryptanalysis Students In Cryptologia XXVI (4) 2002 httpsstaffguilanacirstaffusersrebrahimifckeditor_repofilemini-aes-specpdf
29 Preneel B van Oorschot PC On the security of two MAC algorithms In Mau-rer UM (ed) EUROCRYPTrsquo96 LNCS vol 1070 pp 19ndash32 Springer Heidelberg(May 1996)
30 Rogaway P Bellare M Black J OCB A Block-Cipher Mode of Operation forEfficient Authenticated Encryption Transactions on Information and System Se-curity Vol 6 No 3 August 2003 pp 365-403
31 Rogaway P Shrimpton T A Provable-Security Treatment of the Key-WrapProblem In Vaudenay S (Eds) EUROCRYPT 2006 LNCS 4004 pp 373-390Springer
32 Shrimpton T Terashima RS A Modular Framework for Building Variable-Input-Length Tweakable Ciphers In Sako K Sarkar P (Eds) ASIACRYPT 2013 PartI LNCS 8269 pp 405ndash423 Springer
20
33 Sung J Hong D Lee S Key recovery attacks on the RMAC TMAC andIACBC In Safavi-Naini R Seberry J (eds) ACISP 03 LNCS vol 2727 pp265ndash273 Springer Heidelberg (Jul 2003)
34 Wegman MN Carter L New Hash Functions and Their Use in Authenticationand Set Equality Journal of Computer and System Sciences 22 265-279 (1981)
35 The CAESAR committee CAESAR Competition for Authenticated EncryptionSecurity Applicability and Robustness httpcompetitionscryptocaesarhtml
36 IEEE Standard for Local and Metropolitan Area Networks Media Access Control(MAC) Security IEEE Std 8021AE-2006 (2006)
37 Information Technology - Security Techniques - Authenticated EncryptionISOIEC 197722009 International Standard ISOIEC 19772 (2009)
38 NIST Lightweight Cryptography httpscsrcnistgovProjects
Lightweight-Cryptography
39 National Security Agency Internet Protocol Security (IPsec) Minimum EssentialInteroperability Requirements IPMEIR Version 100 Core (2010) httpwwwnsagoviaprogramssuitebcryptographyindexshtml
40 Sage Documentation SageMath Help httpwwwsagemathorg
21
- Universal Forgery Attack against GCM-RUP
- Yanbin Li Gaeumltan Leurent Meiqin Wang Wei Wang Guoyan Zhang Yu Liu
-
33 Sung J Hong D Lee S Key recovery attacks on the RMAC TMAC andIACBC In Safavi-Naini R Seberry J (eds) ACISP 03 LNCS vol 2727 pp265ndash273 Springer Heidelberg (Jul 2003)
34 Wegman MN Carter L New Hash Functions and Their Use in Authenticationand Set Equality Journal of Computer and System Sciences 22 265-279 (1981)
35 The CAESAR committee CAESAR Competition for Authenticated EncryptionSecurity Applicability and Robustness httpcompetitionscryptocaesarhtml
36 IEEE Standard for Local and Metropolitan Area Networks Media Access Control(MAC) Security IEEE Std 8021AE-2006 (2006)
37 Information Technology - Security Techniques - Authenticated EncryptionISOIEC 197722009 International Standard ISOIEC 19772 (2009)
38 NIST Lightweight Cryptography httpscsrcnistgovProjects
Lightweight-Cryptography
39 National Security Agency Internet Protocol Security (IPsec) Minimum EssentialInteroperability Requirements IPMEIR Version 100 Core (2010) httpwwwnsagoviaprogramssuitebcryptographyindexshtml
40 Sage Documentation SageMath Help httpwwwsagemathorg
21
- Universal Forgery Attack against GCM-RUP
- Yanbin Li Gaeumltan Leurent Meiqin Wang Wei Wang Guoyan Zhang Yu Liu
-