[Resource Topic] 2012/438: Breaking and Repairing GCM Security Proofs

Welcome to the resource topic for 2012/438

Breaking and Repairing GCM Security Proofs

Authors: Tetsu Iwata, Keisuke Ohashi, Kazuhiko Minematsu


In this paper, we study the security proofs of GCM (Galois/Counter Mode of Operation). We first point out that a lemma, which is related to the upper bound on the probability of a counter collision, is invalid. Both the original privacy and authenticity proofs by the designers are based on the lemma. We further show that the observation can be translated into a distinguishing attack that invalidates the main part of the privacy proof. It turns out that the original security proofs of GCM contain a flaw, and hence the claimed security bounds are not justified. A very natural question is then whether the proofs can be repaired. We give an affirmative answer to the question by presenting new security bounds, both for privacy and authenticity. As a result, although the security bounds are larger than what were previously claimed, GCM maintains its provable security. We also show that, when the nonce length is restricted to 96 bits, GCM has better security bounds than a general case of variable length nonces.

ePrint: https://eprint.iacr.org/2012/438

Talk: https://www.youtube.com/watch?v=QJlnR2eVqiM

Slides: https://iacr.org/cryptodb/archive/2012/CRYPTO/presentation/1-3-Iwata.pdf

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .