[Resource Topic] 2013/144: On Weak Keys and Forgery Attacks against Polynomial-based MAC Schemes

Welcome to the resource topic for 2013/144

Title:
On Weak Keys and Forgery Attacks against Polynomial-based MAC Schemes

Authors: Gordon Procter, Carlos Cid

Abstract:

Universal hash functions are commonly used primitives for fast and secure message authentication in the form of Message Authentication Codes (MACs) or Authenticated Encryption with Associated Data (AEAD) schemes. These schemes are widely used and standardised, the most well known being McGrew and Viega’s Galois/Counter Mode (GCM). In this paper we identify some properties of hash functions based on polynomial evaluation that arise from the underlying algebraic structure. As a result we are able to describe a general forgery attack, of which Saarinen’s cycling attack from FSE 2012 is a special case. Our attack removes the requirement for long messages and applies regardless of the field in which the hash function is evaluated. Furthermore we provide a common description of all published attacks against GCM, by showing that the existing attacks are the result of these algebraic properties of the polynomial-based hash function. We also greatly expand the number of known weak GCM keys and show that almost every subset of the keyspace is a weak key class. Finally, we demonstrate that these algebraic properties and corresponding attacks are highly relevant to GCM/2+, a variant of GCM designed to increase the efficiency in software.

ePrint: https://eprint.iacr.org/2013/144

Talk: https://www.youtube.com/watch?v=P3yu0JzS-5U

Slides: https://iacr.org/cryptodb/archive/2013/FSE/presentation/25072.pdf

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .