Welcome to the resource topic for 2013/157

Title:
The fragility of AES-GCM authentication algorithm

Authors: Shay Gueron, Vlad Krasnov

A new implementation of the GHASH function has been recently committed to a Git version of OpenSSL, to speed up AES-GCM. We identified a bug in that implementation, and made sure it was quickly fixed before trickling into an official OpenSSL trunk. Here, we use this (already fixed) bug as a real example that demonstrates the fragility of AES-GCM’s authentication algorithm (GHASH). One might expect that incorrect MAC tag generation would only cause legitimate message-tag pairs to fail authentication (which is already a serious problem). However, since GHASH is a “polynomial evaluation” MAC, the bug can be exploited for actual message forgery.

ePrint: https://eprint.iacr.org/2013/157

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .