Breaking and Repairing GCM Security Proofs
نویسندگان
چکیده
In this paper, we study the security proofs of GCM (Galois/Counter Mode of Operation). We first point out that a lemma, which is related to the upper bound on the probability of a counter collision, is invalid. Both the original privacy and authenticity proofs by the designers are based on the lemma. We further show that the observation can be translated into a distinguishing attack that invalidates the main part of the privacy proof. It turns out that the original security proofs of GCM contain a flaw, and hence the claimed security bounds are not justified. A very natural question is then whether the proofs can be repaired. We give an affirmative answer to the question by presenting new security bounds, both for privacy and authenticity. As a result, although the security bounds are larger than what were previously claimed, GCM maintains its provable security. We also show that, when the nonce length is restricted to 96 bits, GCM has better security bounds than a general case of variable length nonces.
منابع مشابه
AES-GCM-SIV: Specification and Analysis
In this paper, we describe and analyze the security of the AES-GCM-SIV mode of operation, as defined in the CFRG specification [10]. This mode differs from the original GCM-SIV mode that was designed in [11] in two main aspects. First, the CTR encryption uses a 127-bit pseudo-random counter instead of a 95-bit pseudo-random value concatenated with a 32-bit counter. This construction leads to im...
متن کاملAnalysis and Design of Authentication and Encryption Algorithms for Secure Cloud Systems
Along with the fast growth of networks and mobile devices, cloud computing has become one of the most attractive and effective technologies and business solutions nowadays. Increasing numbers of organizations and customers are migrating their businesses and data to the cloud due to the flexibility and cost-efficiency of cloud systems. Preventing unauthorized access of sensitive data in the clou...
متن کاملStronger Security Variants of GCM-SIV
At CCS 2015, Gueron and Lindell proposed GCM-SIV, a provably secure authenticated encryption scheme that remains secure even if the nonce is repeated. While this is an advantage over the original GCM, we first point out that GCM-SIV allows a trivial distinguishing attack with about 248 queries, where each query has one plaintext block. This shows the tightness of the security claim and does not...
متن کاملEfficient Lattice-based Authenticated Encryption: A Practice-Oriented Provable Security Approach
Lattice-based cryptography has been received significant attention in the past decade. It has attractive properties such as being a major post-quantum cryptography candidate, enjoying worst-case to average-case security reductions, and being supported by efficient implementations. In recent years, lattice-based schemes have achieved enough maturity to become interesting also for the industry. A...
متن کاملSecurity Analysis of Generalized Confidential Modulation
We propose a new evaluation method for ‘generalized confidential modulation (GCM)’ for quantum communication. Confidential modulation realizes a secret communication by using secret information for modulation and noise in a channel. Y-00 is one of the famous methods of GCM for quantum communication. The existing evaluation methods for GCM are based on stream ciphers. They can estimate its analy...
متن کامل