Sciweavers

CRYPTO
2012
Springer

Breaking and Repairing GCM Security Proofs

12 years 2 months ago
Breaking and Repairing GCM Security Proofs
Abstract. In this paper, we study the security proofs of GCM (Galois/Counter Mode of Operation). We first point out that a lemma, which is related to the upper bound on the probability of a counter collision, is invalid. Both the original privacy and authenticity proofs by the designers are based on the lemma. We further show that the observation can be translated into a distinguishing attack that invalidates the main part of the privacy proof. It turns out that the original security proofs of GCM contain a flaw, and hence the claimed security bounds are not justified. A very natural question is then whether the proofs can be repaired. We give an affirmative answer to the question by presenting new security bounds, both for privacy and authenticity. As a result, although the security bounds are larger than what were previously claimed, GCM maintains its provable security. We also show that, when the nonce length is restricted to 96 bits, GCM has better security bounds than a general...
Tetsu Iwata, Keisuke Ohashi, Kazuhiko Minematsu
Added 28 Sep 2012
Updated 28 Sep 2012
Type Journal
Year 2012
Where CRYPTO
Authors Tetsu Iwata, Keisuke Ohashi, Kazuhiko Minematsu
Comments (0)