29 research outputs found

    Revisiting MAC Forgeries, Weak Keys and Provable Security of Galois/Counter Mode of Operation

    Abstract. Galois/Counter Mode (GCM) is a block cipher mode of operation widely adopted in many practical applications and standards, such as IEEE 802.1AE and IPsec. We demonstrate that to construct successful forgeries of GCM-like polynomial-based MAC schemes, hash collisions are not necessarily required and any polynomials could be used in the attacks, which removes the restrictions of attacks previously proposed by Procter and Cid. Based on these new discoveries on forgery attacks, we show that all subsets with no less than two authentication keys are weak key classes, if the final block cipher masking is computed additively. In addition, by utilizing a special structure of GCM, we turn these forgery attacks into birthday attacks, which will significantly increase their success probabilities. Furthermore, we provide a method to fix GCM in order to avoid the security proof flaw discovered by Iwata, Ohashi and Minematsu. By applying the method, the security bounds of GCM can be improved by a factor of around $2^{20}$. Lastly, we show that these forgery attacks will still succeed if GCM adopts MAC-then-Enc paradigm to protect its MAC scheme as one of the options mentioned in previous papers.

    On Weak Keys and Forgery Attacks Against Polynomial-Based MAC Schemes

    Abstract. Universal hash functions are commonly used primitives for fast and secure message authentication in the form of Message Authentication Codes (MACs) or Authenticated Encryption with Associated Data (AEAD) schemes. These schemes are widely used and standardised, the most well known being McGrew and Viega’s Galois/Counter Mode (GCM). In this paper we identify some properties of hash functions based on polynomial evaluation that arise from the underlying algebraic structure. As a result we are able to describe a general forgery attack, of which Saarinen’s cycling attack from FSE 2012 is a special case. Our attack removes the requirement for long messages and applies regardless of the field in which the hash function is evaluated. Furthermore we provide a common description of all published attacks against GCM, by showing that the existing attacks are the result of these algebraic properties of the polynomial-based hash function. We also greatly expand the number of known weak GCM keys and show that almost every subset of the keyspace is a weak key class. Finally, we demonstrate that these algebraic properties and corresponding attacks are highly relevant to GCM/$2^+$, a variant of GCM designed to increase the efficiency in software.

    On Message Authentication in 4G LTE System

    After decades of evolution, the cellular system has become an indispensable part of modern life. Together with the convenience brought by the cellular system, many security issues have arisen. Message integrity protection is one of the urgent problems. The integrity of a message is usually protected by message authentication code (MAC). Forgery attacks are the primary threat to message integrity. By Simon's definition, forgery is twofold. The first is impersonation forgery, in which the opponent can forge a MAC without knowing any message-MAC pairs. The second is substitution forgery, in which the opponent can forge a MAC by knowing certain message-MAC pairs. In the 4G LTE system, MAC is applied not only to RRC control messages and user data, but also to authentication of the identities in the radio network during the authentication and key agreement (AKA) procedure. There is a set of functions used in AKA, which is called A3/A8. Originally, only one cipher suite called MILENAGE followed the definition of A3/A8. Recently, Vodafone has proposed another candidate called TUAK. This thesis first analyzes a MAC algorithm of the 4G LTE system called EIA1. The analysis shows that because of its linear structure, given two valid message-MAC pairs generated by EIA1, attackers can forge up to $2^{32}$ valid MACs by the algorithm called linear forgery attack proposed in this thesis. This thesis also proposes a well-designed scenario, in which attackers can apply the linear forgery attack to the real system. The second work presented in this thesis fixes the gap between the almost XOR universal property and the substitution forgery probability, and assesses the security of EIA1 under different attack models. After the security analysis, an optimized EIA1 using an efficient polynomial evaluation method is proposed. This polynomial evaluation method is analogous to the fast Fourier transform.
Compared with Horner's rule, which is used in the official implementation of EIA1, this method reduces the number of multiplications over finite field dramatically. The improvement is shown by the experiment results, which suggests that the optimized code is much faster than the official implementation, and the polynomial evaluation method is better than Horner's rule. The third work in this thesis assesses the security of TUAK, and proves TUAK is a secure algorithm set, which means $f_1$, $f_1^*$, and $f_2$ are resistant to forgery attacks, and key recovery attacks; $f_3$ - $f_5$, and $f_5^*$ are resistant to key recovery attacks and collision. A novel technique called multi-output filtering model is proposed in this work in order to study the non-randomness property of TUAK and other cryptographic primitives, such as AES, KASUMI, and PRESENT. A multi-output filtering model consists of a linear feedback shift register (LFSR) and a multi-output filtering function. The contribution of this research is twofold. First, an attack technique under IND-CPA using the multi-output filtering model is proposed. By introducing a distinguishing function, we theoretically determine the success rate of this attack. In particular, we construct a distinguishing function based on the distribution of the linear complexity of component sequences, and apply it on studying TUAK's $f_1$ algorithm, AES, KASUMI and PRESENT. The experiments demonstrate that the success rate of the attack on KASUMI and PRESENT is non-negligible, but $f_1$ and AES are resistant to this attack. Second, this research studies the distribution of the cryptographic properties of component functions of a random primitive in the multi-output filtering model. The experiments show some non-randomness in the distribution of the algebraic degree and nonlinearity for KASUMI. The last work is constructing two MACs.
The first MAC called WGIA-128 is a variant of EIA1, and requires the underlying stream cipher to generate uniformly distributed key streams. WG-16, a stream cipher with provable security, is a good choice to be the underlying cipher of WGIA-128 because it satisfies the requirement. The second MAC called AMAC is constructed upon APN functions. We propose two different constructions of AMAC, and both of these two constructions have provable security. The probability of substitution forgery attacks against both constructions of AMAC is upper bounded by a negligible value. Compared with EIA1 and EIA3, two message authentication codes used in the 4G LTE system, both constructions of AMAC are slower than EIA3, but much faster than EIA1. Moreover, both constructions of AMAC are resistant to cycling and linear forgery attacks, which can be applied to both EIA1 and EIA3.

    Partition Oracles from Weak Key Forgeries

    In this work, we show how weak key forgeries against polynomial hash based Authenticated Encryption (AE) schemes, such as AES-GCM, can be leveraged to launch partitioning oracle attacks. Partitioning oracle attacks were recently introduced by Len et al. (Usenix'21) as a new class of decryption error oracle which, conceptually, takes a ciphertext as input and outputs whether or not the decryption key belongs to some known subset of keys. Partitioning oracle attacks allow an adversary to query multiple keys simultaneously, leading to practical attacks against low entropy keys (e.g. those derived from passwords). Weak key forgeries were given a systematic treatment in the work of Procter and Cid (FSE'13), who showed how to construct MAC forgeries that effectively test whether the decryption key is in some (arbitrary) set of target keys. Consequently, it would appear that weak key forgeries naturally lend themselves to constructing partition oracles; we show that this is indeed the case, and discuss some practical applications of such an attack. Our attack applies in settings where AE schemes are used with static session keys, and has the particular advantage that an attacker has full control over the underlying plaintexts, allowing any format checks on underlying plaintexts to be met -- including those designed to mitigate against partitioning oracle attacks. Prior work demonstrated that key commitment is an important security property of AE schemes, in particular settings. Our results suggest that resistance to weak key forgeries should be considered a related design goal. Lastly, our results reinforce the message that weak passwords should never be used to derive encryption keys.

    Modeling of the Selective Counter Mode with Accelerated Generation of a Message Authentication Code

    This article discusses the selective Galois counter mode with rapid generation of the Galois message authentication code (Galois/Counter Mode and GMAC - GCM & GMAC). The specification of this mode is presented in NIST SP 800-38D. The mode is designed for rapid cryptographic transformation in providing information security services using different cryptographic primitives, such as polynomial hashing, counter and others. Use of the mode ensures the integrity and confidentiality of information. The article develops a reduced model of the mode. The reduced model preserves the algebraic structure of all main cryptographic transformations by scaling them. The reduced model will be used for experimental studies of the collision properties of generated message authentication codes using the methods of statistical hypothesis testing and mathematical statistics. The article discusses practical examples of cryptoprimitives and cryptotransformations. The selective counter mode with accelerated generation of a message authentication code (Galois/Counter Mode and GMAC), whose specification is given in NIST SP 800-38D, is considered. A reduced model of the mode is developed that preserves the algebraic structure of all main cryptographic transformations and, by scaling them, makes it possible to carry out experimental studies of the collision properties of the generated message authentication codes, with subsequent prediction of the level of cryptographic strength of the full version of the cipher.

    Ubiquitous Weak-key Classes of BRW-polynomial Function

    BRW-polynomial function is suggested as a preferred alternative of polynomial function, owing to its high efficiency and seemingly non-existent weak keys. In this paper we investigate the weak-key issue of BRW-polynomial function as well as BRW-instantiated cryptographic schemes. Though, in BRW-polynomial evaluation, the relationship between coefficients and input blocks is indistinct, we give out a recursive algorithm to compute another $(2^{v+1}-1)$-block message, for any given $(2^{v+1}-1)$-block message, such that their output-differential through BRW-polynomial evaluation, equals any given $s$-degree polynomial, where $v\ge\lfloor\log_2(s+1)\rfloor$. With such algorithm, we illustrate that any non-empty key subset is a weak-key class in BRW-polynomial function. Moreover any key subset of BRW-polynomial function, consisting of at least $2$ keys, is a weak-key class in BRW-instantiated cryptographic schemes like the Wegman-Carter scheme, the UHF-then-PRF scheme, DCT, etc. Especially in the AE scheme DCT, its confidentiality, as well as its integrity, collapses totally, when using weak keys of BRW-polynomial function, which are ubiquitous.

    Optimal Forgeries Against Polynomial-Based MACs and GCM

    Polynomial-based authentication algorithms, such as GCM and Poly1305, have seen widespread adoption in practice. Due to their importance, a significant amount of attention has been given to understanding and improving both proofs and attacks against such schemes. At EUROCRYPT 2005, Bernstein published the best known analysis of the schemes when instantiated with PRPs, thereby establishing the most lenient limits on the amount of data the schemes can process per key. A long line of work, initiated by Handschuh and Preneel at CRYPTO 2008, finds the best known attacks, advancing our understanding of the fragility of the schemes. Yet surprisingly, no known attacks perform as well as the predicted worst-case attacks allowed by Bernstein's analysis, nor has there been any advancement in proofs improving Bernstein's bounds, and the gap between attacks and analysis is significant. We settle the issue by finding a novel attack against polynomial-based authentication algorithms using PRPs, and combine it with new analysis, to show that Bernstein's bound, and our attacks, are optimal.