Why doesn't GMAC/GCM encrypt its authentication tag?How to communicate authentication tag for GCM?Does the GCM authentication tag need to be protected?Do Carter–Wegman MACs allow key reuse if the MAC tag is kept secret?Nonce for AES GCM to prevent replay attacksHow does GCM/GMAC work?Are tags longer than 128 bit possible for AES-256-CCM and AES-256-GCM?Any benefit to encrypting IV and MAC in a mode like AES-GCM or ChaChaPoly?Nonce-misuse-resistance scheme applied after the fact to AES-GCM for defense in depth?
Tiny image scraper for xkcd.com
What is the majority of the UK Government as of 2019-09-04?
What's the eccentricity of an orbit (trajectory) falling straight down towards the center?
How do I anonymously report the Establishment Clause being broken?
ASCII Maze Rendering 3000
Round away from zero
What is the source of the fear in the Hallow spell's extra Fear effect?
Default argument for a functor in a templated parameter
Is there any difference between these two sentences? (Adverbs)
What drugs were used in England during the High Middle Ages?
In the DC universe, which characters assumed the identity of the Red Hood?
What's the point of this macro?
Are language and thought the same?
What are some countries where you can be imprisoned for reading or owning a Bible?
How does the UK House of Commons think they can prolong the deadline of Brexit?
Mute single speaker?
Where on Earth is it easiest to survive in the wilderness?
How do I delete cookies from a specific site?
Is directly echoing the user agent in PHP a security hole?
Shoes for commuting
Life post thesis submission is terrifying - Help!
'Hard work never hurt anyone' Why not 'hurts'?
Never make public members virtual/abstract - really?
Global variables and information security
Why doesn't GMAC/GCM encrypt its authentication tag?
How to communicate authentication tag for GCM?Does the GCM authentication tag need to be protected?Do Carter–Wegman MACs allow key reuse if the MAC tag is kept secret?Nonce for AES GCM to prevent replay attacksHow does GCM/GMAC work?Are tags longer than 128 bit possible for AES-256-CCM and AES-256-GCM?Any benefit to encrypting IV and MAC in a mode like AES-GCM or ChaChaPoly?Nonce-misuse-resistance scheme applied after the fact to AES-GCM for defense in depth?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
$begingroup$
As most know, a duplicate nonce with GMAC/GCM allows key recovery attacks against GMAC itself and thus the ability to forge messages. This is because GMAC computes GHASH and then just XORs this with AES(j) where j is the GCM counter. If a nonce is duplicate you get identical AES(j) which lets you XOR and get the raw GHASH and then attack the GCM polynomial.
Why doesn't GCM encrypt its final authentication tag using AES in ECB mode (one ECB block)? If performance is a concern and you want to avoid doing two AES encryptions why not do AES(GHASH(m) ^ j) or similar? GHASH(m) XOR AES(j) seems like it's begging for sudden death on nonce reuse. Why do that?
It seems like this simple design change would have made GCM/GMAC more resistant to nonce repetition. You'd still be able to XOR ciphertexts just like you can with any stream cipher when a nonce is repeated but you wouldn't be able to compromise the authentication key, right?
algorithm-design gcm aes-gcm
asked 10 hours ago
Adam IerymenkoAdam Ierymenko
3512 bronze badges
$endgroup$
add a comment |
$begingroup$
As most know, a duplicate nonce with GMAC/GCM allows key recovery attacks against GMAC itself and thus the ability to forge messages. This is because GMAC computes GHASH and then just XORs this with AES(j) where j is the GCM counter. If a nonce is duplicate you get identical AES(j) which lets you XOR and get the raw GHASH and then attack the GCM polynomial.
Why doesn't GCM encrypt its final authentication tag using AES in ECB mode (one ECB block)? If performance is a concern and you want to avoid doing two AES encryptions why not do AES(GHASH(m) ^ j) or similar? GHASH(m) XOR AES(j) seems like it's begging for sudden death on nonce reuse. Why do that?
It seems like this simple design change would have made GCM/GMAC more resistant to nonce repetition. You'd still be able to XOR ciphertexts just like you can with any stream cipher when a nonce is repeated but you wouldn't be able to compromise the authentication key, right?
algorithm-design gcm aes-gcm
asked 10 hours ago
Adam IerymenkoAdam Ierymenko
3512 bronze badges
$endgroup$
2
$begingroup$
Maybe it is because reusing the same (edit: keyed) symmetric cipher for two different purposes may create unforeseen issues during correct usage, e.g. when the input of the MAC value is identical to a previous input.
$endgroup$
– Maarten Bodewes♦
9 hours ago
$begingroup$
Hmm... I suspect you're right. This is probably why SIV modes and modes that use a separate out-of-band MAC often use two different keys: one for encryption and one for MAC. I'm still not sure I see it though... or are they just playing it safe?
$endgroup$
– Adam Ierymenko
9 hours ago
1
$begingroup$
Could be that they're playing it safe. Could also be that the security proof would become more complicated otherwise, you would have one more thing to proof after all.
$endgroup$
– Maarten Bodewes♦
9 hours ago
$begingroup$
Yeah... it's just that "sudden total flaming death" on nonce reuse is a footgun.
$endgroup$
– Adam Ierymenko
9 hours ago
1
$begingroup$
There's little point in this because all is lost anyways on nonce reuse (namely the CTR encryption leaks plaintext XORs), so might as well make the best out of the situation, also if we would encrypt it would no longer be a Carter-Wegman MAC.
$endgroup$
– SEJPM♦
7 hours ago
add a comment |
$begingroup$
As most know, a duplicate nonce with GMAC/GCM allows key recovery attacks against GMAC itself and thus the ability to forge messages. This is because GMAC computes GHASH and then just XORs this with AES(j) where j is the GCM counter. If a nonce is duplicate you get identical AES(j) which lets you XOR and get the raw GHASH and then attack the GCM polynomial.
Why doesn't GCM encrypt its final authentication tag using AES in ECB mode (one ECB block)? If performance is a concern and you want to avoid doing two AES encryptions why not do AES(GHASH(m) ^ j) or similar? GHASH(m) XOR AES(j) seems like it's begging for sudden death on nonce reuse. Why do that?
It seems like this simple design change would have made GCM/GMAC more resistant to nonce repetition. You'd still be able to XOR ciphertexts just like you can with any stream cipher when a nonce is repeated but you wouldn't be able to compromise the authentication key, right?
algorithm-design gcm aes-gcm
asked 10 hours ago
Adam IerymenkoAdam Ierymenko
3512 bronze badges
$endgroup$
As most know, a duplicate nonce with GMAC/GCM allows key recovery attacks against GMAC itself and thus the ability to forge messages. This is because GMAC computes GHASH and then just XORs this with AES(j) where j is the GCM counter. If a nonce is duplicate you get identical AES(j) which lets you XOR and get the raw GHASH and then attack the GCM polynomial.
Why doesn't GCM encrypt its final authentication tag using AES in ECB mode (one ECB block)? If performance is a concern and you want to avoid doing two AES encryptions why not do AES(GHASH(m) ^ j) or similar? GHASH(m) XOR AES(j) seems like it's begging for sudden death on nonce reuse. Why do that?
It seems like this simple design change would have made GCM/GMAC more resistant to nonce repetition. You'd still be able to XOR ciphertexts just like you can with any stream cipher when a nonce is repeated but you wouldn't be able to compromise the authentication key, right?
algorithm-design gcm aes-gcm
algorithm-design gcm aes-gcm
asked 10 hours ago
Adam IerymenkoAdam Ierymenko
3512 bronze badges
asked 10 hours ago
Adam IerymenkoAdam Ierymenko
3512 bronze badges
asked 10 hours ago
Adam IerymenkoAdam Ierymenko
3512 bronze badges
asked 10 hours ago
Adam IerymenkoAdam Ierymenko
3512 bronze badges
asked 10 hours ago
Adam IerymenkoAdam Ierymenko
3512 bronze badges
3512 bronze badges
2
$begingroup$
Maybe it is because reusing the same (edit: keyed) symmetric cipher for two different purposes may create unforeseen issues during correct usage, e.g. when the input of the MAC value is identical to a previous input.
$endgroup$
– Maarten Bodewes♦
9 hours ago
$begingroup$
Hmm... I suspect you're right. This is probably why SIV modes and modes that use a separate out-of-band MAC often use two different keys: one for encryption and one for MAC. I'm still not sure I see it though... or are they just playing it safe?
$endgroup$
– Adam Ierymenko
9 hours ago
1
$begingroup$
Could be that they're playing it safe. Could also be that the security proof would become more complicated otherwise, you would have one more thing to proof after all.
$endgroup$
– Maarten Bodewes♦
9 hours ago
$begingroup$
Yeah... it's just that "sudden total flaming death" on nonce reuse is a footgun.
$endgroup$
– Adam Ierymenko
9 hours ago
1
$begingroup$
There's little point in this because all is lost anyways on nonce reuse (namely the CTR encryption leaks plaintext XORs), so might as well make the best out of the situation, also if we would encrypt it would no longer be a Carter-Wegman MAC.
$endgroup$
– SEJPM♦
7 hours ago
add a comment |
2
$begingroup$
Maybe it is because reusing the same (edit: keyed) symmetric cipher for two different purposes may create unforeseen issues during correct usage, e.g. when the input of the MAC value is identical to a previous input.
$endgroup$
– Maarten Bodewes♦
9 hours ago
$begingroup$
Hmm... I suspect you're right. This is probably why SIV modes and modes that use a separate out-of-band MAC often use two different keys: one for encryption and one for MAC. I'm still not sure I see it though... or are they just playing it safe?
$endgroup$
– Adam Ierymenko
9 hours ago
1
$begingroup$
Could be that they're playing it safe. Could also be that the security proof would become more complicated otherwise, you would have one more thing to proof after all.
$endgroup$
– Maarten Bodewes♦
9 hours ago
$begingroup$
Yeah... it's just that "sudden total flaming death" on nonce reuse is a footgun.
$endgroup$
– Adam Ierymenko
9 hours ago
1
$begingroup$
There's little point in this because all is lost anyways on nonce reuse (namely the CTR encryption leaks plaintext XORs), so might as well make the best out of the situation, also if we would encrypt it would no longer be a Carter-Wegman MAC.
$endgroup$
– SEJPM♦
7 hours ago
2
2
$begingroup$
Maybe it is because reusing the same (edit: keyed) symmetric cipher for two different purposes may create unforeseen issues during correct usage, e.g. when the input of the MAC value is identical to a previous input.
$endgroup$
– Maarten Bodewes♦
9 hours ago
$begingroup$
Maybe it is because reusing the same (edit: keyed) symmetric cipher for two different purposes may create unforeseen issues during correct usage, e.g. when the input of the MAC value is identical to a previous input.
$endgroup$
– Maarten Bodewes♦
9 hours ago
$begingroup$
Hmm... I suspect you're right. This is probably why SIV modes and modes that use a separate out-of-band MAC often use two different keys: one for encryption and one for MAC. I'm still not sure I see it though... or are they just playing it safe?
$endgroup$
– Adam Ierymenko
9 hours ago
$begingroup$
Hmm... I suspect you're right. This is probably why SIV modes and modes that use a separate out-of-band MAC often use two different keys: one for encryption and one for MAC. I'm still not sure I see it though... or are they just playing it safe?
$endgroup$
– Adam Ierymenko
9 hours ago
1
1
$begingroup$
Could be that they're playing it safe. Could also be that the security proof would become more complicated otherwise, you would have one more thing to proof after all.
$endgroup$
– Maarten Bodewes♦
9 hours ago
$begingroup$
Could be that they're playing it safe. Could also be that the security proof would become more complicated otherwise, you would have one more thing to proof after all.
$endgroup$
– Maarten Bodewes♦
9 hours ago
$begingroup$
Yeah... it's just that "sudden total flaming death" on nonce reuse is a footgun.
$endgroup$
– Adam Ierymenko
9 hours ago
$begingroup$
Yeah... it's just that "sudden total flaming death" on nonce reuse is a footgun.
$endgroup$
– Adam Ierymenko
9 hours ago
1
1
$begingroup$
There's little point in this because all is lost anyways on nonce reuse (namely the CTR encryption leaks plaintext XORs), so might as well make the best out of the situation, also if we would encrypt it would no longer be a Carter-Wegman MAC.
$endgroup$
– SEJPM♦
7 hours ago
$begingroup$
There's little point in this because all is lost anyways on nonce reuse (namely the CTR encryption leaks plaintext XORs), so might as well make the best out of the situation, also if we would encrypt it would no longer be a Carter-Wegman MAC.
$endgroup$
– SEJPM♦
7 hours ago
add a comment |
1 Answer
1
active
oldest
votes
$begingroup$
Latency, probably.
$mathrmGHASH_K(m) oplus mathrmAES_K(n)$ lets you compute both in parallel, whereas encrypting the $mathrmGHASH$ output would add significant latency for short messages. The authors go to great detail about this in Section 3 of the original GCM document.
A similar competing mode at the time, CWC, did indeed encrypt the MAC output but was not as efficient.
answered 6 hours ago
Samuel NevesSamuel Neves
8,14528 silver badges42 bronze badges
$endgroup$
2
$begingroup$
It is most certainly latency. GCM was originally designed to be run in a pipelined AES implementation; encrypting the tag would require another pass through the AES chain (which means that the tag wouldn't be available until 10 cycles after the rest of the message)
$endgroup$
– poncho
6 hours ago
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f73049%2fwhy-doesnt-gmac-gcm-encrypt-its-authentication-tag%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
Latency, probably.
$mathrmGHASH_K(m) oplus mathrmAES_K(n)$ lets you compute both in parallel, whereas encrypting the $mathrmGHASH$ output would add significant latency for short messages. The authors go to great detail about this in Section 3 of the original GCM document.
A similar competing mode at the time, CWC, did indeed encrypt the MAC output but was not as efficient.
answered 6 hours ago
Samuel NevesSamuel Neves
8,14528 silver badges42 bronze badges
$endgroup$
2
$begingroup$
It is most certainly latency. GCM was originally designed to be run in a pipelined AES implementation; encrypting the tag would require another pass through the AES chain (which means that the tag wouldn't be available until 10 cycles after the rest of the message)
$endgroup$
– poncho
6 hours ago
add a comment |
$begingroup$
Latency, probably.
$mathrmGHASH_K(m) oplus mathrmAES_K(n)$ lets you compute both in parallel, whereas encrypting the $mathrmGHASH$ output would add significant latency for short messages. The authors go to great detail about this in Section 3 of the original GCM document.
A similar competing mode at the time, CWC, did indeed encrypt the MAC output but was not as efficient.
answered 6 hours ago
Samuel NevesSamuel Neves
8,14528 silver badges42 bronze badges
$endgroup$
2
$begingroup$
It is most certainly latency. GCM was originally designed to be run in a pipelined AES implementation; encrypting the tag would require another pass through the AES chain (which means that the tag wouldn't be available until 10 cycles after the rest of the message)
$endgroup$
– poncho
6 hours ago
add a comment |
$begingroup$
Latency, probably.
$mathrmGHASH_K(m) oplus mathrmAES_K(n)$ lets you compute both in parallel, whereas encrypting the $mathrmGHASH$ output would add significant latency for short messages. The authors go to great detail about this in Section 3 of the original GCM document.
A similar competing mode at the time, CWC, did indeed encrypt the MAC output but was not as efficient.
answered 6 hours ago
Samuel NevesSamuel Neves
8,14528 silver badges42 bronze badges
$endgroup$
Latency, probably.
$mathrmGHASH_K(m) oplus mathrmAES_K(n)$ lets you compute both in parallel, whereas encrypting the $mathrmGHASH$ output would add significant latency for short messages. The authors go to great detail about this in Section 3 of the original GCM document.
A similar competing mode at the time, CWC, did indeed encrypt the MAC output but was not as efficient.
answered 6 hours ago
Samuel NevesSamuel Neves
8,14528 silver badges42 bronze badges
answered 6 hours ago
Samuel NevesSamuel Neves
8,14528 silver badges42 bronze badges
answered 6 hours ago
Samuel NevesSamuel Neves
8,14528 silver badges42 bronze badges
answered 6 hours ago
Samuel NevesSamuel Neves
8,14528 silver badges42 bronze badges
8,14528 silver badges42 bronze badges
2
$begingroup$
It is most certainly latency. GCM was originally designed to be run in a pipelined AES implementation; encrypting the tag would require another pass through the AES chain (which means that the tag wouldn't be available until 10 cycles after the rest of the message)
$endgroup$
– poncho
6 hours ago
add a comment |
2
$begingroup$
It is most certainly latency. GCM was originally designed to be run in a pipelined AES implementation; encrypting the tag would require another pass through the AES chain (which means that the tag wouldn't be available until 10 cycles after the rest of the message)
$endgroup$
– poncho
6 hours ago
2
2
$begingroup$
It is most certainly latency. GCM was originally designed to be run in a pipelined AES implementation; encrypting the tag would require another pass through the AES chain (which means that the tag wouldn't be available until 10 cycles after the rest of the message)
$endgroup$
– poncho
6 hours ago
$begingroup$
It is most certainly latency. GCM was originally designed to be run in a pipelined AES implementation; encrypting the tag would require another pass through the AES chain (which means that the tag wouldn't be available until 10 cycles after the rest of the message)
$endgroup$
– poncho
6 hours ago
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f73049%2fwhy-doesnt-gmac-gcm-encrypt-its-authentication-tag%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
2
$begingroup$
Maybe it is because reusing the same (edit: keyed) symmetric cipher for two different purposes may create unforeseen issues during correct usage, e.g. when the input of the MAC value is identical to a previous input.
$endgroup$
– Maarten Bodewes♦
9 hours ago
$begingroup$
Hmm... I suspect you're right. This is probably why SIV modes and modes that use a separate out-of-band MAC often use two different keys: one for encryption and one for MAC. I'm still not sure I see it though... or are they just playing it safe?
$endgroup$
– Adam Ierymenko
9 hours ago
1
$begingroup$
Could be that they're playing it safe. Could also be that the security proof would become more complicated otherwise, you would have one more thing to proof after all.
$endgroup$
– Maarten Bodewes♦
9 hours ago
$begingroup$
Yeah... it's just that "sudden total flaming death" on nonce reuse is a footgun.
$endgroup$
– Adam Ierymenko
9 hours ago
1
$begingroup$
There's little point in this because all is lost anyways on nonce reuse (namely the CTR encryption leaks plaintext XORs), so might as well make the best out of the situation, also if we would encrypt it would no longer be a Carter-Wegman MAC.
$endgroup$
– SEJPM♦
7 hours ago