33

What are the disadvantages and weaknesses of AES-GCM mode for authenticated encryption?

Why does the CAESAR competition say that one of its goals is to "find an AE scheme that offers an advantage over AES-GCM"? What advantage are they talking about?

Maarten Bodewes
user2035863

2 Answers

42

AES-GCM has the following problems:

  • In the case of nonce reuse, both integrity and confidentiality properties are violated. If the same nonce is used twice, an adversary can create forged ciphertexts easily.
  • When short tags are used, it is rather easy to produce message forgeries. For instance, if the tag is 32 bits, then after $2^{16}$ forgery attempts and $2^{16}$ encryptions of chosen plaintexts (also of length $2^{16}$), a forged ciphertext can be produced. Creation of forgeries can be instantaneous when enough forgeries have been found.
  • The GCM security proof has a flaw. It has been repaired recently, but the new security bounds are far worse for nonces not 12 bytes long.
  • GCM implementations are vulnerable to timing attacks if they do not use special AES instructions. The vulnerability remains even if the AES itself is implemented in constant time. Constant-time implementations of GCM exist, but they are rather slow.
  • GCM restricts the message length to 68 GBytes, which might be undesirable in the future. The total amount of data allowed to be encrypted under a single key is limited to $2^{64}$ blocks, but this number decreases if long nonces are allowed.
  • Reasonably fast implementations of GCM require specific lookup tables, which do not fit into fast memory (L1 cache or similar) on some architectures.
  • GCM is vulnerable to cycling attacks; bad values of the internal $H$ key, which can be pre-calculated for specific AES key values, can negatively impact security.
Maarten Bodewes
Dmitry Khovratovich
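The nonce-reuse bullet of the answer above, worked through as an added example (this is not the answer's code, and it is not a full AES-GCM implementation). GHASH and the GF(2^128) arithmetic follow NIST SP 800-38D and are checked against the GCM spec's test case 2, but the AES-derived secrets of one (key, nonce) pair, namely H = E_K(0^128), the tag mask S = E_K(J0) and the CTR keystream, are replaced by constructed random values, since only their reuse across two messages matters for the attack. Restricting to two single-block messages of equal length with no AAD keeps the recovery to one division and one square root; in the general case (more blocks, unequal lengths, AAD) the attacker instead finds the roots of a polynomial in H over GF(2^128), which is Joux's "forbidden attack" on GCM.

```python
import os

# GF(2^128) as used by GHASH (NIST SP 800-38D): bit 0 of a block is the MSB,
# reduction constant R = 11100001 || 0^120.
R = 0xE1 << 120
ONE = 1 << 127          # multiplicative identity in this bit order


def gf_mul(x: int, y: int) -> int:
    """SP 800-38D Algorithm 1: multiply two blocks in GHASH's field."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf_pow(x: int, e: int) -> int:
    """Square-and-multiply in GF(2^128)."""
    result = ONE
    while e:
        if e & 1:
            result = gf_mul(result, x)
        x, e = gf_mul(x, x), e >> 1
    return result


def gf_inv(x: int) -> int:
    return gf_pow(x, (1 << 128) - 2)      # x^(2^128 - 2) = 1/x for x != 0


def gf_sqrt(x: int) -> int:
    return gf_pow(x, 1 << 127)            # (x^(2^127))^2 = x^(2^128) = x


def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """GHASH_H(A, C): zero-pad A and C to 16-byte blocks, then absorb the bit-length block."""
    x = 0
    for data in (aad, ct):
        for off in range(0, len(data), 16):
            block = data[off:off + 16].ljust(16, b"\0")
            x = gf_mul(x ^ int.from_bytes(block, "big"), h)
    return gf_mul(x ^ ((len(aad) * 8) << 64 | (len(ct) * 8)), h)


def gcm_tag(h: int, s: int, aad: bytes, ct: bytes) -> int:
    """Tag = GHASH_H(A, C) xor S, where real GCM has S = AES_K(J0)."""
    return ghash(h, aad, ct) ^ s


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def ghash_known_answer() -> bool:
    """GCM spec test case 2 (K = 0, IV = 0^96, P = 0^128): validates the field arithmetic."""
    h = 0x66E94BD4EF8A2C3B884CFA59CA342B2E                   # AES_K(0^128) for K = 0
    c = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")   # the single ciphertext block
    return ghash(h, b"", c) == 0xF38CBB1AD69223DCC3457AE5B6B0F885


def recover_h_and_s(c1: bytes, t1: int, c2: bytes, t2: int):
    """Attacker side. Two single-block ciphertexts of equal length, no AAD, same nonce:
       T1 ^ T2 = (C1 ^ C2) * H^2   (S and the length blocks cancel), hence
       H = sqrt((T1 ^ T2) / (C1 ^ C2))  and  S = T1 ^ GHASH_H(C1)."""
    assert len(c1) == len(c2) <= 16 and c1 != c2
    b1 = int.from_bytes(c1.ljust(16, b"\0"), "big")
    b2 = int.from_bytes(c2.ljust(16, b"\0"), "big")
    h = gf_sqrt(gf_mul(t1 ^ t2, gf_inv(b1 ^ b2)))
    return h, t1 ^ ghash(h, b"", c1)


def demo() -> dict:
    # Constructed stand-ins for the AES-derived secrets of one (key, nonce) pair.
    h_true = int.from_bytes(os.urandom(16), "big")   # real GCM: AES_K(0^128)
    s_true = int.from_bytes(os.urandom(16), "big")   # real GCM: AES_K(J0)
    ks = os.urandom(16)                              # real GCM: CTR keystream block for J0+1
    p1, p2 = b"transfer 100 USD", b"transfer 250 USD"     # constructed plaintexts
    c1, c2 = xor(p1, ks), xor(p2, ks)                     # same nonce used twice
    t1, t2 = gcm_tag(h_true, s_true, b"", c1), gcm_tag(h_true, s_true, b"", c2)

    h, s = recover_h_and_s(c1, t1, c2, t2)
    p_forged = b"transfer 999 USD"
    c_forged = xor(p_forged, xor(c1, p1))        # keystream = C1 ^ P1 once P1 is known
    t_forged = gcm_tag(h, s, b"", c_forged)      # forged with the recovered H and S
    return {
        "xor_leak": xor(c1, c2) == xor(p1, p2),             # confidentiality lost
        "h_recovered": h == h_true,
        "s_recovered": s == s_true,
        "forgery_accepted": t_forged == gcm_tag(h_true, s_true, b"", c_forged),
    }
```

Once H and S are known, every further message under that nonce can be forged without any more queries, and H alone (which does not depend on the nonce) already lets the attacker forge for any other nonce whose tag mask S it can learn from one valid message.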
8

I suppose one of the problems (they mention several after a short reading) with a mode like GCM is nonce misuse (e.g. reuse). When the key is the same and the nonce is reused, by misunderstanding the concept or by a simple programming error, information about the plaintexts can be revealed.

Phillip Rogaway has already defined an encryption mode (SIV, Synthetic IV) which tries to be more robust against nonce misuse. But it is quite slow, as it requires processing the data twice. It is also not "online", as the first data processing must be finished before the second can start.

Thor
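The SIV structure this answer describes, as an added toy illustration (not the answer's code and not RFC 5297 AES-SIV): the synthetic IV is a PRF over the nonce and the entire plaintext, and it then serves as the counter-mode IV, which is why encryption needs two passes and cannot emit ciphertext before the last plaintext byte has been read. To run with the standard library only, HMAC-SHA256 is used in place of AES-CMAC as the PRF and an HMAC-based counter keystream in place of AES-CTR; the keys, nonce and plaintexts are constructed.

```python
import hashlib
import hmac
import os


def prf(key: bytes, *parts: bytes) -> bytes:
    """PRF over a length-prefixed encoding of (nonce, plaintext): the 16-byte synthetic IV."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(8, "big") + part)
    return mac.digest()[:16]


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream derived from the IV (stand-in for AES-CTR)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def siv_encrypt(k_mac: bytes, k_enc: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    iv = prf(k_mac, nonce, plaintext)            # pass 1: needs the whole plaintext
    ks = keystream(k_enc, iv, len(plaintext))    # pass 2: encrypt under the synthetic IV
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def siv_decrypt(k_mac: bytes, k_enc: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:16], ciphertext[16:]
    plaintext = bytes(c ^ k for c, k in zip(body, keystream(k_enc, iv, len(body))))
    # The IV doubles as the tag: recompute it and compare in constant time.
    if not hmac.compare_digest(prf(k_mac, nonce, plaintext), iv):
        raise ValueError("SIV authentication failed")
    return plaintext


def demo() -> dict:
    k_mac, k_enc, nonce = os.urandom(16), os.urandom(16), os.urandom(12)   # constructed
    p1, p2 = b"transfer 100 USD", b"transfer 250 USD"
    c1 = siv_encrypt(k_mac, k_enc, nonce, p1)
    c2 = siv_encrypt(k_mac, k_enc, nonce, p2)          # nonce reused, different plaintext
    c1_again = siv_encrypt(k_mac, k_enc, nonce, p1)    # nonce and plaintext both reused
    body_xor = bytes(a ^ b for a, b in zip(c1[16:], c2[16:]))
    tampered = c1[:16] + bytes([c1[16] ^ 1]) + c1[17:]
    try:
        siv_decrypt(k_mac, k_enc, nonce, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "roundtrip": siv_decrypt(k_mac, k_enc, nonce, c1) == p1,
        "different_ivs": c1[:16] != c2[:16],               # IV depends on the plaintext
        "xor_leak": body_xor == bytes(a ^ b for a, b in zip(p1, p2)),
        "deterministic_repeat": c1 == c1_again,            # the only leak: equality
        "tamper_detected": tamper_detected,
    }
```

With the nonce reused, the two plaintexts get independent IVs, so the ciphertext bodies no longer XOR to the plaintext XOR as they would under GCM; what SIV does leak is that an identical (nonce, plaintext) pair produces an identical ciphertext.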