@inproceedings{ea6737db906e41fc8b682cb86cb1d80f,
title = "The Fragility of {AES-GCM} Authentication Algorithm",
abstract = "A new implementation of the GHASH function was recently committed to a development (Git) branch of OpenSSL, to speed up AES-GCM. We identified a bug in that implementation and made sure it was quickly fixed before it could trickle into an official OpenSSL trunk. Here, we use this (already fixed) bug as a real example that demonstrates the fragility of AES-GCM's authentication algorithm (GHASH). One might expect that incorrect MAC tag generation would only cause legitimate message-tag pairs to fail authentication (which is already a serious problem, as it amounts to a denial of service). However, since GHASH is a 'polynomial evaluation' MAC, an implementation bug in the tag computation can be exploited for actual message forgery, not merely for rejecting valid messages.",
keywords = "AES-GCM, Component, GHASH, Message forgery, OpenSSL, Polynomial evaluation MAC",
author = "Shay Gueron and Vlad Krasnov",
year = "2014",
doi = "10.1109/ITNG.2014.31",
language = "English",
isbn = "9781479931873",
series = "ITNG 2014 - Proceedings of the 11th International Conference on Information Technology: New Generations",
publisher = "IEEE Computer Society",
pages = "333--337",
booktitle = "ITNG 2014 - Proceedings of the 11th International Conference on Information Technology: New Generations",
address = "United States",
note = "11th International Conference on Information Technology: New Generations, ITNG 2014 ; Conference date: 7--9 April 2014",
}