When using GCM, the padding string $0^{31}\|1$ is appended to the IV. I know that this is done to avoid the repetition of $E_K(0^n)$, which is used as the key for GHASH. But what would be the security implications if the IV could be $0^n$? What concrete attacks would be possible then?
1 Answer
If the counter mode started at $\text{Nonce}\mathbin\|0^{32}$ instead of at $\text{Nonce}\mathbin\|0^{31}\mathbin\|1$ then one could submit an encryption query for $(0^{96},0^{128})$, i.e. the 128-bit all-zero plaintext along with the all-zero nonce. The first block of the ciphertext would then be computed as $E_K(0^{128})\oplus 0^{128}=E_K(0^{128})$ which is just the global GHash key $H$ and the blinding value for the $0^{96}$ nonce.
If you have both of these values, and the latter one is leaked through a similar strategy for each nonce value, you can do arbitrary modifications of the ciphertext, which directly propagate into the plaintext through counter mode's homomorphic property, fully recompute the authentication tag yourself, and submit that to your decryption oracle, which will accept the tag and return a valid decryption 100% of the time. This completely breaks all security notions that try to ensure some form of integrity (e.g. CCA-security, INT-PTXT, INT-CTXT, AE, ...).
And even if you specifically disallow $0^{96}$ as a nonce, you still get the blinding value which allows you to recover $H$ at least for single-block messages given that the tag is $((c_1\cdot H)\oplus (\operatorname{len}(A)\mathbin\|\operatorname{len}(C)))\cdot H\oplus E_K(\text{Nonce}\|0^{32})=c_1\cdot H^2\oplus (\operatorname{len}(A)\mathbin\|\operatorname{len}(C))\cdot H\oplus E_K(\text{Nonce}\|0^{32})=\tau$ which is a quadratic equation in one unknown over a field which is solvable using the standard equation and a square-root computing method.
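The following is an added example, not part of the question or the answer above. It models the two counter layouts the answer contrasts, standard GCM with $J_0 = \text{Nonce}\|0^{31}\|1$ versus the hypothetical $\text{Nonce}\|0^{32}$ start, and checks two things: that only the hypothetical layout lets an all-zero nonce and all-zero plaintext block return $H = E_K(0^{128})$ as ciphertext, and that the single-block tag really has the form $c_1\cdot H^2\oplus(\operatorname{len}(A)\|\operatorname{len}(C))\cdot H\oplus E_K(J_0)$ quoted in the answer. The block cipher is an assumption: HMAC-SHA256 truncated to 128 bits stands in for AES so the script runs on the standard library alone; the GF($2^{128}$) multiplication and GHASH follow NIST SP 800-38D, and the conclusions do not depend on which cipher is plugged in.

```python
# Added example (not from the original Q&A): why GCM's J0 = nonce||0^31||1
# keeps the GHASH key H = E_K(0^128) out of the keystream, plus a check of the
# single-block tag algebra quoted in the answer.
import hashlib
import hmac

BLOCK = 16
# Reduction constant for GF(2^128) in GCM's bit-reflected representation.
R = 0xE1000000000000000000000000000000
# Length block for no AAD and a single 128-bit ciphertext block: len(A) || len(C).
LEN_BLOCK = bytes(8) + (128).to_bytes(8, "big")


def E(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher E_K. ASSUMPTION: HMAC-SHA256 truncated to
    128 bits instead of AES; the counter-mode / GHASH structure is unchanged."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def gf_mul(x: int, y: int) -> int:
    """Multiply two 128-bit field elements (NIST SP 800-38D, Algorithm 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:  # bit i of y, leftmost bit first
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash(h: int, blocks) -> int:
    """GHASH_H over a list of 16-byte blocks: Y_i = (Y_{i-1} xor X_i) * H."""
    y = 0
    for b in blocks:
        y = gf_mul(y ^ int.from_bytes(b, "big"), h)
    return y


def inc32(block: bytes) -> bytes:
    """Increment the low 32 bits of a counter block (mod 2^32)."""
    ctr = (int.from_bytes(block[12:], "big") + 1) & 0xFFFFFFFF
    return block[:12] + ctr.to_bytes(4, "big")


def encrypt_one_block(key: bytes, nonce: bytes, pt: bytes, zero_start: bool) -> dict:
    """Encrypt one 16-byte block with no AAD and return the pieces of the tag.
    zero_start=False: standard GCM, J0 = nonce||0^31||1, data uses inc32(J0).
    zero_start=True : the answer's hypothetical layout, counter starts at
                      nonce||0^32 and that same block masks the tag."""
    assert len(nonce) == 12 and len(pt) == BLOCK
    h = int.from_bytes(E(key, bytes(BLOCK)), "big")  # H = E_K(0^128)
    if zero_start:
        j0 = nonce + bytes(4)
        data_ctr = j0
    else:
        j0 = nonce + b"\x00\x00\x00\x01"
        data_ctr = inc32(j0)
    c1 = bytes(a ^ b for a, b in zip(pt, E(key, data_ctr)))
    ek_j0 = int.from_bytes(E(key, j0), "big")  # tag mask ("blinding value")
    tag = ghash(h, [c1, LEN_BLOCK]) ^ ek_j0
    return {"c1": c1, "tag": tag, "h": h, "ek_j0": ek_j0}


def first_block_equals_h(key: bytes, zero_start: bool) -> bool:
    """Query (nonce, plaintext) = (0^96, 0^128); does the ciphertext equal H?"""
    out = encrypt_one_block(key, bytes(12), bytes(BLOCK), zero_start)
    return int.from_bytes(out["c1"], "big") == out["h"]


def tag_matches_answer_formula(key: bytes, nonce: bytes, pt: bytes, zero_start: bool) -> bool:
    """Check tag == c1*H^2 xor (len(A)||len(C))*H xor E_K(J0), the expanded
    form of ((c1*H) xor lens)*H xor E_K(J0) given in the answer."""
    out = encrypt_one_block(key, nonce, pt, zero_start)
    c1 = int.from_bytes(out["c1"], "big")
    lens = int.from_bytes(LEN_BLOCK, "big")
    h = out["h"]
    rhs = gf_mul(c1, gf_mul(h, h)) ^ gf_mul(lens, h) ^ out["ek_j0"]
    return rhs == out["tag"]


if __name__ == "__main__":
    key = bytes(range(16))  # constructed sample key
    print("standard GCM leaks H on zero query:   ", first_block_equals_h(key, False))
    print("nonce||0^32 layout leaks H on zero query:", first_block_equals_h(key, True))
    print("tag has the quadratic form (standard): ",
          tag_matches_answer_formula(key, b"\x01" * 12, b"\xaa" * 16, False))
```

With the standard layout the counter field of a data block is never all zeros (it starts at 2 and the tag uses 1), so no encryption query can ever evaluate $E_K$ on $0^{128}$; with the hypothetical layout the single query $(0^{96}, 0^{128})$ returns $H$ directly. The second check only confirms the field algebra: $((c_1 H)\oplus L)H = c_1 H^2 \oplus L H$ by distributivity, which is what makes the tag a degree-2 polynomial in $H$ once $E_K(J_0)$ is known.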