AES-GCM and breaking it on nonce reuse


In this post, we will look at how the security of the AES-GCM mode of operation can be completely compromised when a nonce is reused.

In this post, we'll stick to the polynomial representation, but it's good to know that the multiplication used by GHASH is also called "carry-less multiplication" or "CLMUL", especially if you're looking at the AES-NI instruction set of modern CPUs.

An attacker who does not know the key cannot modify the ciphertext or the associated data without the recipient noticing: computing the correct authentication tag requires both the hash key H and the encrypted Y0 block, and neither can be derived without the key.

If you've made it this far into the blog post, now may be a good time to take a break and let all the information sink in before we continue on to the attack on AES-GCM when a nonce is reused.
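To make the tag computation concrete, here is an added example (not code from the original post) that implements the GF(2^128) multiplication in GCM's bit-reflected convention, builds GHASH on top of it, and derives the tag as E_K(Y0) XOR GHASH(H, A, C). AES itself is not implemented; the values of H and E_K(Y0) are taken from test case 2 of the GCM specification (zero key, zero IV, one zero plaintext block) so the code runs offline and can be checked against the published tag. The final function shows the property the paragraph describes from the receiver's side: a one-bit change to the ciphertext fails verification.

```python
# Added example: GHASH over GF(2^128) and the AES-GCM tag, verified against
# test case 2 of the GCM specification. H and E_K(Y0) are inputs here, since
# AES is not implemented in this snippet.
import hmac

# Reduction polynomial x^128 + x^7 + x^2 + x + 1 in GCM's bit ordering, where
# the low-degree terms sit in the most significant byte of the block.
_R = 0xE1 << 120


def gf_mul(x: int, y: int) -> int:
    """Multiply two 128-bit field elements (Algorithm 1 of the GCM spec)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:          # bit i of x; bit 0 is the MSB
            z ^= v
        # v := v * x (the field variable), reduced modulo _R when it overflows
        v = (v >> 1) ^ _R if v & 1 else v >> 1
    return z


def _blocks(data: bytes):
    """Yield 16-byte blocks as big-endian integers, zero-padding the last one."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\x00"), "big")


def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """GHASH(H, A, C): absorb AAD blocks, ciphertext blocks, then the lengths."""
    x = 0
    for blk in _blocks(aad):
        x = gf_mul(x ^ blk, h)
    for blk in _blocks(ct):
        x = gf_mul(x ^ blk, h)
    lengths = ((len(aad) * 8) << 64) | (len(ct) * 8)   # bit lengths, 64 bits each
    return gf_mul(x ^ lengths, h)


def gcm_tag(h: int, ek_y0: int, aad: bytes, ct: bytes) -> bytes:
    """Tag = E_K(Y0) XOR GHASH(H, A, C); both H and E_K(Y0) depend on the key."""
    return (ghash(h, aad, ct) ^ ek_y0).to_bytes(16, "big")


def gcm_verify(h: int, ek_y0: int, aad: bytes, ct: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the recomputed tag with the received one."""
    return hmac.compare_digest(gcm_tag(h, ek_y0, aad, ct), tag)


# GCM spec test case 2: K = 0^128, IV = 0^96, P = 0^128, no associated data.
H = 0x66E94BD4EF8A2C3B884CFA59CA342B2E        # AES_K(0^128)
EK_Y0 = 0x58E2FCCEFA7E3061367F1D57A4E7455A    # AES_K(IV || 0^31 || 1)
CT = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
EXPECTED_TAG = bytes.fromhex("ab6e47d42cec13bdf53a67b21257bddf")


def tamper_is_detected() -> bool:
    """The genuine message verifies; flipping one ciphertext bit does not."""
    tag = gcm_tag(H, EK_Y0, b"", CT)
    forged = bytes([CT[0] ^ 0x01]) + CT[1:]
    return gcm_verify(H, EK_Y0, b"", CT, tag) and not gcm_verify(H, EK_Y0, b"", forged, tag)


if __name__ == "__main__":
    print("tag:", gcm_tag(H, EK_Y0, b"", CT).hex())
    print("tamper detected:", tamper_is_detected())
```

Note that the lengths block is folded in last, which is why an attacker cannot silently truncate or extend the ciphertext either; and because every GHASH term is multiplied by H, the tag is a polynomial in H whose coefficients are the message blocks, which is exactly the structure the nonce-reuse attack later in the post exploits when E_K(Y0) repeats.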
