
Galois/Counter Mode

Wikipedia: Galois/Counter Mode

GCM mode (Galois/Counter Mode) is a mode of operation for symmetric key cryptographic block ciphers. It is an authenticated encryption algorithm designed to provide both authentication and privacy. GCM mode is defined for block ciphers with a block size of 128 bits. GMAC is an authentication-only variant of the GCM.

Encryption and authentication

(Figure: GCM encryption operation)

As the name suggests, GCM mode combines the well-known counter mode of encryption with the newer Galois mode of authentication. Its key feature is that the Galois field multiplication used for authentication can be computed in parallel, which permits higher throughput than authentication algorithms that use chaining modes, like CBC. The field GF(2^128) is defined by the polynomial

x^{128} + x^7 + x^2 + x + 1

The GHASH function is defined by

\text{GHASH}(H, A, C) = X_{m+n+1}

where A (the additional authenticated data) consists of m 128-bit blocks, C (the ciphertext) consists of n 128-bit blocks, the final blocks A^*_m and C^*_n may be partial with bit lengths v and u respectively, and the variables X_i for i = 0, ..., m + n + 1 are defined as[1]

X_i =
 \begin{cases}
  0 & \text{for } i = 0 \\
  (X_{i-1} \oplus A_i) \cdot H & \text{for } i = 1, \ldots, m-1 \\
  (X_{m-1} \oplus (A^*_m \lVert 0^{128-v})) \cdot H & \text{for } i = m \\
  (X_{i-1} \oplus C_{i-m}) \cdot H & \text{for } i = m+1, \ldots, m+n-1 \\
  (X_{m+n-1} \oplus (C^*_n \lVert 0^{128-u})) \cdot H & \text{for } i = m+n \\
  (X_{m+n} \oplus (\operatorname{len}(A) \lVert \operatorname{len}(C))) \cdot H & \text{for } i = m+n+1
 \end{cases}
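The field multiplication and the GHASH recurrence above, as an added example that is not part of the original article. Blocks are treated as 128-bit integers read big-endian, with GCM's bit ordering (the leftmost bit of a block is the coefficient of x^0); the final tag step assumes E_K(Y_0) is supplied by the caller, since the block cipher itself is out of scope here.

```python
# Added example (not from the article): GCM's GF(2^128) multiplication and the
# GHASH function as defined above. Blocks are 128-bit integers from big-endian bytes.

R = 0xE1 << 120      # x^128 + x^7 + x^2 + x + 1 in GCM bit order (leftmost bit = x^0)
ONE = 1 << 127       # multiplicative identity: the block 80 00 ... 00

def gf_mult(x: int, y: int) -> int:
    """Multiply two field elements (Algorithm 1 of the GCM specification)."""
    z, v = 0, y
    for i in range(127, -1, -1):                 # bits of x from x_0 (MSB) to x_127
        if (x >> i) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1    # v := v * x, reduced modulo R
    return z

def _blocks(data: bytes):
    """Split into 128-bit blocks; a final partial block is right-padded with zeros."""
    for off in range(0, len(data), 16):
        yield int.from_bytes(data[off:off + 16].ljust(16, b"\0"), "big")

def ghash(h: int, aad: bytes, ciphertext: bytes) -> int:
    """GHASH(H, A, C) = X_{m+n+1}, following the case analysis above."""
    x = 0                                                    # X_0
    for block in list(_blocks(aad)) + list(_blocks(ciphertext)):
        x = gf_mult(x ^ block, h)                            # X_i = (X_{i-1} xor block) . H
    lengths = ((len(aad) * 8) << 64) | (len(ciphertext) * 8) # len(A) || len(C), in bits
    return gf_mult(x ^ lengths, h)                           # X_{m+n+1}

def gcm_tag(h: int, aad: bytes, ciphertext: bytes, enc_y0: int) -> int:
    """Full 128-bit tag T = GHASH(H, A, C) xor E_K(Y_0); E_K(Y_0) is supplied by the caller."""
    return ghash(h, aad, ciphertext) ^ enc_y0

# Constructed check against Test Case 2 of the McGrew/Viega GCM test vectors:
# all-zero key, all-zero 96-bit IV, one all-zero plaintext block, no AAD.
H2 = 0x66e94bd4ef8a2c3b884cfa59ca342b2e                     # H = E_K(0^128)
C2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")      # the single ciphertext block
EKY0_2 = 0x58e2fccefa7e3061367f1d57a4e7455a                 # E_K(Y_0)

if __name__ == "__main__":
    print(f"GHASH = {ghash(H2, b'', C2):032x}")
    print(f"T     = {gcm_tag(H2, b'', C2, EKY0_2):032x}")
```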

GCM mode was designed by John Viega and David A. McGrew as an improvement to Carter–Wegman Counter (CWC) mode.

On November 26, 2007, NIST announced the release of NIST Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, making GCM and GMAC official standards.

Use

GCM mode is used in IEEE 802.1AE (MACsec) Ethernet security, the ANSI (INCITS) Fibre Channel Security Protocols (FC-SP), IEEE P1619.1 tape storage, the IETF IPsec standards[2][3] and SSH.[4]

Performance

GCM requires one block cipher operation and one 128-bit multiplication in the Galois field for each 128-bit block of encrypted and authenticated data.

Tag size

The bit-length of the tag, denoted t, is a security parameter. In general, t may be any one of the following five values: 128, 120, 112, 104, or 96. For certain applications, t may be 64 or 32, but the use of these two tag lengths constrains the length of the input data and the lifetime of the key. Appendix C in NIST SP 800-38D provides guidance for these constraints (for example, if t = 32 and the maximal packet size is 2^10 bytes, then the authenticated decryption function should be invoked no more than 2^11 times; if t = 64 and the maximal packet size is 2^15 bytes, then the authenticated decryption function should be invoked no more than 2^32 times).

As with any tag-based authentication mechanism, if the adversary chooses a t-bit tag at random, it is expected to be correct for given data with probability 2^{-t}. With GCM, however, an adversary can choose tags that increase this probability, proportional to the total length of the ciphertext and additional authenticated data (AAD). Consequently, GCM is not well suited for use with short tag lengths or very long messages.

In particular, if n denotes the total number of blocks in the encoding (the input to the GHASH function), then there is a method of constructing a targeted ciphertext forgery that is expected to succeed with a probability of approximately n · 2^{-t}. Moreover, each successful forgery in this attack increases the probability that subsequent targeted forgeries will succeed, and leaks information about the hash subkey H. Eventually, H may be compromised entirely and the authentication assurance is completely lost.[5]

Independent of this attack, an adversary may attempt to systematically guess many different tags for a given input to authenticated decryption, and thereby increase the probability that one (or more) of them, eventually, will be accepted as valid. For this reason, the system or protocol that implements GCM should monitor and, if necessary, limit the number of unsuccessful verification attempts for each key.
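One way to act on the two recommendations above (the Appendix C packet-size and invocation limits for short tags, and monitoring and limiting failed verifications per key), as an added example that is not part of the original article. The `TagVerifier` class, the compare-against-recomputed-tag interface, the default failure budget and the absence of a packet-size limit for tags of 96 bits and longer are assumptions made for this example.

```python
# Added example (not from the article): a per-key guard for GCM tag verification.
# It applies the SP 800-38D Appendix C figures quoted above for 32- and 64-bit tags,
# compares tags in constant time, and retires the key after too many rejected tags.
import hmac

# tag bits -> (max packet size in bytes, max authenticated-decryption invocations)
# The two rows are the figures quoted above; longer tags get no such limit here (assumption).
LIMITS = {32: (2 ** 10, 2 ** 11), 64: (2 ** 15, 2 ** 32)}
ALLOWED_TAG_BITS = (128, 120, 112, 104, 96, 64, 32)

class TagVerifier:
    def __init__(self, tag_bits: int, max_failures: int = 1 << 20):  # failure budget: assumption
        if tag_bits not in ALLOWED_TAG_BITS:
            raise ValueError("unsupported tag length")
        self.tag_bytes = tag_bits // 8
        self.max_packet, self.max_invocations = LIMITS.get(tag_bits, (None, None))
        self.max_failures = max_failures
        self.invocations = 0
        self.failures = 0
        self.retired = False

    def verify(self, packet: bytes, recomputed: bytes, received: bytes) -> bool:
        """True only if the received tag matches the recomputed one and the key is within budget.

        `recomputed` is the full 128-bit tag computed from the packet; only its
        leftmost t bits are compared, as GCM truncates tags from the left.
        """
        if self.retired or len(received) != self.tag_bytes:
            return False
        if self.max_packet is not None and len(packet) > self.max_packet:
            return False                       # packet too large for this tag length
        self.invocations += 1
        if self.max_invocations is not None and self.invocations > self.max_invocations:
            self.retired = True                # key lifetime for this tag length is exhausted
            return False
        ok = hmac.compare_digest(recomputed[:self.tag_bytes], received)  # constant-time compare
        if not ok:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.retired = True            # too many rejected tags: stop using this key
        return ok
```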

Patents

According to the authors' statement, GCM is unencumbered by patents.

Notes

  1. David A. McGrew and John Viega, "The Galois/Counter Mode of Operation (GCM)", page 5, 2005
  2. RFC 4106, The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)
  3. RFC 4543, The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH
  4. RFC 5647, AES Galois Counter Mode for the Secure Shell Transport Layer Protocol
  5. Niels Ferguson, Authentication Weaknesses in GCM, 2005-05-20

Copyrights:

Wikipedia. This article is licensed under the Creative Commons Attribution/Share-Alike License. It uses material from the Wikipedia article "Galois/Counter Mode".