
The Galois/Counter Mode of Operation (GCM)


Presentation Transcript


  1. The Galois/Counter Mode of Operation (GCM) Advanced Security and Authentication Professor: Hong, Sugwon Presenter: Tran, Nhat-Phuong High Performance Computing (HPC) Lab

  2. Content • Introduction • Inputs and Outputs • Symbols • Authenticated Encryption and Decryption Operations • Can GCM Be Parallelized? • Software and Hardware Implementation

  3. Introduction • By David A. McGrew and John Viega • NIST-recommended mode providing authenticated encryption • GCM is a high-throughput mode that can be implemented efficiently in hardware and software • GCM is a block cipher mode of operation that uses universal hashing over a binary Galois field to provide authenticated encryption • GCM combines the counter mode of encryption with the Galois mode of authentication

  4. Inputs and Outputs
     Sender AE black box
     • Input: a secret key K; an initialization vector IV; a plaintext P; additional authenticated data A
     • Output: a ciphertext C; an authentication tag T
     Receiver AE black box
     • Input: a secret key K; an initialization vector IV; a ciphertext C; additional authenticated data A; an authentication tag T
     • Output: if the tag is verified, the plaintext P; else FAIL

  5. Symbols

  6. Variables • C The ciphertext • H The hash subkey • IV The initialization vector • K The block cipher key • P The plaintext • R The constant for the multiplication algorithm • T The authentication tag

  7. Operations and Functions • 0^s • The bit string that consists of s '0' bits • CIPH_K(X) • The output of the forward cipher function of the block cipher under the key K applied to the block X • GCTR_K(ICB, X) • The output of the GCTR function for a given block cipher with key K applied to the bit string X with an initial counter block ICB • GHASH_H(X) • The output of the GHASH function under the parameter H applied to the bit string X • inc(X) • The output of the GCM incrementing function applied to the block X

  8. Operations and Functions • int(X) • The integer for which the bit string X is a binary representation • len(X) • The bit length of the bit string X • LSB_s(X) • The bit string consisting of the s right-most bits of the bit string X • MSB_s(X) • The bit string consisting of the s left-most bits of the bit string X • ⌈x⌉ • The least integer that is not less than the real number x

  9. Operations and Functions • [x]_s • The binary representation of the non-negative integer x as a string of s bits, where x < 2^s • X>>1 • The bit string that results from discarding the right-most bit of the bit string X and appending a '0' bit on the left • X||Y • The concatenation of the two bit strings X and Y • X ⊕ Y • The bitwise exclusive-OR of two bit strings X and Y of the same length • X · Y • The product of two blocks, X and Y, regarded as elements of a certain binary Galois field

  10. The incrementing function • Defined on a block X as follows: • Used to generate a sequence of blocks from an initial block

  11. The Field GF(2^128) • A finite field (Galois field) of characteristic 2. The elements of GF(2^128) are polynomials over GF(2) • GCM uses the fixed polynomial: • In bit operations, f can be expressed as R = 11100001 || 0^120 • Defined by multiplication and addition operations • The addition of two elements X and Y consists of adding the polynomials together

  12. The Multiplication Operations on Blocks

  13. The GHASH function

  14. The GHASH function

  15. The GCTR function

  16. The GCTR function

  17. The GCTR function

  18. Authenticated Encryption and Decryption Operations

  19. Authenticated Encryption Operation

  20. Authenticated Encryption Operation

  21. Authenticated Encryption Operation

  22. Authenticated Decryption Operation

  23. Authenticated Decryption Operation

  24. Authenticated Decryption Operation

  25. Can GCM be parallelized?

  26. Two parts of GCM Encryption Authentication

  27. Encryption Part • Counters are generated once from the IV • The pool of counter blocks is used to encrypt blocks in parallel

  28. Authentication Part • The first multiplication is independent • Subsequent multiplications depend on the ciphertext from the encryption phase • Focus on parallelizing the multiplication function

  29. Software and Hardware Implementation

  30. Software Implementation • The operation H · X is linear in the bits of X, over the field GF(2) • This can be exploited to make an efficient table-driven implementation • Tables are computed for a particular value of H • The storage requirements can be reduced by using only the table M0

  31. Software Implementation

  32. Software Implementation

  33. Hardware Implementation • A hardware implementation of GCM, showing the different data paths through the circuit (figure labels: input, output, switch)

  34. Hardware Implementation Pipelined high-speed implementations of AES-128 GCM

  35. References • NIST website, http://csrc.nist.gov/index.html • Wikipedia, http://en.wikipedia.org • M. Dworkin, “Recommendation for Block Cipher Modes of Operation: Methods and Techniques”, NIST Special Publication 800-38A • M. Dworkin, “Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) for Confidentiality and Authentication”, NIST Special Publication 800-38D • David A. McGrew and John Viega, “The Galois/Counter Mode of Operation (GCM)”
