Galois/Counter Mode

GCM mode (Galois/Counter Mode) is a mode of operation for symmetric key cryptographic block ciphers. It is an authenticated encryption algorithm designed to provide both authentication and privacy. GCM mode is defined for block ciphers with a block size of 128 bits. GMAC is an authentication-only variant of the GCM.

Encryption and authentication

As the name suggests, GCM mode combines the well-known counter mode of encryption with the new Galois mode of authentication. The key feature is that the Galois field multiplication used for authentication can be easily computed in parallel, thus permitting higher throughput than the authentication algorithms that use chaining modes, like CBC. The GF(2^128) field used is defined by the polynomial



The GHASH function is defined by



where the inputs A and C, and the variables X_i for i = 0, ..., m + n + 1 are defined as



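As an added worked example (not part of the original article), the following Python implements GCM's GF(2^128) multiplication, the GHASH function and the final tag computation, using the bit ordering the specification prescribes, with optional tag truncation as discussed under Tag size below. The hash subkey H, ciphertext C and encrypted initial counter block E_K(Y_0) are test-vector values taken from the GCM specification (McGrew and Viega), not from this page, and AES itself is left to the caller.

```python
import hmac

# Reduction constant R = 11100001 || 0^120 for GCM's GF(2^128) polynomial.
R = 0xE1 << 120

def gf128_mul(x: int, y: int) -> int:
    """Multiply GF(2^128) elements in GCM bit order (spec bit 0 = MSB of the block)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:            # spec's x_i, leftmost bit first
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1   # V <- V * x, reduced
    return z

def _blocks(data: bytes):
    """Yield 128-bit blocks of data as integers, zero-padding the last one."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\x00"), "big")

def ghash(h: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """GHASH_H(A, C): X_0 = 0, X_i = (X_{i-1} xor block_i) * H over the blocks of
    A then C, then one more multiply after xoring in the 64-bit bit-lengths."""
    hk, x = int.from_bytes(h, "big"), 0
    for blk in list(_blocks(aad)) + list(_blocks(ciphertext)):
        x = gf128_mul(x ^ blk, hk)
    lengths = ((len(aad) * 8) << 64) | (len(ciphertext) * 8)
    return gf128_mul(x ^ lengths, hk).to_bytes(16, "big")

def gcm_tag(h: bytes, aad: bytes, ciphertext: bytes, ek_y0: bytes,
            tag_bits: int = 128) -> bytes:
    """Tag = MSB_t(GHASH_H(A, C) xor E_K(Y_0)). ek_y0, the encrypted initial
    counter block, is supplied by the caller; AES itself is not implemented here."""
    full = bytes(a ^ b for a, b in zip(ghash(h, aad, ciphertext), ek_y0))
    return full[:tag_bits // 8]

def verify_tag(expected: bytes, received: bytes) -> bool:
    """Constant-time comparison; the caller should also count failures per key."""
    return hmac.compare_digest(expected, received)

# Test case 2 of the GCM specification (McGrew & Viega): K, IV and P all zero.
# These values come from the spec, not from this page: H = AES_K(0^128),
# C = the CTR-mode ciphertext, EK_Y0 = E_K(Y_0).
H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
EK_Y0 = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")
```

With these inputs `ghash(H, b"", C)` yields the specification's GHASH value and `gcm_tag` the specification's tag; passing `tag_bits=96` returns the 96-bit truncation.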
GCM mode was designed by John Viega and David A. McGrew as an improvement to Carter-Wegman Counter (CWC) mode.

GCM mode is used in the IEEE 802.1AE (MACsec) Ethernet security, ANSI (INCITS) Fibre Channel Security Protocols (FC-SP), IEEE P1619.1 tape storage, and IETF IPsec standards.

On November 26, 2007, NIST announced the release of NIST Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, making GCM and GMAC official standards.

Performance

GCM requires one block cipher operation and one 128-bit multiplication in the Galois field for each 128-bit block of encrypted and authenticated data.

Tag size

The bit-length of the tag, denoted , is a security parameter. In general, may be any one of the following five values: 128, 120, 112, 104, or 96. For certain applications, may be 64 or 32, but the use of these two tag lengths constrains the length of the input data and the lifetime of the key. Appendix C in NIST SP 800-38D provides guidance for these constraints (for example, if and the maximal packet size is bytes, then the authentication decryption function should be invoked no more than times; if and the maximal packet size is bytes, then the authentication decryption function should be invoked no more than times).

As with any tag-based authentication mechanism, if the adversary chooses a -bit tag at random, it is expected to be correct for given data with probability . With GCM, however, an adversary can choose tags that increase this probability, proportional to the total length of the ciphertext and additional authenticated data (AAD). Consequently, GCM is not well-suited for use with short tag lengths or very long messages.

In particular, if denotes the total number of blocks in the encoding (the input to the GHASH function), then there is a method of constructing a targeted ciphertext forgery that is expected to succeed with a probability of approximately . Moreover, each successful forgery in this attack increases the probability that subsequent targeted forgeries will succeed, and leaks information about the hash subkey, . Eventually, may be compromised entirely and the authentication assurance is completely lost.

Independent of this attack, an adversary may attempt to systematically guess many different tags for a given input to authenticated decryption, and thereby increase the probability that one (or more) of them, eventually, will be accepted as valid. For this reason, the system or protocol that implements GCM should monitor and, if necessary, limit the number of unsuccessful verification attempts for each key.

Patents

According to the , GCM is unencumbered by patents.

See also

  • Block cipher modes of operation


External links

  • RFC 4106: The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)
  • RFC 4543: The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH
  • works on P1619.1 standard; the latest draft can be obtained from the mailing list archives.
  • works on project.