in networks with data rates in the range of Gigabits per second, encryption modes
that can be parallelized are very desirable.
5.1.6 Galois Counter Mode (GCM)
The Galois Counter Mode (GCM) is an encryption mode which also computes a
message authentication code (MAC) [160]. A MAC provides a cryptographic checksum
that is computed by the sender, Alice, and appended to the message. Bob also
computes a MAC from the message and checks whether his MAC is the same as
the one computed by Alice. This way, Bob can make sure that (1) the message was
really created by Alice and (2) that nobody tampered with the ciphertext during
transmission. These two properties are called message authentication and integrity,
respectively. Much more about MACs is found in Chap. 12. We present a slightly
simplified version of the GCM mode in the following.
GCM protects the confidentiality of the plaintext x by using an encryption in
counter mode. Additionally, GCM protects not only the authenticity of the plaintext
x but also the authenticity of a string AAD called additional authenticated data.
This authenticated data is, in contrast to the plaintext, left in clear in this mode of
operation. In practice, the string AAD might include addresses and parameters in a
network protocol.
The GCM consists of an underlying block cipher and a Galois field multiplier
with which the two GCM functions, authenticated encryption and authenticated
decryption, are realized. The cipher needs to have a block size of 128 bits such as AES.
On the sender side, GCM encrypts data using the Counter Mode (CTR) followed by
the computation of a MAC value. For encryption, first an initial counter is derived
from an IV and a serial number. Then the initial counter value is incremented, and
this value is encrypted and XORed with the first plaintext block. For subsequent
plaintexts, the counter is incremented and then encrypted. Note that the underlying
block cipher is only used in encryption mode. GCM allows for precomputation of
the block cipher function if the initialization vector is known ahead of time.
For authentication, GCM performs a chained Galois field multiplication. For every
plaintext $x_i$ an intermediate authentication parameter $g_i$ is derived: $g_i$ is
computed as the XOR sum of the current ciphertext $y_i$ and the previous value
$g_{i-1}$, multiplied by the constant $H$, i.e. $g_i = (g_{i-1} \oplus y_i) \cdot H$.
The value $H$ is a hash subkey which is generated by encrypting the all-zero input
with the block cipher. All multiplications are in the 128-bit Galois field
$GF(2^{128})$ with the irreducible polynomial $P(x) = x^{128} + x^7 + x^2 + x + 1$.
Since only one multiplication is required per block cipher encryption, the GCM mode
adds very little computational overhead to the encryption.
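The authentication chain described above, as an added example that is not from the book: a multiplier for $GF(2^{128})$ modulo $P(x)$ in the bit ordering of the GCM specification, the chained computation $g_i = (g_{i-1} \oplus y_i) \cdot H$ over the AAD, the ciphertext blocks and a final length block, and the tag as that result masked with the encrypted initial counter $E_K(J_0)$. The constants `H_TEST`, `C_TEST` and `EK_J0_TEST` are taken from the GCM specification's test case 2 (AES-128, all-zero key, 96-bit zero IV, one all-zero plaintext block); the AES calls that produce them are not reproduced here.

```python
# Added example: GHASH chain g_i = (g_{i-1} XOR y_i) * H over GF(2^128)
# with P(x) = x^128 + x^7 + x^2 + x + 1. GCM numbers the bits of a block
# from the most significant bit, so the constants below follow that order.
from typing import Iterator

R = 0xE1000000000000000000000000000000  # x^7 + x^2 + x + 1 (reduction term) in GCM bit order
ONE = 1 << 127                           # the multiplicative identity in this bit order


def gf_mult(x: int, y: int) -> int:
    """Multiply two 128-bit field elements modulo P(x) (shift-and-add)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:                 # bit i of y, counted from the MSB
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1    # v <- v * x (mod P)
    return z


def blocks(data: bytes) -> Iterator[int]:
    """Split data into 128-bit blocks, zero-padding the last one."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big")


def ghash(h: int, aad: bytes, ciphertext: bytes) -> int:
    """Chained multiplication over AAD, ciphertext blocks and the length block."""
    g = 0
    for a_i in blocks(aad):
        g = gf_mult(g ^ a_i, h)
    for y_i in blocks(ciphertext):
        g = gf_mult(g ^ y_i, h)                  # g_i = (g_{i-1} XOR y_i) * H
    lengths = ((len(aad) * 8) << 64) | (len(ciphertext) * 8)   # bit lengths, 64 bits each
    return gf_mult(g ^ lengths, h)


def gcm_tag(h: int, aad: bytes, ciphertext: bytes, ek_j0: int) -> int:
    """Authentication tag: GHASH output XORed with the encrypted initial counter E_K(J0)."""
    return ghash(h, aad, ciphertext) ^ ek_j0


# Values from GCM specification test case 2 (AES-128, zero key, zero 96-bit IV,
# one zero plaintext block). H = E_K(0^128); C is the single ciphertext block y_1.
H_TEST = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
C_TEST = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
EK_J0_TEST = 0x58E2FCCEFA7E3061367F1D57A4E7455A      # E_K(J0), J0 = IV || 0^31 || 1

if __name__ == "__main__":
    print(f"GHASH = {ghash(H_TEST, b'', C_TEST):032x}")
    print(f"tag   = {gcm_tag(H_TEST, b'', C_TEST, EK_J0_TEST):032x}")
```

Bob recomputes the same chain over the received AAD and ciphertext and compares the result with the transmitted tag; the comparison must be constant-time in a real implementation.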