construction is similar to UMAC, for which the forgery success probability with this
hash function is no greater than $t/2^{128}$, and the authors use the security reduction
for the latter mode to derive a security reduction for GMAC. In the same reference
a security reduction for GCM encryption is also given.
In order to implement GHASH in Maple, we will define the field $\mathbb{F}_{2^{128}}$ by means
of the package GF; the irreducible polynomial used is the same as the one used
for CMAC, namely $x^{128} + x^7 + x^2 + x + 1$. A technical detail that must be taken
into account is that in NIST's implementation of GCM, the 128-bit (16-byte) blocks
are identified with the elements of $\mathbb{F}_{2^{128}}$ by using the little-endian convention, i.e.,
the block $[a_0, \ldots, a_{127}]$ corresponds to the polynomial $a_0 + a_1 x + \cdots + a_{127} x^{127}$
(while, for example, the analogous correspondence used in CMAC uses the big-endian
convention). We start by initializing the field in Maple and by giving a function
for conversion of 128-bit blocks to elements of the field:
> G := GF(2, 128, x^128+x^7+x^2+x+1);
G := Z[2][x]'/'<x^128+x^7+x^2+x+1>
> blocktopoly := bl -> modp1((':-ConvertIn')(bl, x), 2):
We now give the GHASH function. The inputs are the hash subkey given as a
128-bit list s and a bit list l whose length is a multiple of 128, i.e., equal to 128t.
The output is a 128-bit block given as a list.
> GHASH := proc(s::list, l::list)
    local L, t, Y, p, q, i, u;
    L := [ListTools:-LengthSplit(l, 128)];    # split the bit list into 128-bit blocks
    t := nops(L);                             # number of blocks
    Y := [0$128];                             # Y_0 is the zero block
    p := blocktopoly(s);                      # hash subkey H as a field element
    q := blocktopoly(Y);
    for i to t do
      q := G:-'*'(G:-'+'(q, blocktopoly(L[i])), p)   # Y_i = (Y_{i-1} + X_i) * H
    end do;
    u := modp1((':-ConvertOut')(q), 2);       # back to a coefficient list
    [op(u), 0$(128-nops(u))]                  # pad with zeros up to 128 bits
  end proc:
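The same GHASH in pure Python, as an added example that is not the book's Maple code: reading each 16-byte block as a big-endian integer puts the block's first bit $a_0$ in the integer's top bit, so the little-endian convention just described turns "multiply by x" into a right shift, with reduction constant R = E1 00...00 and the field element 1 equal to the block 80 00...00. The inputs are the hash subkey H, the ciphertext block and the length block from the GCM specification's test case 2 (AES-128, zero key, zero IV); the Python names are my own.

```python
# Added example (not from the book): GHASH with GCM's bit convention, in pure Python.
# A 16-byte block is read as a big-endian integer, so the block's leftmost bit a_0
# is the integer's top bit; x^0 is therefore 0x80 00..00 and "multiply by x" is a
# right shift, reduced with x^128 + x^7 + x^2 + x + 1, whose low terms form R below.

R = 0xE1 << 120        # reduction constant: bits 0, 1, 2, 7 set (leftmost bit = x^0)
ONE = 0x80 << 120      # the field element 1 under this convention
X_POLY = 0x40 << 120   # the field element x


def gf128_mul(x: int, y: int) -> int:
    """Product of two elements of F_{2^128} in GCM's little-endian representation."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:   # bit i of y, leftmost bit first
            z ^= v
        if v & 1:                  # coefficient of x^127 set: shifting overflows
            v = (v >> 1) ^ R
        else:
            v >>= 1
    return z


def ghash(h: bytes, data: bytes) -> bytes:
    """Y_0 = 0, Y_i = (Y_{i-1} xor X_i) * H over the 16-byte blocks of data."""
    if len(h) != 16 or len(data) % 16:
        raise ValueError("subkey must be 16 bytes and data a multiple of 16 bytes")
    hk = int.from_bytes(h, "big")
    y = 0
    for off in range(0, len(data), 16):
        y = gf128_mul(y ^ int.from_bytes(data[off:off + 16], "big"), hk)
    return y.to_bytes(16, "big")


# Inputs from the GCM specification's test case 2 (AES-128, zero key, zero IV):
# H = AES_K(0^128), the single ciphertext block C, and the length block
# [bitlen(A) = 0]_64 || [bitlen(C) = 128]_64 that GCM appends before hashing.
H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
LEN_BLOCK = (0).to_bytes(8, "big") + (128).to_bytes(8, "big")

if __name__ == "__main__":
    print(ghash(H, C + LEN_BLOCK).hex())  # f38cbb1ad69223dcc3457ae5b6b0f885
```

XORing this GHASH value with the encrypted initial counter block gives the published tag for that test case, which is the quickest way to confirm the bit convention was implemented the right way round.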
Another primitive of GCM is the function GCTR, a variation of CTR mode which
is used for encryption. The inputs are an AES expanded key ek, an initial counter
block ICB and a message X, all of them given as lists of bytes. The incrementing
function used for the counter is the previously defined function inc32, as specified
in [70]. The output is the ciphertext given as a list of bytes.
> GCTR := proc(ek::list, ICB::list, X::list)
    local st, n, CB, i;
    if X = [] then return [] end if;            # empty message gives empty ciphertext
    st := [ListTools:-LengthSplit(X, 16)];      # 16-byte blocks; the last may be shorter
    n := nops(st);
    st := Array(1 .. n, st);
    CB := Array(0 .. 3, 0 .. 3, (i, j) -> ICB[i+4*j+1]);   # counter block as AES state
    for i to n do
      st[i] := BitXorAL(AESEncrypt(ek, CB), st[i]);   # XOR keystream block into block i
      inc32(CB)                                       # increment the 32-bit counter
    end do;
    [seq(op(st[i]), i=1..n)]
  end proc: