5.5.1.2 GCM Authenticated Encryption and Decryption Functions
The preceding functions give us the primitives we need to build the authenticated encryption and authenticated decryption functions of GCM. As usual, we will first define these functions for lists of bytes and then we will build on top of them the higher-level functions that deal with files and strings. We need a function to convert an integer to its binary form. This is accomplished by the function integer2bits below, which is entirely similar to bytetobits except that it is not table-based and hence is slower (this does not matter much, as the function is only applied twice in each authenticated encryption). The input parameters are n for the integer to be converted and numbits, which specifies the minimum number of bits, so that if the integer has fewer bits than this number its binary expansion is completed with leading zeros to make a list of length numbits (the function is used in the functions GCMAE and GCMAD below to convert the bit lengths of A and C to their 64-bit binary form). The output of integer2bits is the list of bits in the binary representation of the integer, given in big-endian order. In Maple version 12 and above, the built-in function Bits:-Split may be used instead, but note that this function outputs the bits in little-endian order.
> integer2bits := proc(n, numbits)
local l;
l := ListTools:-Reverse(convert(n, base, 2));
[0$(numbits-nops(l)), op(l)]
end proc:
We next give the authenticated encryption function for lists of bytes, GCMAE, which requires four input lists: an AES key k, an IV (which is essentially a nonce), the plaintext P and the additional authenticated data (AAD, herein called A). Moreover, another input will be the byte length t of the tag to be produced by the function. The expanded key is required several times here and this is why the key expansion is invoked in this function and not in the lower-level one GCTR. There is an initial counter which depends on the IV. In [70] it is recommended that implementations restrict support to the length of 96 bits (12 bytes) for IVs, in order to promote interoperability, efficiency and simplicity of design. Following this recommendation we will adopt 12 as the byte length of the IV and, because of this, the initial counter is just $J = IV \,\|\, 0^{31} \,\|\, 1$. This initial counter is used twice, the first time increased by 1 (so that, in this case, it is $IV \,\|\, 0^{30} \,\|\, 1 \,\|\, 0$ in bit string format, which is the byte list [op(IV), 0$3, 2] passed to GCTR in the code below) to encrypt the plaintext P by means of GCTR, and the other to compute the tag using again GCTR and the output of the GHASH function previously computed. The output of GCMAE is a list consisting of two lists of bytes, the first corresponding to the ciphertext and the second to the tag.
> GCMAE := proc(k::list, IV::list, P::list, A::list, t::posint)
local ek, H, C, c, a, u, v, S, T;
uses ListTools;
ek := KeyExpansion(k);
H := AESEncrypt(ek, Array(0 .. 3, 0 .. 3));
C := GCTR(ek, [op(IV), 0$3, 2], P);
c := 8*nops(C);
a := 8*nops(A);
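The composition described above, carried through end to end as an added Python example (this is not the book's Maple code and not part of the original page): a compact pure-Python AES-128 stands in for AESEncrypt, GCTR runs from the counter block IV || 0^30 || 1 || 0 (that is, inc32(J)), GHASH covers A, C and the two 64-bit bit lengths (the `to_bytes(8, 'big')` calls play the role of integer2bits with numbits = 64), and the tag is E_K(J) xor GHASH truncated to t bytes. A matching authenticated decryption function verifies the tag before releasing any plaintext. The names gcm_ae, gcm_ad, _setup and _tag are this example's own; the key, IV, plaintext and AAD used in the self-checks are the published GCM specification test cases (the all-zero key cases and the case with AAD), embedded inline so the block runs offline.

```python
"""GCM AE/AD built from the primitives in the text: E_K (a compact pure-Python
AES-128), GCTR from inc32(J0) and GHASH over AAD || C || lengths.
Constructed example, not the book's Maple code; vectors from the GCM spec."""
import hmac

_xtime = lambda b: ((b << 1) ^ 0x11B) if b & 0x80 else b << 1   # times x in GF(2^8)


def _make_sbox():                   # AES S-box: field inverse then affine map
    sbox, p, q = [0] * 256, 1, 1
    while True:                     # invariant: p * q == 1 in GF(2^8)
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF         # q /= 3
        if q & 0x80: q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)       # q ^ rotl(q, 1..4)
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1: break
    sbox[0] = 0x63
    return sbox


SBOX = _make_sbox()


def _expand_key(key):               # AES-128 key schedule -> 11 round keys
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]    # RotWord + SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]


def _mix_column(c):
    a0, a1, a2, a3 = c
    x0, x1, x2, x3 = (_xtime(v) for v in c)
    return [x0 ^ x1 ^ a1 ^ a2 ^ a3, a0 ^ x1 ^ x2 ^ a2 ^ a3,
            a0 ^ a1 ^ x2 ^ x3 ^ a3, x0 ^ a0 ^ a1 ^ a2 ^ x3]


def aes_encrypt_block(round_keys, block):   # state is column-major, as in the spec
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                              # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]   # ShiftRows
        if rnd < 10:                                          # MixColumns
            s = sum((_mix_column(s[c:c + 4]) for c in range(0, 16, 4)), [])
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]       # AddRoundKey
    return bytes(s)


def gf_mult(x, y):                  # GF(2^128) product, GCM bit order (SP 800-38D)
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1: z ^= v
        v = (v >> 1) ^ (0xE1 << 120) if v & 1 else v >> 1
    return z


def ghash(h, data):                 # data is a whole number of 16-byte blocks
    y = 0
    for i in range(0, len(data), 16):
        y = gf_mult(y ^ int.from_bytes(data[i:i + 16], 'big'), h)
    return y


def _inc32(block):                  # increment the low 32 bits mod 2^32
    ctr = (int.from_bytes(block[12:], 'big') + 1) & 0xFFFFFFFF
    return block[:12] + ctr.to_bytes(4, 'big')


def gctr(round_keys, icb, data):    # CTR keystream XOR; a partial last block is fine
    out, cb = bytearray(), icb
    for i in range(0, len(data), 16):
        out += bytes(a ^ b for a, b in zip(data[i:i + 16], aes_encrypt_block(round_keys, cb)))
        cb = _inc32(cb)
    return bytes(out)


def _setup(key, iv):                # AES-128 key and 96-bit IV only, as in the text
    if len(key) != 16 or len(iv) != 12:
        raise ValueError("need a 16-byte key and a 12-byte IV")
    rk = _expand_key(key)
    h = int.from_bytes(aes_encrypt_block(rk, bytes(16)), 'big')   # H = E_K(0^128)
    return rk, h, iv + b'\x00\x00\x00\x01'                        # J0 = IV || 0^31 || 1


def _tag(rk, h, j0, aad, c, t):     # T = MSB_t(E_K(J0) xor GHASH_H(A || C || lens))
    pad = lambda b: b + bytes(-len(b) % 16)
    lens = (8 * len(aad)).to_bytes(8, 'big') + (8 * len(c)).to_bytes(8, 'big')
    return gctr(rk, j0, ghash(h, pad(aad) + pad(c) + lens).to_bytes(16, 'big'))[:t]


def gcm_ae(key, iv, plaintext, aad=b'', t=16):   # returns (ciphertext, tag of t bytes)
    rk, h, j0 = _setup(key, iv)
    c = gctr(rk, _inc32(j0), plaintext)          # encryption starts at inc32(J0)
    return c, _tag(rk, h, j0, aad, c, t)


def gcm_ad(key, iv, ciphertext, aad, tag):       # plaintext, or None on a bad tag (fail closed)
    rk, h, j0 = _setup(key, iv)
    # reject short tags up front: the message must not get to choose its own tag length
    if len(tag) < 12 or not hmac.compare_digest(_tag(rk, h, j0, aad, ciphertext, len(tag)), tag):
        return None
    return gctr(rk, _inc32(j0), ciphertext)
```

Two points the Maple version leaves to the caller are built in here: the tag comparison in gcm_ad is constant-time and nothing is returned on failure, and tags shorter than 12 bytes are refused so that a forger cannot shrink the work needed by truncating the tag. What no implementation can enforce is the IV discipline: the 96-bit IV must never repeat under the same key, because a repeat reuses the whole GCTR keystream (the XOR of the two plaintexts leaks) and exposes the GHASH subkey H through the two tags, after which arbitrary forgeries are possible.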