Galois/Counter Mode

From Wikipedia, the free encyclopedia

GCM mode (Galois/Counter Mode) is a mode of operation for symmetric key cryptographic block ciphers. It is an authenticated encryption algorithm designed to provide both authentication and privacy. GCM mode is defined for block ciphers with a block size of 128 bits. GMAC is an authentication-only variant of the GCM.


Encryption and authentication

Figure: GCM decryption operation

As the name suggests, GCM mode combines the well-known counter mode of encryption with the newer Galois mode of authentication. The key feature is that the Galois field multiplication used for authentication can easily be computed in parallel, permitting higher throughput than authentication algorithms that use chaining modes, such as CBC. The field GF(2^128) used is defined by the polynomial x^128 + x^7 + x^2 + x + 1.

The GHASH function is defined by GHASH(H, A, C) = X_{m+n+1}, where the inputs A (m blocks, the last of which, A*_m, has v bits) and C (n blocks, the last of which, C*_n, has u bits) and the variables X_i for i = 0, ..., m+n+1 are defined as[1]

X_i =
\begin{cases}
 0 & \mbox{for}~i=0 \\
 (X_{i-1} \oplus A_i) \cdot H & \mbox{for}~i=1,\ldots, m-1 \\
 (X_{m-1} \oplus (A^*_m \lVert 0^{128-v})) \cdot H & \mbox{for}~i=m \\
 (X_{i-1} \oplus C_{i-m}) \cdot H & \mbox{for}~i=m+1,\ldots, m+n-1 \\
 (X_{m+n-1} \oplus (C^*_n \lVert 0^{128-u})) \cdot H & \mbox{for}~i=m+n \\
 (X_{m+n} \oplus (\mathrm{len}(A) \lVert \mathrm{len}(C))) \cdot H & \mbox{for}~i=m+n+1
\end{cases}
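The GHASH definition above, implemented in Python as an added example (not code from the article or from the GCM specification). It uses the bit-serial GF(2^128) multiplication from the McGrew–Viega specification, with the reduction constant R corresponding to the polynomial x^128 + x^7 + x^2 + x + 1, and checks the result against that specification's test case 2 values (an assumption stated in the comments).

```python
"""GHASH over GF(2^128) as defined on this page (added example)."""

# Reduction constant R = 11100001 || 0^120: the field polynomial
# x^128 + x^7 + x^2 + x + 1 in GCM's bit-reflected block representation.
R = 0xE1 << 120


def gf_mult(x: int, y: int) -> int:
    """Multiply two 128-bit field elements (bit-serial, leftmost bit first)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:       # bit i of y, bit 0 being the leftmost
            z ^= v
        # v = v * x mod the field polynomial; the "low" bit is the rightmost one
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _blocks(data: bytes):
    """Yield 128-bit blocks as integers; a final partial block is right-padded
    with zeros (the A*_m || 0^(128-v) and C*_n || 0^(128-u) terms)."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\x00"), "big")


def ghash(h: int, a: bytes, c: bytes) -> int:
    """GHASH(H, A, C): absorb A, then C, then the block len(A) || len(C)."""
    x = 0                                   # X_0
    for block in _blocks(a):                # X_1 .. X_m
        x = gf_mult(x ^ block, h)
    for block in _blocks(c):                # X_{m+1} .. X_{m+n}
        x = gf_mult(x ^ block, h)
    lengths = ((len(a) * 8) << 64) | (len(c) * 8)   # two 64-bit bit counts
    return gf_mult(x ^ lengths, h)          # X_{m+n+1}


if __name__ == "__main__":
    # Assumed from the GCM specification's test case 2 (AES-128, all-zero key,
    # 96-bit zero IV, one zero plaintext block): H = E_K(0^128), C = ciphertext.
    H = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
    C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
    print(f"{ghash(H, b'', C):032x}")       # f38cbb1ad69223dcc3457ae5b6b0f885
```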

GCM mode was designed by John Viega and David A. McGrew as an improvement to Carter-Wegman Counter (CWC) mode.

GCM mode is used in the IEEE 802.1AE (MACsec) Ethernet security standard, the ANSI (INCITS) Fibre Channel Security Protocols (FC-SP), IEEE P1619.1 tape storage, and the IETF IPsec standards.

On November 26, 2007, NIST announced the release of NIST Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, making GCM and GMAC official standards.

Performance

GCM requires one block cipher operation and one 128-bit multiplication in the Galois field per 128-bit block of data that is encrypted and authenticated.

Patents

According to the authors' statement, GCM is unencumbered by patents.

Notes

  1. McGrew, David A.; Viega, John (2005). "The Galois/Counter Mode of Operation (GCM)", p. 5.

References

  • NIST Special Publication 800-38D (November 2007). Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) for Confidentiality and Authentication.
  • McGrew, David A.; Viega, John (2005). "The Galois/Counter Mode of Operation (GCM)", p. 5.