# Galois/Counter Mode – Wikipedia

Authenticated encryption mode for block ciphers

In cryptography, Galois/Counter Mode (GCM) is a mode of operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with inexpensive hardware resources.[1] The operation is an authenticated encryption algorithm designed to provide both data authenticity (integrity) and confidentiality. GCM is defined for block ciphers with a block size of 128 bits. Galois Message Authentication Code (GMAC) is an authentication-only variant of GCM which can form an incremental message authentication code. Both GCM and GMAC can accept initialization vectors of arbitrary length. Different block cipher modes of operation can have significantly different performance and efficiency characteristics, even when used with the same block cipher. GCM can take full advantage of parallel processing, and an implementation of GCM can make efficient use of an instruction pipeline or a hardware pipeline. By contrast, the cipher block chaining (CBC) mode of operation incurs pipeline stalls that hamper its efficiency and performance.

## Basic operation

As in normal counter mode, blocks are numbered sequentially, and then this block number is combined with an initialization vector (IV) and encrypted with a block cipher E, usually AES. The result of this encryption is then XORed with the plaintext to produce the ciphertext. Like all counter modes, this is essentially a stream cipher, and so it is essential that a different IV is used for each stream that is encrypted under the same key.

The ciphertext blocks are treated as coefficients of a polynomial which is then evaluated at a key-dependent point H, using finite field arithmetic. The result is then encrypted, producing an authentication tag that can be used to verify the integrity of the data. The encrypted message then consists of the IV, the ciphertext, and the authentication tag.

## Mathematical basis

GCM combines the well-known counter mode of encryption with the new Galois mode of authentication. The key feature is the ease of parallel computation of the Galois field multiplication used for authentication. This feature permits higher throughput than encryption algorithms, like CBC, which use chaining modes. The field $\mathrm{GF}(2^{128})$ used is defined by the polynomial

$$
x^{128} + x^{7} + x^{2} + x + 1
$$

The authentication tag is constructed by feeding blocks of data into the GHASH function and encrypting the result. This GHASH function is defined by

$$
\text{GHASH}(H, A, C) = X_{m+n+1}
$$

where $H = E_k(0^{128})$ is the hash key, a string of 128 zero bits encrypted using the block cipher, A is data which is only authenticated (not encrypted), C is the ciphertext, m is the number of 128-bit blocks in A (rounded up), n is the number of 128-bit blocks in C (rounded up), and the variable $X_i$ for $i = 0, \ldots, m+n+1$ is defined below.[2] First, the authenticated data and the ciphertext are separately zero-padded to multiples of 128 bits and combined into a single message $S_i$:

$$
S_i = \begin{cases}
A_i & \text{for } i = 1, \ldots, m-1 \\
A_m^{*} \parallel 0^{128-v} & \text{for } i = m \\
C_{i-m} & \text{for } i = m+1, \ldots, m+n-1 \\
C_n^{*} \parallel 0^{128-u} & \text{for } i = m+n \\
\operatorname{len}(A) \parallel \operatorname{len}(C) & \text{for } i = m+n+1
\end{cases}
$$

where $\operatorname{len}(A)$ and $\operatorname{len}(C)$ are the 64-bit representations of the bit lengths of A and C, respectively, $v = \operatorname{len}(A) \bmod 128$ is the bit length of the final block of A, $u = \operatorname{len}(C) \bmod 128$ is the bit length of the final block of C, and $\parallel$ denotes concatenation of bit strings. Then $X_i$ is defined as:

$$
X_i = \sum_{j=1}^{i} S_j \cdot H^{i-j+1} = \begin{cases}
0 & \text{for } i = 0 \\
\left( X_{i-1} \oplus S_i \right) \cdot H & \text{for } i = 1, \ldots, m+n+1
\end{cases}
$$

The second form is an efficient iterative algorithm (each $X_i$ depends on $X_{i-1}$) produced by applying Horner's method to the first. Only the final $X_{m+n+1}$ remains an output. If it is necessary to parallelize the hash computation, this can be done by interleaving k times:

$$
\begin{aligned}
X_i' &= \begin{cases}
0 & \text{for } i \leq 0 \\
\left( X_{i-k}' \oplus S_i \right) \cdot H^{k} & \text{for } i = 1, \ldots, m+n+1-k
\end{cases} \\[6pt]
X_i &= \sum_{j=1}^{k} \left( X_{i+j-2k}' \oplus S_{i+j-k} \right) \cdot H^{k-j+1}
\end{aligned}
$$
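The definitions above, worked through in code. This is an added example, not code from the article or from any GCM implementation: it multiplies in $\mathrm{GF}(2^{128})$ with GCM's bit ordering, builds the $S_i$ blocks, evaluates GHASH in the Horner form, and re-evaluates it with the k-way interleaved formula (taking $S_i$ and $X_i'$ as 0 for $i \leq 0$, our convention). The check values are copied from the GCM specification's test case 2 (zero key, zero IV); the block cipher itself is not implemented here.

```python
R = 0xE1 << 120  # x^128 + x^7 + x^2 + x + 1 in GCM's bit-reflected block layout

def gf_mult(x: int, y: int) -> int:
    """Multiply two GF(2^128) elements. Ints hold 16-byte blocks big-endian,
    so 'bit 0' in the GCM spec is the most significant bit of the int."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:                 # bit i of y, leftmost first
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1    # v = v * x, reduced mod R
    return z

def s_blocks(aad: bytes, ct: bytes) -> list:
    """S_1..S_{m+n+1}: zero-padded A, zero-padded C, then len(A)||len(C) in bits."""
    pad = lambda d: d + b"\x00" * (-len(d) % 16)
    raw = pad(aad) + pad(ct) + (8 * len(aad)).to_bytes(8, "big") + (8 * len(ct)).to_bytes(8, "big")
    return [int.from_bytes(raw[i:i + 16], "big") for i in range(0, len(raw), 16)]

def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """Horner form from the article: X_i = (X_{i-1} xor S_i) * H; returns X_{m+n+1}."""
    x = 0
    for s in s_blocks(aad, ct):
        x = gf_mult(x ^ s, h)
    return x

def ghash_interleaved(h: int, aad: bytes, ct: bytes, k: int) -> int:
    """Same value via k chains X'_i = (X'_{i-k} xor S_i) * H^k, recombined as in
    the article; S_i and X'_i are taken as 0 for i <= 0 (our convention)."""
    s = s_blocks(aad, ct)
    n = len(s)
    S = lambda i: s[i - 1] if 1 <= i <= n else 0
    hp = [None, h]                               # hp[e] = H^e
    for e in range(2, k + 1):
        hp.append(gf_mult(hp[-1], h))
    xp = {}                                      # X'_i; missing keys read as 0
    for i in range(1, n - k + 1):
        xp[i] = gf_mult(xp.get(i - k, 0) ^ S(i), hp[k])
    x = 0
    for j in range(1, k + 1):
        x ^= gf_mult(xp.get(n + j - 2 * k, 0) ^ S(n + j - k), hp[k - j + 1])
    return x

# Constructed check values, copied from the GCM spec's test case 2 (K = 0, IV = 0^96)
H = 0x66e94bd4ef8a2c3b884cfa59ca342b2e                 # H = E_K(0^128)
C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")   # one ciphertext block
EK_J0 = 0x58e2fccefa7e3061367f1d57a4e7455a             # E_K(Counter_0)

def tag(h: int, ek_j0: int, aad: bytes, ct: bytes) -> bytes:
    """Full tag T = E_K(Counter_0) xor GHASH(H, A, C) (block cipher itself not shown)."""
    return (ek_j0 ^ ghash(h, aad, ct)).to_bytes(16, "big")
```

Because the length block is $0^{64} \parallel \operatorname{len}_{64}(C)$ when A is empty, `ghash(h, b"", iv)` is also exactly the GHASH used below to derive Counter 0 for an IV whose length is not 96 bits.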

If the length of the IV is not 96 bits, the GHASH function is used to calculate Counter 0:

$$
\text{Counter}_0 = \begin{cases}
IV \parallel 0^{31} \parallel 1 & \text{for } \operatorname{len}(IV) = 96 \\
\text{GHASH}\left( IV \parallel 0^{s} \parallel 0^{64} \parallel \operatorname{len}_{64}(IV) \right) \text{ with } s = \left(128 - (\operatorname{len}(IV) \bmod 128)\right) \bmod 128 & \text{otherwise}
\end{cases}
$$

GCM was designed by John Viega and David A. McGrew to be an improvement to Carter–Wegman counter mode (CWC mode).[citation needed] In November 2007, NIST announced the release of NIST Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, making GCM and GMAC official standards.[3]

## Use

GCM mode is used in the IEEE 802.1AE (MACsec) Ethernet security standard, IEEE 802.11ad (also dubbed WiGig), the ANSI (INCITS) Fibre Channel Security Protocols (FC-SP), IEEE P1619.1 tape storage, the IETF IPsec standards,[4][5] SSH,[6] TLS 1.2[7][8] and TLS 1.3.[9] AES-GCM is included in the NSA Suite B Cryptography and its latest successor, the 2018 Commercial National Security Algorithm (CNSA) suite.[10] GCM mode is used in the SoftEther VPN server and client,[11] as well as in OpenVPN since version 2.4.

## Performance

GCM requires one block cipher operation and one 128-bit multiplication in the Galois field per block (128 bits) of encrypted and authenticated data. The block cipher operations are easily pipelined or parallelized; the multiplication operations are easily pipelined and can be parallelized with some modest effort (either by parallelizing the actual operation, by adapting Horner's method per the original NIST submission, or both). Intel has added the PCLMULQDQ instruction, highlighting its use for GCM.[12] In 2011, SPARC added the XMULX and XMULXHI instructions, which also perform 64 × 64 bit carry-less multiplication. In 2015, SPARC added the XMPMUL instruction, which performs XOR multiplication of much larger values, up to 2048 × 2048 bit input values producing a 4096-bit result. These instructions enable fast multiplication over GF(2^n), and can be used with any field representation. Impressive performance results are published for GCM on a number of platforms. Käsper and Schwabe described a "Faster and Timing-Attack Resistant AES-GCM"[13] that achieves 10.68 cycles per byte for AES-GCM authenticated encryption on 64-bit Intel processors. Dai et al. report 3.5 cycles per byte for the same algorithm when using Intel's AES-NI and PCLMULQDQ instructions. Shay Gueron and Vlad Krasnov achieved 2.47 cycles per byte on 3rd generation Intel processors. Appropriate patches were prepared for the OpenSSL and NSS libraries.[14] When both authentication and encryption need to be performed on a message, a software implementation can achieve speed gains by overlapping the execution of those operations. Performance is increased by exploiting instruction-level parallelism through interleaving of operations. This process is called function stitching,[15] and while in principle it can be applied to any combination of cryptographic algorithms, GCM is especially suitable.
Manley and Gregg[16] show the ease of optimizing when using function stitching with GCM. They present a program generator that takes an annotated C version of a cryptographic algorithm and generates code that runs well on the target processor. GCM has been criticized, for example by Silicon Labs in the embedded world, because the parallel processing is not suited to performant use of cryptographic hardware engines and therefore reduces the performance of encryption for some of the most performance-sensitive devices.[17]

## Patents

According to the authors' statement, GCM is unencumbered by patents.[18]

## Security

GCM is proven secure in the concrete security model.[19] It is secure when it is used with a block cipher that is indistinguishable from a random permutation; however, security depends on choosing a unique initialization vector for every encryption performed with the same key (see stream cipher attack). For any given key and initialization vector combination, GCM is limited to encrypting $2^{39} - 256$ bits of plaintext (64 GiB). NIST Special Publication 800-38D[3] includes guidelines for initialization vector selection. The authentication strength depends on the length of the authentication tag, as with all symmetric message authentication codes. The use of shorter authentication tags with GCM is discouraged. The bit length of the tag, denoted t, is a security parameter. In general, t may be any one of the following five values: 128, 120, 112, 104, or 96. For certain applications, t may be 64 or 32, but the use of these two tag lengths constrains the length of the input data and the lifetime of the key. Appendix C in NIST SP 800-38D provides guidance for these constraints (for example, if t = 32 and the maximal packet size is $2^{10}$ bytes, the authenticated decryption function should be invoked no more than $2^{11}$ times; if t = 64 and the maximal packet size is $2^{15}$ bytes, the authenticated decryption function should be invoked no more than $2^{32}$ times). As with any message authentication code, if the adversary chooses a t-bit tag at random, it is expected to be correct for given data with probability $2^{-t}$. With GCM, however, an adversary can increase the $2^{-t}$ likelihood of success by a factor of n by choosing tags with n words, where n is the total length of the ciphertext plus any additional authenticated data (AAD). One must bear in mind, though, that these optimal tags are still dominated by the algorithm's survival measure $1 - n \cdot 2^{-t}$ for arbitrarily large t.
Moreover, GCM is neither well suited for use with very short tag lengths nor with very long messages. Ferguson and Saarinen independently described how an attacker can perform optimal attacks against GCM authentication, which meet the lower bound on its security. Ferguson showed that, if n denotes the total number of blocks in the encoding (the input to the GHASH function), then there is a method of constructing a targeted ciphertext forgery that is expected to succeed with a probability of approximately $n \cdot 2^{-t}$. If the tag length t is shorter than 128, then each successful forgery in this attack increases the probability that subsequent targeted forgeries will succeed, and leaks information about the hash subkey, H. Eventually, H may be compromised entirely and the authentication assurance is completely lost.[20] Independent of this attack, an adversary may attempt to systematically guess many different tags for a given input to authenticated decryption and thereby increase the probability that one (or more) of them will eventually be considered valid. For this reason, the system or protocol that implements GCM should monitor and, if necessary, limit the number of unsuccessful verification attempts for each key.

Saarinen described GCM weak keys.[21] This work gives some valuable insights into how polynomial hash-based authentication works. More precisely, this work describes a specific way of forging a GCM message, given a valid GCM message, that works with probability of about $n \cdot 2^{-128}$ for messages that are n × 128 bits long. However, this work does not show a more effective attack than was previously known; the success probability in observation 1 of this paper matches that of lemma 2 from the INDOCRYPT 2004 analysis (setting w = 128 and l = n × 128). Saarinen also described a GCM variant, Sophie Germain Counter Mode (SGCM), based on Sophie Germain primes.