an introduction to authenticated encryption - iSEC Partners
Figure 3: GHASH Function (message blocks M1, M2, ..., Mn, each multiplied by H (•H), producing Y1, Y2, ..., Yn)
are then encrypted and XORed with each block of the message. The final result of these operations is returned as the encrypted string C.
Figure 4: GCTR Function (ICB incremented to CTR2, ..., CTRn−1, CTRn; each counter encrypted with E_k and XORed with M1, M2, ..., Mn−1, M_n* to give C1, C2, ..., Cn−1, Cn)
The full GCM operation can be viewed as the superimposing of GCTR and GHASH as described above. The inputs are the initialization vector IV, the key K, the message M (where the last block is represented by M_n*, which may not be a full block length) and any authentication data A. The subkey H is calculated and the initial counter block (ICB) is either the IV if the IV length is 96 bits, or the GHASH of the IV if the IV length is any value other than 96 bits. The counter is incremented and each plaintext block is encrypted with the counter value. Each ciphertext block is then multiplied by H and then XORed with the next block. The exception to this is the encryption of the first counter block, which is XORed with the output of the last GHASH operation to create the authentication tag. The authentication-only data A is mixed in a similar manner. Decryption follows in the usual manner: the encrypted counter values are created and XORed with the ciphertext to produce the original message, and then the GHASH is created.
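The tag construction just described, worked through in pure Python as an added example (not code from the paper or from iSEC): GHASH over the ciphertext and length block, then the XOR with the encrypted first counter block. It assumes the GCM specification's names J0 (the ICB) and E_K(J0), and takes the two AES outputs from the published GCM test case 2 so that no AES implementation is needed.

```python
R = 0xE1 << 120  # GCM reduction constant: 11100001 || 0^120

def gf128_mul(x: int, y: int) -> int:
    """Multiply two 128-bit elements of GF(2^128) in GCM's bit ordering.

    Algorithm 1 of the GCM spec: bit 0 of y is its leftmost bit, "rightshift"
    moves toward the integer LSB, and a bit shifted out is reduced with R.
    """
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def _blocks(data: bytes):
    """Yield 128-bit integer blocks, zero-padding a final partial block."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big")

def ghash(h: int, aad: bytes, ciphertext: bytes) -> int:
    """GHASH_H(A, C): absorb A, then C, then a block of the two bit lengths."""
    x = 0
    for block in _blocks(aad):
        x = gf128_mul(x ^ block, h)
    for block in _blocks(ciphertext):
        x = gf128_mul(x ^ block, h)
    lengths = ((len(aad) * 8) << 64) | (len(ciphertext) * 8)
    return gf128_mul(x ^ lengths, h)

def gcm_tag(h: int, enc_j0: int, aad: bytes, ciphertext: bytes) -> int:
    """Tag = E_K(J0) XOR GHASH_H(A, C): the encrypted first counter block is
    the only counter output not XORed into plaintext; it masks the GHASH."""
    return enc_j0 ^ ghash(h, aad, ciphertext)

# Published GCM test case 2 (AES-128, zero key, 96-bit zero IV, no AAD,
# P = 0^128). The two AES outputs are taken from the test vector rather than
# computed, so no AES implementation is needed here.
H = 0x66E94BD4EF8A2C3B884CFA59CA342B2E       # E_K(0^128)
ENC_J0 = 0x58E2FCCEFA7E3061367F1D57A4E7455A  # E_K(J0) with J0 = IV || 0^31 || 1
C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")  # GCTR output for P

if __name__ == "__main__":
    print(f"GHASH_H(A, C) = {ghash(H, b'', C):032x}")
    print(f"tag           = {gcm_tag(H, ENC_J0, b'', C):032x}")
```

With empty A and C the length block is all zero, so GHASH is 0 and the tag is exactly E_K(J0), which is why the first counter block must never be reused as a keystream block.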
GCM has the same requirements for uniqueness of the IV (i.e., the counter value) as traditional stream ciphers and counter modes. Depending on the length of the IV, either a counter or a pseudo-random number generator based construction can be used to generate it, but the IV must never repeat. As is the case with other counter modes, repeating the counter value for two messages breaks the confidentiality of those messages (i.e., an attacker can learn M1 ⊕ M2); however, Ferguson and Joux have shown GCM suffers a more critical break in that a repeated IV can lead to leakage of the authentication key.[12, 13] In addition, the use of a short authentication tag can increase
HTTPS://WWW.ISECPARTNERS.COM 6/10