GCM mode and GMAC
nisse at lysator.liu.se
Wed Feb 2 22:15:50 CET 2011
Nikos Mavrogiannopoulos has been looking into support for Galois
Counter Mode (GCM), see http://www.cryptobarn.com/papers/gcm-spec.pdf
My understanding of GCM is that the main point is a new MAC function
which allows efficient hardware implementation. As far as I see, there's
no clear advantage of using GCM instead of plain CTR mode combined with
the same MAC function (applied to the plaintext).
For Nettle, I think the first step ought to be to properly support the
MAC function, GMAC. The most fundamental difference to other MAC
functions is that it takes two input strings (besides the key). When
used as a plain MAC, the second input is empty, while when used with
GCM, the first input is auxiliary data to be authenticated, and the
second input is the cryptotext.
* Naming: Is "gmac" a good enough name? Or "ghash" (the name of the
primitive which takes a key and two inputs, in the paper)? Or do we
need something more verbose, like galois_mac or gmac128 or so?
* Specification: It's not entirely clear to me how the spec is to be
interpreted when one of the input strings is empty. The most
reasonable interpretation would be that there should be zero blocks
to process (n or m equal to zero). This requires some bending of the
notation in equation (2), for example, with m = 0, n = 1, we should have
X_0 = 0
X_1 = C_1^* · H
X_2 = (X_1 + (0 || len(C))) · H
and with m = 1, n = 0,
X_0 = 0
X_1 = A_1^* · H
X_2 = (X_1 + (len(A) || 0)) · H
Do you agree?
* Interface: I think the basic use case with empty second input should
be just like other MACs,
/* Key size fixed to GMAC_KEY_SIZE == 16 */
gmac_set_key(struct gmac_ctx *ctx, const uint8_t *key);
gmac_update(struct gmac_ctx *ctx,
unsigned length, const uint8_t *data);
gmac_digest(struct gmac_ctx *ctx,
unsigned length, uint8_t *digest);
The context struct and the set_key function are essential to be able
to do any optimizations using key-dependent tables.
But then we need a function to mark the end of the first input and
the start of the second. Name for that one?
gmac_next(struct gmac_ctx *ctx);
This will pad the current input to a block boundary, and switch to
using a different length counter.
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
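The two-input interface sketched in the mail (set_key / update / next / digest), modelled as an added Python example; this is not Nettle code and not the author's. It assumes that H = E_K(0^128) is handed to set_key already computed (the Python standard library has no AES), so digest() returns the raw GHASH value rather than a GCM tag, which would additionally be XORed with E_K(J_0). The names GmacCtx, ghash_oneshot, gmac_two_inputs and gmac_plain are the example's own. It implements the "zero blocks for an empty input" reading of the spec discussed above and checks it against Test Case 2 of the GCM spec (A empty, C one block, i.e. m = 0, n = 1), whose listed GHASH value is f38cbb1ad69223dcc3457ae5b6b0f885.

```python
# Added example (not Nettle code): two-input GHASH with a streaming
# set_key / update / next / digest interface, GF(2^128) arithmetic as in
# section 2.5 of the GCM spec. H is assumed to be supplied precomputed.

BLOCK_SIZE = 16
# x^128 + x^7 + x^2 + x + 1 in the spec's bit-reflected convention
R = 0xE1 << 120


def mul_by_x(v):
    """Multiply a field element by x: right shift plus conditional reduction."""
    return (v >> 1) ^ R if v & 1 else v >> 1


def gf_mul(x, y):
    """Bit-serial product in GF(2^128), Algorithm 1 of the GCM spec."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:   # the spec's bit 0 is the most significant bit
            z ^= v
        v = mul_by_x(v)
    return z


def ghash_oneshot(h, a, c):
    """Reference GHASH(H, A, C) written directly from equation (2):
    m blocks of A, n blocks of C (last block of each zero-padded, an empty
    input contributes zero blocks), then the length block len(A)||len(C)."""
    hv = int.from_bytes(h, "big")
    x = 0
    for s in (a, c):
        for i in range(0, len(s), BLOCK_SIZE):
            blk = s[i:i + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")
            x = gf_mul(x ^ int.from_bytes(blk, "big"), hv)
    x = gf_mul(x ^ (((8 * len(a)) << 64) | (8 * len(c))), hv)
    return x.to_bytes(BLOCK_SIZE, "big")


class GmacCtx:
    """Streaming two-input GHASH. Without a call to next() all data is the
    first input (plain-MAC use); next() pads the first input to a block
    boundary and switches to the second length counter."""

    def __init__(self, key_h):
        self.set_key(key_h)

    def set_key(self, key_h):
        # Key-dependent table: table[i] = H * x^i, so multiplying by H is an
        # XOR of the entries selected by the set bits of the operand.
        v = int.from_bytes(key_h, "big")
        self.table = []
        for _ in range(128):
            self.table.append(v)
            v = mul_by_x(v)
        self.x = 0
        self.buf = b""
        self.bits = [0, 0]   # bit lengths of first and second input
        self.cur = 0         # which length counter update() adds to

    def _mul_h(self, x):
        z = 0
        for i in range(128):
            if (x >> (127 - i)) & 1:
                z ^= self.table[i]
        return z

    def _absorb(self, block):
        self.x = self._mul_h(self.x ^ int.from_bytes(block, "big"))

    def _flush(self):
        # Zero-pad a partial final block of the current input.
        if self.buf:
            self._absorb(self.buf.ljust(BLOCK_SIZE, b"\x00"))
            self.buf = b""

    def update(self, data):
        self.bits[self.cur] += 8 * len(data)
        self.buf += data
        while len(self.buf) >= BLOCK_SIZE:
            self._absorb(self.buf[:BLOCK_SIZE])
            self.buf = self.buf[BLOCK_SIZE:]

    def next(self):
        if self.cur != 0:
            raise ValueError("next() may be called only once per message")
        self._flush()
        self.cur = 1

    def digest(self):
        self._flush()
        length_block = (self.bits[0] << 64) | self.bits[1]
        return self._mul_h(self.x ^ length_block).to_bytes(BLOCK_SIZE, "big")


# Constructed inputs: H and C of Test Case 2 in the GCM spec (K = 0,
# P = 0^128, IV = 0^96, A empty). The spec lists GHASH(H, {}, C) as
# f38cbb1ad69223dcc3457ae5b6b0f885; this is exactly the m = 0, n = 1 case.
H_TC2 = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
C_TC2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")


def gmac_two_inputs(h, a, c, chunk=5):
    """Streaming GHASH(H, A, C), feeding both inputs in odd-sized chunks."""
    ctx = GmacCtx(h)
    for i in range(0, len(a), chunk):
        ctx.update(a[i:i + chunk])
    ctx.next()
    for i in range(0, len(c), chunk):
        ctx.update(c[i:i + chunk])
    return ctx.digest()


def gmac_plain(h, data, chunk=7):
    """Plain-MAC use: only the first input, no next() call (m blocks, n = 0)."""
    ctx = GmacCtx(h)
    for i in range(0, len(data), chunk):
        ctx.update(data[i:i + chunk])
    return ctx.digest()


if __name__ == "__main__":
    print(gmac_two_inputs(H_TC2, b"", C_TC2).hex())
    print(gmac_plain(H_TC2, b"some aad") == ghash_oneshot(H_TC2, b"some aad", b""))
```

set_key is where the key-dependent table lives; the bit-serial gf_mul is kept only as the reference the streaming context is compared against. The m = 1, n = 0 case is the plain-MAC path with no next() call: one zero-padded block of A followed by the length block len(A) || 0, and because the length block differs, a one-byte A and the same byte as C give different results even though the padded data block is identical.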