Hi,
Nikos Mavrogiannopoulos has been looking into support for Galois Counter Mode (GCM), see http://www.cryptobarn.com/papers/gcm-spec.pdf
My understanding of GCM is that the main point is a new MAC function which allows efficient hardware implementation. As far as I see, there's no clear advantage of using GCM instead of plain CTR mode combined with the same MAC function (applied to the plaintext).
For Nettle, I think the first step ought to be to properly support the MAC function, GMAC. The most fundamental difference to other MAC functions is that it takes two input strings (besides the key). When used as a plain MAC, the second input is empty, while when used with GCM, the first input is auxiliary data to be authenticated, and the second input is the cryptotext.
Some questions:
* Naming: Is "gmac" a good enough name? Or "ghash" (the name of the primitive which takes a key and two inputs, in the paper)? Or do we need something more verbose, like galois_mac or gmac128 or so?
* Specification: It's not entirely clear to me how the spec is to be interpreted when one of the input strings is empty. The most reasonable interpretation would be that there should be zero blocks to process (n or m equal to zero). This requires some bending of the notation in equation (2), for example, with m = 0, n = 1, we should have
X_0 = 0
X_1 = C_1^* · H
X_2 = (X_1 + (0 || len(C))) · H
and with m = 1, n = 0,
X_0 = 0
X_1 = A_1^* · H
X_2 = (X_1 + (len(A) || 0)) · H
Do you agree?
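As an added example (not Nettle code and not part of this message), here is a plain bit-serial GHASH in C that follows Algorithm 1 of the GCM spec and the interpretation proposed above: an empty input contributes zero blocks, each input is padded separately to a block boundary, and the final block is len(A) || len(C) in bits. The self-check uses test case 2 from the spec (A empty, one block of C, i.e. m = 0, n = 1), with H and C taken as constants so no AES is needed; the function names are this example's own.

```c
#include <stdint.h>
#include <string.h>

/* X <- X * Y in GF(2^128), Algorithm 1 of the GCM spec. The leftmost bit of a block is
 * the coefficient of x^0, so a right shift multiplies by x, and the reduction polynomial
 * x^128 + x^7 + x^2 + x + 1 appears as R = 0xe1 || 0^120. */
static void gf128_mul(uint8_t *x, const uint8_t *y) {
    uint8_t z[16] = {0}, v[16];
    memcpy(v, y, 16);
    for (int i = 0; i < 128; i++) {
        if (x[i / 8] & (0x80 >> (i % 8)))
            for (int j = 0; j < 16; j++) z[j] ^= v[j];
        int carry = v[15] & 1;
        for (int j = 15; j > 0; j--) v[j] = (uint8_t)((v[j] >> 1) | ((v[j - 1] & 1) << 7));
        v[0] >>= 1;
        if (carry) v[0] ^= 0xe1;
    }
    memcpy(x, z, 16);
}

/* Absorb one input string: X <- (X xor block) * H per block, the last partial block
 * zero-padded. An empty string contributes no blocks at all (n or m equal to zero). */
static void ghash_absorb(uint8_t *x, const uint8_t *h, const uint8_t *p, size_t len) {
    while (len > 0) {
        uint8_t block[16] = {0};
        size_t n = len < 16 ? len : 16;
        memcpy(block, p, n);
        for (int j = 0; j < 16; j++) x[j] ^= block[j];
        gf128_mul(x, h);
        p += n; len -= n;
    }
}

/* GHASH(H, A, C): A and C padded separately, then the (len(A) || len(C)) block, lengths in bits. */
void ghash(const uint8_t *h, const uint8_t *a, size_t alen, const uint8_t *c, size_t clen, uint8_t *out) {
    uint8_t x[16] = {0}, lens[16];
    uint64_t abits = (uint64_t)alen * 8, cbits = (uint64_t)clen * 8;
    ghash_absorb(x, h, a, alen);
    ghash_absorb(x, h, c, clen);
    for (int j = 0; j < 8; j++) { lens[j] = abits >> (56 - 8 * j); lens[8 + j] = cbits >> (56 - 8 * j); }
    for (int j = 0; j < 16; j++) x[j] ^= lens[j];
    gf128_mul(x, h);
    memcpy(out, x, 16);
}

/* Spec test case 2 (A empty, one block of C, i.e. m = 0, n = 1): returns 1 on a match. */
int ghash_matches_spec_tc2(void) {
    static const uint8_t h[16] = {0x66,0xe9,0x4b,0xd4,0xef,0x8a,0x2c,0x3b,0x88,0x4c,0xfa,0x59,0xca,0x34,0x2b,0x2e},
        c[16] = {0x03,0x88,0xda,0xce,0x60,0xb6,0xa3,0x92,0xf3,0x28,0xc2,0xb9,0x71,0xb2,0xfe,0x78},
        want[16] = {0xf3,0x8c,0xbb,0x1a,0xd6,0x92,0x23,0xdc,0xc3,0x45,0x7a,0xe5,0xb6,0xb0,0xf8,0x85};
    uint8_t out[16];
    ghash(h, NULL, 0, c, 16, out);
    return memcmp(out, want, 16) == 0;
}
```

With both inputs empty the only block processed is the all-zero length block, so the result is zero, which is the degenerate case a Nettle implementation has to accept without special-casing.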
* Interface: I think the basic use case with empty second input should be just like other MACs,
struct gmac_ctx;
/* Key size fixed to GMAC_KEY_SIZE == 16 */
void gmac_set_key(struct gmac_ctx *ctx, const uint8_t *key);
void gmac_update(struct gmac_ctx *ctx, unsigned length, const uint8_t *data);
void gmac_digest(struct gmac_ctx *ctx, unsigned length, uint8_t *digest);
The context struct and the set_key function are essential to be able to do any optimizations using key-dependent tables.
But then we need a function to mark the end of the first input and the start of the second. Name for that one?
void gmac_next(struct gmac_ctx *ctx);
This will pad the current input to a block boundary, and switch to using a different length counter.
Regards, /Niels