Galois/Counter Mode - Encryption and Authentication

Encryption and Authentication

As the name suggests, GCM mode combines the well-known counter mode of encryption with the newer Galois mode of authentication. The key feature is that the Galois field multiplication used for authentication can be computed in parallel, permitting higher throughput than authentication algorithms that use chaining modes, like CBC-MAC. The GF(2^128) field used is defined by the polynomial

The GHASH function is defined by

where H is a string of 128 zeros encrypted using the block cipher, A is data which is only authenticated (not encrypted), C is the ciphertext, m is the number of 128-bit blocks in A, n is the number of 128-bit blocks in C (the final blocks of A and C need not be exactly 128 bits), and the variable X_i for i = 0, ..., m + n + 1 is defined as

X_i = \begin{cases} 0 & \text{for }i=0 \\ (X_{i-1} \oplus A_i) \cdot H & \text{for }i=1,\ldots, m-1 \\ (X_{m-1} \oplus (A^*_m\lVert0^{128-v})) \cdot H & \text{for }i=m \\ (X_{i-1} \oplus C_{i-m}) \cdot H & \text{for }i=m+1,\ldots, m+n-1 \\ (X_{m+n-1} \oplus (C^*_n\lVert0^{128-u})) \cdot H & \text{for }i=m+n \\ (X_{m+n} \oplus (\operatorname{len}(A)\lVert \operatorname{len}(C))) \cdot H & \text{for }i=m+n+1 \\ \end{cases}

where v is the bit length of the final block of A, u is the bit length of the final block of C, and ‖ denotes concatenation of bit strings.
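The recurrence above, carried out in code. This is an added example, not from the original page or from the GCM specification's own code. It assumes the NIST SP 800-38D bit convention (blocks read big-endian, leftmost bit of a block is the coefficient of x^0), and it uses the reduction polynomial x^128 + x^7 + x^2 + x + 1, which is the GCM field polynomial. Besides the chained X_i form, it also computes the same value as an independent sum of B_i · H^(N+1-i), which is the expansion that lets implementations spread the multiplications across lanes; the expected output is the GHASH intermediate value from GCM test case 2 of the specification (zero key, zero IV, one zero plaintext block), where H = 66e94bd4ef8a2c3b884cfa59ca342b2e and C = 0388dace60b6a392f328c2b971b2fe78.

```python
"""GHASH reference implementation (added example, not the page's own code).

Bit convention assumed: NIST SP 800-38D. A block is a 128-bit integer read
big-endian; its leftmost bit is the coefficient of x^0 and its rightmost bit
the coefficient of x^127. The field polynomial x^128 + x^7 + x^2 + x + 1 is
held in that ordering as R = 11100001 || 0^120.
"""
from typing import List

R = 0xE1 << 120
BLOCK_BITS = 128


def gf_mult(x: int, y: int) -> int:
    """Multiply two GF(2^128) elements held as ints in GCM bit order.

    Bit-serial algorithm: walk the bits of x from x^0 (leftmost) to x^127.
    v starts as y and is multiplied by x at each step, which in this
    reflected ordering is a right shift, reduced by R whenever the
    x^127 coefficient falls off the end.
    """
    z = 0
    v = y
    for i in range(BLOCK_BITS):
        if (x >> (BLOCK_BITS - 1 - i)) & 1:
            z ^= v
        if v & 1:
            v = (v >> 1) ^ R
        else:
            v >>= 1
    return z


def _blocks(data: bytes) -> List[int]:
    """Split into 128-bit blocks; a short final block is zero-padded (A*_m || 0^{128-v})."""
    out = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        out.append(int.from_bytes(chunk.ljust(16, b"\x00"), "big"))
    return out


def _length_block(a: bytes, c: bytes) -> int:
    """len(A) || len(C): two 64-bit big-endian bit counts."""
    return ((len(a) * 8) << 64) | (len(c) * 8)


def ghash(h: bytes, a: bytes, c: bytes) -> bytes:
    """GHASH(H, A, C) via the chained X_i recurrence from the text."""
    hh = int.from_bytes(h, "big")
    x = 0  # X_0 = 0
    for blk in _blocks(a) + _blocks(c):      # X_1 .. X_{m+n}
        x = gf_mult(x ^ blk, hh)
    x = gf_mult(x ^ _length_block(a, c), hh)  # X_{m+n+1}
    return x.to_bytes(16, "big")


def ghash_unchained(h: bytes, a: bytes, c: bytes) -> bytes:
    """Same value as an independent sum: X_N = sum_{i=1..N} B_i * H^(N+1-i).

    Unrolling the recurrence shows each block contributes one term that
    depends only on its own content and a precomputed power of H, so the
    terms can be computed in any order or in parallel lanes; the chained
    form cannot start block i+1 until X_i is known.
    """
    hh = int.from_bytes(h, "big")
    blocks = _blocks(a) + _blocks(c) + [_length_block(a, c)]
    n = len(blocks)
    powers = [0, hh]                          # powers[k] = H^k for k = 1..n
    for _ in range(n - 1):
        powers.append(gf_mult(powers[-1], hh))
    acc = 0
    for i, blk in enumerate(blocks, start=1):
        acc ^= gf_mult(blk, powers[n + 1 - i])
    return acc.to_bytes(16, "big")


if __name__ == "__main__":
    # Values from GCM test case 2 of the specification (zero key, zero IV,
    # one all-zero plaintext block, no additional data).
    h = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
    c = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
    print("GHASH chained  :", ghash(h, b"", c).hex())
    print("GHASH unchained:", ghash_unchained(h, b"", c).hex())
```

Both functions agree on every input, including partial final blocks, because `_blocks` performs the A*_m ‖ 0^(128-v) and C*_n ‖ 0^(128-u) padding before either form runs; only the length block distinguishes an input that ends in zero bytes from one that was padded.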

GCM mode was designed by John Viega and David A. McGrew as an improvement to Carter–Wegman Counter (CWC) mode.

On November 26, 2007, NIST announced the release of NIST Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC, making GCM and GMAC official standards.
