Should NIST Develop an Additional Version of GCM?

July 26, 2007
Morris Dworkin, Mathematician
Security Technology Group
dworkin@nist.gov
Some of the Submissions to NIST for Authenticated Encryption
• Patented, One-Pass, Parallelizable Modes
  — XECB, etc. (Gligor, Donescu)
  — IAPM (Jutla)
  — OCB (Rogaway)
• Other Parallelizable Modes, One-Pass + Universal Hash
  — GCM (McGrew, Viega)
  — CWC (Kohno, Viega, Whiting)
• Two-Pass Modes
  — CCM (Housley, Whiting, Ferguson)
  — EAX (Bellare, Rogaway, Wagner)
Galois/Counter Mode (GCM)
• Designed, analyzed, submitted by McGrew & Viega
• Authenticated encryption with associated data (AEAD)
  — Counter mode encryption using approved block cipher
  — Authentication using universal hash function in Galois field
  — Requires 96-bit initialization vectors (IVs) that do not repeat for the life of the key
• Performance
  — High-speed (10 Gbit/sec) hardware implementation
  — Good in software, given table lookups
GCM Authenticated Encryption
[Figure: block diagram of GCM authenticated encryption. Labels recovered from the figure: IV → J0, inc, GCTR_K over the plaintext P gives the ciphertext C; A || 0^v || C || 0^u || [len(A)]64 || [len(C)]64 is fed to GHASH_H, where H = CIPH_K(0^128); the GHASH output is processed by GCTR_K under J0 and truncated by MSB_t to give the tag T.]
GCM Authenticated Decryption
[Figure: block diagram of GCM authenticated decryption, the mirror of the encryption diagram. Labels recovered from the figure: IV → J0, inc, GCTR_K over C gives P; A || 0^v || C || 0^u || [len(A)]64 || [len(C)]64 is fed to GHASH_H with H = CIPH_K(0^128), processed by GCTR_K under J0 and truncated by MSB_t to give a tag T'; if T' does not equal the received T, the output is FAIL.]
GCM GCTR Function
[Figure: the GCTR function. Labels recovered from the figure: the counter blocks CB1 = ICB, CB2 = inc(CB1), …, CBn = inc(CBn-1) are each encrypted with CIPH_K and XORed with the input blocks X1, X2, …, Xn-1, Xn* to give the output blocks Y1, Y2, …, Yn-1, Yn*; the final input block Xn* may be partial, in which case only the leading bits of the last encrypted counter block are used.]
GHASH Function (NIST version, w/o length encodings)
[Figure: a chain over the input blocks X1, X2, ..., Xm; each block is XORed into the running value and the result is multiplied by H (•H) to give Y1, Y2, ..., Ym, with Ym the GHASH output.]
In effect, the GHASH function calculates
  X1•H^m ⊕ X2•H^(m-1) ⊕ ... ⊕ X(m-1)•H^2 ⊕ Xm•H.
Summary of the Development of NIST Special Publication 800-38D
• Announcement of selection of GCM over CWC (2005)
• First draft SP 800-38D (spring of 2006)
  — Restricts range of tag lengths to 12-16 bytes
• Joux’s public comment (June, 2006)
  — Practical attack if initialization vector (IV) is repeated for a key
  — Suggests design modifications
• Second draft SP 800-38D (July, 2007)
  — Elaborates on IV requirements
  — Removes support for variable-length IVs
Joux’s Attack on Repeating IVs
• Assumes IVs are repeated for distinct encryption inputs
  — Violation of GCM requirements (implementation error)
  — Adversary needs only a couple of pairs of IV-sharing ciphertexts
• Adversary can probably derive authentication subkey
• If so, authentication assurance is essentially lost
  — Valid tags can be found for arbitrary ciphertext, reusing old IV
  — Counter mode “malleability” can be exploited
    • Given one known plaintext-ciphertext pair, and reusing its IV, adversary can choose any bits to “flip”
• Confidentiality apparently not affected
Elaboration on IV Requirements in Second Draft NIST SP 800-38D
• Two IV constructions
  — Deterministic assurance of uniqueness
  — Random bit generator, up to threshold of 2^-32 over life of key
• Implementation considerations for designer and implementer
  — E.g., recovery from power loss
• For validation against FIPS 140-2
  — IV generation must be within cryptographic boundary of module
  — IV is a critical security parameter until invoked (for encryption)
  — Documentation requirements
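The attack on the previous slide assumes a repeated IV, and this slide lists the constructions that prevent one. As an added example (mine, not from the slides or from SP 800-38D), the following shows both constructions for 96-bit GCM IVs as a defender would implement them, with the invocation counter persisted before use so that recovery from power loss cannot replay an IV, the random construction capped at the per-key invocation limit, and the repeat check an auditor would run over the IVs recorded for one key. The 2^32 cap is the limit SP 800-38D adopts for RBG-based IVs; the class and function names are my own.

```python
# Added example, not part of the slides: the two IV constructions of the second
# draft for 96-bit GCM IVs, plus the repeat check an auditor would run over IVs
# recorded for one key. Deterministic: fixed field || invocation counter that
# refuses to wrap; random: an RBG output with a cap on invocations per key.
import os

IV_BITS = 96
# SP 800-38D caps RBG-based IVs at 2^32 invocations per key; the birthday bound
# below shows that this keeps the repeat probability under the slide's 2^-32.
RANDOM_IV_INVOCATION_LIMIT = 2 ** 32

def repeat_probability_bound(n: int, iv_bits: int = IV_BITS) -> float:
    """Upper bound n(n-1)/2^(iv_bits+1) on the chance that n random IVs repeat."""
    return n * (n - 1) / 2 ** (iv_bits + 1)

class DeterministicIV:
    """fixed field || invocation counter; the counter is the state that must
    survive power loss, so it is persisted (save callback) before the IV is used."""
    def __init__(self, fixed: bytes, fixed_bits: int = 32, start: int = 0, save=None):
        if len(fixed) * 8 != fixed_bits:
            raise ValueError("fixed field length does not match fixed_bits")
        self.fixed, self.ctr_bits = fixed, IV_BITS - fixed_bits
        self.counter, self.save = start, save or (lambda c: None)

    def next_iv(self) -> bytes:
        if self.counter >= 1 << self.ctr_bits:
            raise RuntimeError("invocation counter exhausted: rekey instead of wrapping")
        self.counter += 1
        self.save(self.counter)  # recovery point: a restart resumes after this IV
        return self.fixed + (self.counter - 1).to_bytes(self.ctr_bits // 8, "big")

class RandomIV:
    """RBG-based IVs with the per-key invocation limit enforced."""
    def __init__(self, limit: int = RANDOM_IV_INVOCATION_LIMIT):
        self.limit, self.used = limit, 0

    def next_iv(self) -> bytes:
        if self.used >= self.limit:
            raise RuntimeError("random-IV invocation limit reached: rekey")
        self.used += 1
        return os.urandom(IV_BITS // 8)

def first_repeated_iv(ivs):
    """Audit check: index of the first IV already seen under this key, else None."""
    seen = set()
    for i, iv in enumerate(ivs):
        if iv in seen:
            return i
        seen.add(iv)
    return None
```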
Develop a “Misuse Resistant” Variant?
• Joux suggests modifications
• NIST would like feedback on whether to develop a variant of GCM that resists Joux’s attack
• Pros
  — Allow relaxation of IV validation
  — Increase general purpose usability
• Cons
  — Reduce performance, especially in hardware
  — Algorithm proliferation
• NIST intends to finalize the original spec independently
Joux’s Suggested Modifications to GCM Authenticated Encryption
[Figure: the GCM authenticated encryption diagram with a strong KDF inserted. Labels recovered from the figure: K and IV are input to the Strong KDF, which outputs subkeys K1, K2, K3, K4; these replace the single key K at the GCTR, CIPH and GHASH stages of the original diagram; the remaining labels are as in the encryption diagram (P, J0, inc, A, 0^v, 0^u, C, [len(A)]64, [len(C)]64, 0^128, MSB_t, H, T).]
Hardware Performance (bits/cycle), Assuming Single AES Pipeline

Bytes     16     20     40     44     64    128
GCM     64.0   71.1   91.4   93.9    102    114
CWC     10.7   13.1   23.7   25.6   34.1   53.9
OCB     5.82   7.19   13.6   14.8   20.5   35.3

Bytes    256    552    576   1024   1500   8192    IPI
GCM      120    124    124    126    127    128   77.7
CWC     75.9   97.0   98.0    109    115    125   35.3
OCB     55.4   79.6   80.8   96.4    105    123   22.8
Internet Performance Index (IPI)
• Table taken from “The Security and Performance of the Galois/Counter Mode (GCM) of Operation (Full Version)”
• Packet distribution f(s) = the expected fraction of bytes that are carried in packets of size s.
• Using data from paper of Claffy, Miller, Thompson (1998): f(1500)=0.6, f(576)=0.2, f(552)=0.15, f(44)=0.05
• IPI = the expected number of bits processed per clock cycle for this packet distribution.
• “Useful indicator of the performance of a crypto module that protects IP traffic using e.g. ESP in tunnel mode…”
GCM in Hardware: No Stalls in the AES Pipeline
[Figure: an AES pipeline with stages R1 through R10, with a stream of counter blocks from successive messages entering it (… P4 P3 P2 P1 T, then P1 T, then P2 P1), coloured by message.]
The grey message has three counter blocks to encrypt: two for its plaintext blocks, and one for the output of the GHASH function. The counter blocks for the one-block yellow message and the multi-block blue message follow directly in the pipeline.
Software Performance Comparison (Mbps on 1 GHz processor)

Bytes   GCM 64K   GCM 4K   GCM 256    OCB    CWC    EAX    CCM   CBC-HMAC
16          136      116      88.4   89.5   45.7   46.0   91.3        6.3
128         263      213       162    225    104    129    171       39.0
576         273      233       184    265    126    160    168       97.0
1024        266      239       181    273    131    165    174        117
8192        258      240       182    282    135    174    175        156
IPI         268      240       182    260    121    156    168       88.6
Comments?