
Should NIST Develop an Additional Version of GCM?

July 26, 2007

Morris Dworkin, Mathematician

Security Technology [email protected]


Some of the Submissions to NIST for Authenticated Encryption

• Patented, One-Pass, Parallelizable Modes
  — XECB, etc. (Gligor, Donescu)
  — IAPM (Jutla)
  — OCB (Rogaway)

• Other Parallelizable Modes, One-Pass + Universal Hash
  — GCM (McGrew, Viega)
  — CWC (Kohno, Viega, Whiting)

• Two-Pass Modes
  — CCM (Housley, Whiting, Ferguson)
  — EAX (Bellare, Rogaway, Wagner)


Galois/Counter Mode (GCM)

• Designed, analyzed, submitted by McGrew & Viega

• Authenticated encryption with associated data (AEAD)
  — Counter mode encryption using approved block cipher
  — Authentication using universal hash function in Galois field
  — Requires 96-bit initialization vectors (IVs) that do not repeat for the life of the key

• Performance
  — High-speed (10 Gbit/sec) hardware implementation
  — Good in software, given table lookups


GCM Authenticated Encryption

[Figure: data flow of GCM authenticated encryption. H = CIPH_K(0^128); J0 is formed from the IV; C = GCTR_K(inc(J0), P); GHASH_H is applied to A ‖ 0^v ‖ C ‖ 0^u ‖ [len(A)]64 ‖ [len(C)]64; T = MSB_t(GCTR_K(J0, GHASH output)).]


GCM Authenticated Decryption

[Figure: data flow of GCM authenticated decryption. H = CIPH_K(0^128) and J0 are formed as in encryption; T' = MSB_t(GCTR_K(J0, GHASH_H(A ‖ 0^v ‖ C ‖ 0^u ‖ [len(A)]64 ‖ [len(C)]64))); P = GCTR_K(inc(J0), C) is returned only if T' = T, otherwise FAIL.]


GCM GCTR Function

[Figure: the counter blocks are CB1 = ICB and CB_i = inc(CB_{i-1}); each full block is Y_i = X_i ⊕ CIPH_K(CB_i) for i = 1, …, n-1, and the final (possibly partial) block is Y_n* = X_n* ⊕ MSB(CIPH_K(CB_n)), truncated to the length of X_n*.]


GHASH Function (NIST version, w/o length encodings)

[Figure: a chain of multiplications by H: Y_1 = X_1 • H, then Y_i = (Y_{i-1} ⊕ X_i) • H for i = 2, …, m; the output is Y_m.]

In effect, the GHASH function calculates X_1 • H^m ⊕ X_2 • H^(m-1) ⊕ … ⊕ X_(m-1) • H^2 ⊕ X_m • H.


Summary of the Development of NIST Special Publication 800-38D

• Announcement of selection of GCM over CWC (2005)

• First draft SP 800-38D (spring of 2006)
  — Restricts range of tag lengths to 12-16 bytes

• Joux’s public comment (June, 2006)
  — Practical attack if initialization vector (IV) is repeated for a key
  — Suggests design modifications

• Second draft SP 800-38D (July, 2007)
  — Elaborates on IV requirements
  — Removes support for variable-length IVs


Joux’s Attack on Repeating IVs

• Assumes IVs are repeated for distinct encryption inputs
  — Violation of GCM requirements (implementation error)
  — Adversary needs only a couple of pairs of IV-sharing ciphertexts

• Adversary can, with high probability, derive the authentication subkey H

• If so, authentication assurance is essentially lost
  — Valid tags can be found for arbitrary ciphertext, reusing the old IV
  — Counter mode “malleability” can be exploited: given one known plaintext-ciphertext pair, and reusing its IV, the adversary can choose any bits to “flip”

• Confidentiality apparently not affected by the subkey recovery itself (H does not reveal K; note, however, that a repeated IV already reuses the counter-mode keystream, which exposes the XOR of the two plaintexts)
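The attack on this slide, together with the GCTR and GHASH structure of the preceding figures, worked through as an added example that is not code from the NIST deck or from McGrew and Viega. It builds a toy GCM whose block cipher is a SHA-256 stand-in for AES (an assumption made so the code runs offline with the standard library), encrypts two single-block messages under one IV, recovers H from the two tags, and then forges tags for a bit-flipped ciphertext and for an unrelated longer one with associated data. Key, IV and messages are constructed. The case shown (equal one-block lengths, no AAD) turns the tag difference into (C1 ⊕ C2) • H^2, so H comes out of one square root without general root finding; other message shapes give a higher-degree polynomial in H whose spurious roots a second IV-sharing pair rules out.

```python
"""Joux's repeated-IV attack on GCM in its simplest case: two single-block
messages of equal length, no associated data, 128-bit tags, one IV used twice.
Added example, not code from the NIST deck or from McGrew and Viega. The block
cipher is a SHA-256 stand-in for AES (an assumption, so this runs with the
standard library alone); the attacker never calls it, only sees (IV, C, T)."""
import hashlib
import struct

R = 0xE1 << 120   # x^128 + x^7 + x^2 + x + 1 in GCM's bit-reflected form
ONE = 1 << 127    # multiplicative identity under that bit ordering

def gf_mul(x: int, y: int) -> int:
    """Block multiplication in GF(2^128), SP 800-38D Algorithm 1."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:          # bit i of y, leftmost bit first
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def gf_pow(x: int, e: int) -> int:
    acc, base = ONE, x
    while e:
        if e & 1:
            acc = gf_mul(acc, base)
        base, e = gf_mul(base, base), e >> 1
    return acc

def gf_inv(x: int) -> int:
    return gf_pow(x, (1 << 128) - 2)      # x^(2^128 - 2) == x^-1 for x != 0

def gf_sqrt(x: int) -> int:
    return gf_pow(x, 1 << 127)            # squaring is a bijection: (x^(2^127))^2 == x

def _blocks(data: bytes):
    for i in range(0, len(data), 16):     # zero-pad the last block (the 0^v / 0^u)
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\0"), "big")

def ghash(h: int, aad: bytes, ct: bytes) -> int:
    """GHASH_H(A || 0^v || C || 0^u || [len(A)]64 || [len(C)]64), Y_i = (Y_{i-1} ^ X_i) * H."""
    y = 0
    for x in list(_blocks(aad)) + list(_blocks(ct)):
        y = gf_mul(y ^ x, h)
    lengths = int.from_bytes(struct.pack(">QQ", 8 * len(aad), 8 * len(ct)), "big")
    return gf_mul(y ^ lengths, h)

# --- the victim's GCM module (sender and verifier) ---------------------------
def _ciph(key: bytes, block: bytes) -> bytes:
    return hashlib.sha256(key + block).digest()[:16]   # stand-in for CIPH_K = AES_K

def _gctr(key: bytes, iv: bytes, data: bytes) -> bytes:
    out = b""
    for i, k in enumerate(range(0, len(data), 16), start=2):   # inc32(J0) = IV || 2, ...
        keystream = _ciph(key, iv + struct.pack(">I", i))
        out += bytes(a ^ b for a, b in zip(data[k:k + 16], keystream))
    return out

def _tag(key: bytes, iv: bytes, aad: bytes, ct: bytes) -> bytes:
    h = int.from_bytes(_ciph(key, bytes(16)), "big")             # H = CIPH_K(0^128)
    mask = int.from_bytes(_ciph(key, iv + b"\0\0\0\1"), "big")    # CIPH_K(J0), t = 128
    return (ghash(h, aad, ct) ^ mask).to_bytes(16, "big")

def gcm_encrypt(key: bytes, iv: bytes, pt: bytes, aad: bytes = b""):
    assert len(iv) == 12
    ct = _gctr(key, iv, pt)
    return ct, _tag(key, iv, aad, ct)

def gcm_decrypt(key: bytes, iv: bytes, ct: bytes, tag: bytes, aad: bytes = b""):
    if _tag(key, iv, aad, ct) != tag:
        return None                                              # FAIL
    return _gctr(key, iv, ct)

# --- the attacker: sees only (IV, C, T) --------------------------------------
def recover_h(ct1: bytes, tag1: bytes, ct2: bytes, tag2: bytes) -> int:
    """Same IV, one block each, no AAD: the length blocks cancel and
    T1 ^ T2 = GHASH_H(C1) ^ GHASH_H(C2) = (C1 ^ C2) * H^2, so H^2 and then H follow."""
    assert len(ct1) == len(ct2) == 16 and ct1 != ct2
    c = int.from_bytes(ct1, "big") ^ int.from_bytes(ct2, "big")
    t = int.from_bytes(tag1, "big") ^ int.from_bytes(tag2, "big")
    return gf_sqrt(gf_mul(t, gf_inv(c)))

def forge_tag(h: int, ct1: bytes, tag1: bytes, new_ct: bytes, new_aad: bytes = b"") -> bytes:
    """With H known, T1 ^ GHASH_H(C1) = CIPH_K(J0) is a fixed mask for this IV, so
    a valid tag exists for any ciphertext and AAD the attacker picks under that IV."""
    mask = int.from_bytes(tag1, "big") ^ ghash(h, b"", ct1)
    return (ghash(h, new_aad, new_ct) ^ mask).to_bytes(16, "big")

def demo():
    key, iv = bytes(range(16)), bytes(12)            # constructed; the IV is reused below
    p1, p2 = b"transfer $100.00", b"balance  $250.00"
    c1, t1 = gcm_encrypt(key, iv, p1)
    c2, t2 = gcm_encrypt(key, iv, p2)                # the implementation error
    h = recover_h(c1, t1, c2, t2)
    h_ok = h == int.from_bytes(_ciph(key, bytes(16)), "big")
    # counter-mode malleability: flip exactly the bits that turn $100.00 into $999.00
    c3 = bytes(a ^ b ^ d for a, b, d in zip(c1, p1, b"transfer $999.00"))
    flipped = gcm_decrypt(key, iv, c3, forge_tag(h, c1, t1, c3))
    # and a longer, unrelated ciphertext with AAD is accepted as well
    c4 = b"\xaa" * 40
    accepted = gcm_decrypt(key, iv, c4, forge_tag(h, c1, t1, c4, b"hdr"), b"hdr") is not None
    return h_ok, flipped, accepted
```

Calling demo() returns (True, b'transfer $999.00', True): the recovered H equals the module's own, the bit-flipped ciphertext decrypts and authenticates, and a 40-byte ciphertext with associated data that was never encrypted is accepted. The gf_mul and ghash routines follow SP 800-38D exactly, so they also reproduce the GCM specification's test vectors (for example GHASH of the Test Case 2 ciphertext under H = 66e94bd4ef8a2c3b884cfa59ca342b2e); only the block cipher is a stand-in. Nothing here recovers K: the damage is loss of authentication (and, independently, the reused counter-mode keystream).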


Elaboration on IV Requirements in Second Draft NIST SP 800-38D

• Two IV constructions
  — Deterministic assurance of uniqueness
  — Random bit generator, up to threshold of 2^-32 over life of key

• Implementation considerations for designer and implementer
  — E.g., recovery from power loss

• For validation against FIPS 140-2
  — IV generation must be within cryptographic boundary of module
  — IV is a critical security parameter until invoked (for encryption)
  — Documentation requirements
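The two constructions on this slide, as an added example that is not code from the NIST deck: a deterministic IV generator (fixed field ‖ invocation counter) that checkpoints its counter so that a restart after power loss cannot hand out a value it may already have used, and the invocation budget that the 2^-32 threshold imposes on the random-bit-generator construction. The field widths, the checkpoint stride and the dict standing in for the module's persistent storage are assumptions.

```python
"""GCM IV generation under the second-draft requirements: a deterministic
construction that survives power loss, and the RBG construction with its
invocation budget. Added example, not from the NIST deck; field widths,
checkpoint stride and the dict used as 'persistent storage' are assumptions."""
import math
import secrets
import struct

FIXED_BYTES, COUNTER_BYTES = 4, 8        # 96-bit IV = fixed field || invocation counter

class IvExhausted(Exception):
    """Every permitted IV under this key has been issued: retire the key."""

class DeterministicIv:
    """fixed field (identifies this device/context) || 64-bit invocation counter.
    Uniqueness is deterministic only if the counter survives a power loss, so the
    generator persists the top of a reserved range *before* issuing any value in
    it and, on restart, resumes from that checkpoint. Values in the lost range
    are skipped: a gap is harmless, a repeat is not."""

    def __init__(self, fixed: bytes, storage: dict, stride: int = 1024):
        assert len(fixed) == FIXED_BYTES
        self.fixed, self.storage, self.stride = fixed, storage, stride
        self.counter = storage.get("reserved", 0)   # never below the last reservation
        self._reserve()

    def _reserve(self) -> None:
        self.storage["reserved"] = self.counter + self.stride   # persisted first

    def next_iv(self) -> bytes:
        if self.counter >= 1 << (8 * COUNTER_BYTES):
            raise IvExhausted
        if self.counter >= self.storage["reserved"]:
            self._reserve()
        iv = self.fixed + struct.pack(">Q", self.counter)
        self.counter += 1
        return iv

def random_iv_budget(iv_bits: int = 96, collision_log2: int = -32) -> int:
    """Largest n with n(n-1)/2 * 2^-iv_bits <= 2^collision_log2 (birthday bound):
    how many encryptions one key may perform with RBG-generated IVs. For 96-bit
    IVs at 2^-32 this is a little above 2^32, which the draft rounds down."""
    return math.isqrt(1 << (iv_bits + collision_log2 + 1))

class RandomIv:
    """RBG construction: random 96-bit IVs with the invocation budget enforced."""

    def __init__(self, budget: int = random_iv_budget()):
        self.remaining = budget

    def next_iv(self) -> bytes:
        if self.remaining <= 0:
            raise IvExhausted
        self.remaining -= 1
        return secrets.token_bytes(FIXED_BYTES + COUNTER_BYTES)

def simulate_power_loss(stride: int = 4, n: int = 6) -> bool:
    """Issue n IVs, lose the process (only `storage` survives), restart, issue n
    more: returns True when all 2n IVs are distinct."""
    storage, fixed = {}, b"\x00\x00\x00\x07"        # constructed device id
    gen = DeterministicIv(fixed, storage, stride)
    first = [gen.next_iv() for _ in range(n)]
    del gen                                          # power loss
    gen = DeterministicIv(fixed, storage, stride)
    second = [gen.next_iv() for _ in range(n)]
    return len(set(first + second)) == 2 * n
```

The cost of the checkpoint is at most `stride` skipped counter values per restart, which is negligible against a 64-bit counter; the alternative, persisting every counter value before use, is what the "recovery from power loss" consideration is warning about when storage writes are slow or unreliable. The RBG budget is what a FIPS 140-2 module would have to document and enforce inside its boundary.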


Develop a “Misuse Resistant” Variant?

• Joux suggests modifications

• NIST would like feedback on whether to develop a variant of GCM that resists Joux’s attack

• Pros
  — Allow relaxation of IV validation
  — Increase general purpose usability

• Cons
  — Reduce performance, especially in hardware
  — Algorithm proliferation

• NIST intends to finalize the original spec independently


Joux’s Suggested Modifications to GCM Authenticated Encryption

[Figure: the encryption data flow (P, A, IV, inc, J0, GCTR, GHASH, MSB_t, T, H = CIPH(0^128)) redrawn with a strong KDF that expands K into subkeys K1, K2, K3, K4; the block-cipher calls (CIPH) that the standard mode keys with the single K are keyed with these separate subkeys.]


Hardware Performance (bits/cycle), Assuming Single AES Pipeline

Bytes   16     20     40     44     64     128    256    552    576    1024   1500   8192   IPI
GCM     64.0   71.1   91.4   93.9   102    114    120    124    124    126    127    128    77.7
CWC     10.7   13.1   23.7   25.6   34.1   53.9   75.9   97.0   98.0   109    115    125    35.3
OCB     5.82   7.19   13.6   14.8   20.5   35.3   55.4   79.6   80.8   96.4   105    123    22.8


Internet Performance Index (IPI)

• Table taken from “The Security and Performance of the Galois/Counter Mode (GCM) of Operation (Full Version)”

• Packet distribution f(s)=the expected fraction of bytes that are carried in packets of size s.

• Using data from the paper of Claffy, Miller and Thompson (1998): f(1500)=0.6, f(576)=0.2, f(552)=0.15, f(44)=0.05

• IPI=the expected number of bits processed per clock cycle for this packet distribution.

• “Useful indicator of the performance of a crypto module that protects IP traffic using e.g. ESP in tunnel mode…”


GCM in Hardware: No Stalls in the AES Pipeline

[Figure: AES pipeline stages R1 to R10 occupied back to back by the counter blocks (P1, P2, …) and tag block (T) of consecutive messages.]

The grey message has three counter blocks to encrypt: two for its plaintext blocks, and one for the output of the GHASH function. The counter blocks for the one-block yellow message and the multi-block blue message follow directly in the pipeline.


Software Performance Comparison (Mbps on 1 GHz processor; the three GCM columns differ in the size of the GHASH lookup table)

Bytes   GCM 64K   GCM 4K   GCM 256   OCB    CWC    EAX    CCM    CBC-HMAC
16      136       116      88.4      89.5   45.7   46.0   91.3   6.3
128     263       213      162       225    104    129    171    39.0
576     273       233      184       265    126    160    168    97.0
1024    266       239      181       273    131    165    174    117
8192    258       240      182       282    135    174    175    156
IPI     268       240      182       260    121    156    168    88.6


Comments?