Click here to load reader
Upload
stuart-casey
View
212
Download
0
Embed Size (px)
DESCRIPTION
Galois/Counter Mode (GCM) Designed, analyzed, submitted by McGrew & Viega Authenticated encryption with associated data (AEAD) —Counter mode encryption using approved block cipher —Authentication using universal hash function in Galois field —Requires 96-bit initialization vectors (IVs) that do not repeat for the life of the key Performance —High-speed (10Gbit/sec) hardware implementation —Good in software, given table lookups
Citation preview
Should NIST Develop an Additional Version of GCM?
July 26, 2007Morris Dworkin, Mathematician
Security Technology [email protected]
Some of the Submissions to NIST for Authenticated Encryption
• Patented, One-Pass, Parallelizable Modes— XECB, etc. Gligor, Donescu
— IAPM Jutla
— OCB Rogaway
• Other Parallelizable Modes, One-Pass + Universal Hash— GCM McGrew, Viega
— CWC Kohno, Viega, Whiting
• Two-Pass Modes— CCM Housley, Whiting, Ferguson
— EAX Bellare, Rogaway, Wagner
Galois/Counter Mode (GCM)
• Designed, analyzed, submitted by McGrew & Viega
• Authenticated encryption with associated data (AEAD)— Counter mode encryption using approved block cipher
— Authentication using universal hash function in Galois field
— Requires 96-bit initialization vectors (IVs) that do not repeat for the life of the key
• Performance— High-speed (10Gbit/sec) hardware implementation
— Good in software, given table lookups
GCM Authenticated Encryption
P
CA
GHASHH
0v 0u [len(A)]64 [len(C)]64
IV
inc
CIPHK
T
GCTRK
GCTRK
MSBt H
J0
0128
GCM Authenticated Decryption
P
CA
GHASHH
0v 0u [len(A)]64 [len(C)]64
IV
inc
CIPHKGCTRK
GCTRK
MSBt
0128
H
J0
TT if
FAIL
GCM GCTR Function
CIPHK
⊕X2
Y2
CIPHK
CBn-1
⊕Xn-1
Yn-1
CIPHK
⊕Xn*
Yn*
ICB
CIPHK
⊕X1
Y1
inc…
…
CB2 CBninc
GHASH Function(NIST version, w/o length encodings)
X1
•H
Y1
⊕
X2
•H
Y2
...
⊕
Xm
•H
Ym
In effect, the GHASH function calculates X1Hm X2Hm-1 ... Xm-1H2 XmH.
Summary of the Development ofNIST Special Publication 800-38D
• Announcement of selection of GCM over CWC (2005)
• First draft SP 800-38D (spring of 2006)— Restricts range of tag lengths to 12-16 bytes
• Joux’s public comment (June, 2006)— Practical attack if initialization vector (IV) is repeated for a key— Suggests design modifications
• Second draft SP 800-38D (July, 2007)— Elaborates on IV requirements
— Removes support for variable-length IVs
Joux’s Attack on Repeating IVs
• Assumes IVs are repeated for distinct encryption inputs— Violation of GCM requirements (implementation error)
— Adversary needs only a couple of pairs of IV-sharing ciphertexts
• Adversary can probably derive authentication subkey
• If so, authentication assurance is essentially lost— Valid tags can be found for arbitrary ciphertext, reusing old IV
— Counter mode “malleability” can be exploited• Given one known plaintext-ciphertext pair, and reusing its
IV, adversary can choose any bits to “flip”
• Confidentiality apparently not affected
Elaboration on IV Requirements in Second Draft NIST SP 800-38D
• Two IV constructions — Deterministic assurance of uniqueness
— Random bit generator, up to threshold of 2-32 over life of key
• Implementation considerations for designer and implementer— E.g., recovery from power loss
• For validation against FIPS 140-2— IV generation must be within cryptographic boundary of module
— IV is a critical security parameter until invoked (for encryption)
— Documentation requirements
Develop a “Misuse Resistant” Variant?
• Joux suggests modifications
• NIST would like feedback on whether to develop a variant of GCM that resists Joux’s attack
• Pros— Allow relaxation of IV validation
— Increase general purpose usability
• Cons— Reduce performance, especially in hardware
— Algorithm proliferation
• NIST intends to finalize the original spec independently
P
CA
GHASH
0v 0u [len(A)]64 [len(C)]64
IV
inc
T
GCTR
MSBt
J0
Joux’s Suggested Modifications to GCM Authenticated Encryption
GCTR CIPHK
H
0128
Strong KDF
K
K1 K2 K3 K4
K3
K2 K1
K4 CIPH
Hardware Performance (bits/cycle)Assuming Single AES Pipeline
Bytes 16 20 40 44 64 128
GCM 64.0 71.1 91.4 93.9 102 114
CWC 10.7 13.1 23.7 25.6 34.1 53.9
OCB 5.82 7.19 13.6 14.8 20.5 35.3
Bytes 256 552 576 1024 1500 8192 IPI
GCM 120 124 124 126 127 128 77.7
CWC 75.9 97.0 98.0 109 115 125 35.3
OCB 55.4 79.6 80.8 96.4 105 123 22.8
Internet Performance Index (IPI)
• Table taken from “The Security and Performance of the Galois/Counter Mode (GCM) of Operation (Full Version)”
• Packet distribution f(s)=the expected fraction of bytes that are carried in packets of size s.
• Using data from paper of Claffy, Miller Thompson (1998): f(1500)=0.6, f(576)=0.2, f(552)=0.15, f(44)=0.05
• IPI=the expected number of bits processed per clock cycle for this packet distribution.
• “Useful indicator of the performance of a crypto module that protects IP traffic using e.g. ESP in tunnel mode…”
GCM in Hardware: No Stalls in the AES Pipeline
… P4 P3 P2 P1 T P1 T P2 P1
R1 R2 R3 R4 R5 R6 R7 R8 R9 R10
The grey message has three counter blocks to encrypt: two for its plaintext blocks, and one for the output of the GHASH function. The counter blocks for the one-block yellow message and the multi-block blue message follow directly in the pipeline.
Software Performance Comparison(Mbps on 1 GHz processor)
Bytes GCM 64K
GCM 4K
GCM 256 OCB CWC EAX CCM CBC-
HMAC
16 136 116 88.4 89.5 45.7 46.0 91.3 6.3
128 263 213 162 225 104 129 171 39.0
576 273 233 184 265 126 160 168 97.0
1024 266 239 181 273 131 165 174 117
8192 258 240 182 282 135 174 175 156
IPI 268 240 182 260 121 156 168 88.6
Comments ?