Galois/Counter Mode (GCM) is a mode of operation for symmetric-key cryptographic block ciphers that has been widely adopted because of its efficiency and performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with reasonable hardware resources.〔Lemsitzer, Wolkerstorfer, Felber, Braendli, Multi-gigabit GCM-AES Architecture Optimized for FPGAs. CHES '07: Proceedings of the 9th international workshop on Cryptographic Hardware and Embedded Systems, 2007.〕 The operation is an authenticated encryption algorithm designed to provide both data authenticity (integrity) and confidentiality. GCM is defined for block ciphers with a block size of 128 bits. Galois Message Authentication Code (GMAC) is an authentication-only variant of GCM which can be used as an incremental message authentication code. Both GCM and GMAC can accept initialization vectors of arbitrary length.

Different block cipher modes of operation can have significantly different performance and efficiency characteristics, even when used with the same block cipher. GCM can take full advantage of parallel processing, and an implementation of GCM can make efficient use of an instruction pipeline or a hardware pipeline. In contrast, the cipher block chaining (CBC) mode of operation incurs significant pipeline stalls that hamper its efficiency and performance.

==Encryption and authentication==

As the name suggests, GCM combines the well-known counter mode of encryption with the new Galois mode of authentication. The key feature is that the Galois field multiplication used for authentication can be easily computed in parallel. This permits higher throughput than authentication algorithms that, like CBC, use chaining modes. The GF(2<sup>128</sup>) field used is defined by the polynomial : The authentication tag is constructed by feeding blocks of data into the GHASH function and encrypting the result.
This GHASH function is defined by : where ''H'' is the Hash Key, a string of 128 zero bits encrypted using the block cipher, ''A'' is data which is only authenticated (not encrypted), ''C'' is the ciphertext, ''m'' is the number of 128-bit blocks in ''A'', ''n'' is the number of 128-bit blocks in ''C'' (the final blocks of ''A'' and ''C'' need not be exactly 128 bits), and the variable ''X''<sub>''i''</sub> for ''i'' = 0, ..., ''m'' + ''n'' + 1 is defined as〔''Note that there is a typo in the formulas in the article.''〕 : where ''v'' is the bit length of the final block of ''A'', ''u'' is the bit length of the final block of ''C'', and denotes concatenation of bit strings. Note that this is an iterative algorithm: each ''X''<sub>''i''</sub> depends on ''X''<sub>''i''−1</sub> and only the final ''X''<sub>''i''</sub> is retained as output.

GCM mode was designed by John Viega and David A. McGrew as an improvement to Carter–Wegman Counter (CWC) mode. In November 2007, NIST announced the release of NIST Special Publication 800-38D, ''Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC'', making GCM and GMAC official standards.
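The iterative GHASH computation described above, written out as an added example (this code is not part of the article and is not a reference implementation from the GCM specification or any library). It implements the GF(2<sup>128</sup>) multiplication in GCM's bit-reflected convention and the block-by-block update of ''X''<sub>''i''</sub> over ''A'', then ''C'', then the 64-bit lengths of ''A'' and ''C''. The block cipher is deliberately left out: the hash key ''H'' and the encrypted initial counter block E<sub>K</sub>(Y<sub>0</sub>) are taken from the published GCM specification test cases 1 and 2 (AES-128, all-zero key and IV), so the GHASH output and the resulting tag can be checked against known values without an AES implementation.

```python
"""GHASH over GF(2^128) as used by GCM and GMAC (added example, not article code).

H is the hash key (the block cipher applied to 128 zero bits), A is the
authenticated-only data, C is the ciphertext, and X_i is built iteratively
block by block, with a final step over the bit lengths of A and C.
"""

BLOCK_BITS = 128
# GCM's reduction constant R = 11100001 || 0^120, i.e. the field polynomial
# x^128 + x^7 + x^2 + x + 1 in GCM's reflected bit order, as an integer.
R = 0xE1 << 120


def gf_mult(x: int, y: int) -> int:
    """Multiply two field elements given as 128-bit blocks (big-endian ints).

    Bit i of a block in GCM numbering (bit 0 = leftmost) is integer bit
    127 - i. Shifting v right by one multiplies it by x in the reflected
    convention; when the bit that falls off is set, reduce by XORing in R.
    """
    z = 0
    v = y
    for i in range(BLOCK_BITS):
        if (x >> (BLOCK_BITS - 1 - i)) & 1:
            z ^= v
        if v & 1:
            v = (v >> 1) ^ R
        else:
            v >>= 1
    return z


def _blocks(data: bytes):
    """Yield the 128-bit blocks of data as integers; a short final block
    (the article's u- or v-bit block) is zero-padded on the right."""
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        yield int.from_bytes(chunk.ljust(16, b"\x00"), "big")


def ghash(h: int, a: bytes, c: bytes) -> int:
    """GHASH_H(A, C): X_0 = 0; X_i = (X_{i-1} XOR block_i) * H for each block
    of A and then of C; finally one step over len(A) || len(C) in bits."""
    x = 0
    for block in _blocks(a):
        x = gf_mult(x ^ block, h)
    for block in _blocks(c):
        x = gf_mult(x ^ block, h)
    lengths = ((len(a) * 8) << 64) | (len(c) * 8)
    return gf_mult(x ^ lengths, h)


def gcm_tag(h: int, a: bytes, c: bytes, ek_y0: int) -> int:
    """GCM tag: the GHASH output masked with E_K(Y_0), the encryption of the
    initial counter block. E_K(Y_0) is passed in because this example
    contains no block cipher."""
    return ghash(h, a, c) ^ ek_y0


# Published GCM specification test vectors (AES-128, key = 0^128, IV = 0^96):
# H = AES_K(0^128); test case 1 has an empty message, test case 2 encrypts
# one all-zero block. Constants are from the specification, not computed here.
H_ZERO_KEY = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
EK_Y0_ZERO = 0x58E2FCCEFA7E3061367F1D57A4E7455A  # E_K(Y_0); also the case-1 tag
C_CASE2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
TAG_CASE2 = 0xAB6E47D42CEC13BDF53A67B21257BDDF

if __name__ == "__main__":
    print("GHASH case 2:", format(ghash(H_ZERO_KEY, b"", C_CASE2), "032x"))
    print("tag   case 2:", format(gcm_tag(H_ZERO_KEY, b"", C_CASE2, EK_Y0_ZERO), "032x"))
```

Passing an empty ''C'' and non-empty ''A'' to `ghash` gives the GMAC (authentication-only) use of the same function. The bit-per-iteration loop is the simplest correct form; production code uses precomputed multiplication tables or carry-less multiply instructions, but the result is the same field multiplication that the article notes can be evaluated in parallel because each block's contribution is a power of ''H''.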