The Security and Performance of the Galois/Counter Mode of Operation (Full Version)

The recently introduced Galois/Counter Mode (GCM) of operation for block ciphers provides both encryption and message authentication, using universal hashing based on multiplication in the binary finite field GF(2^128). We analyze its security and performance, and show that it is the most efficient mode of operation for high-speed packet networks, using a realistic model of a network crypto module and empirical data from studies of Internet traffic in conjunction with software experiments and hardware designs. GCM has several useful features: it accepts IVs of arbitrary length, can act as a stand-alone message authentication code (MAC), and can be used as an incremental MAC. We show that GCM is secure in the standard model of concrete security even when these features are used. We also consider several of its important system-security aspects.
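The three features the abstract names (arbitrary-length IVs, stand-alone MAC use, incremental MAC use) all follow from the structure of GHASH: the authenticated data, the ciphertext and a final length block are evaluated as a polynomial in the hash key H over GF(2^128). The following is an added example written for this page, not code from the paper or its authors. It implements the GF(2^128) multiplication in GCM's bit ordering, GHASH, the IV-to-counter derivation, tag computation, and CTR encryption with a caller-supplied block cipher; AES is deliberately not bundled, and the function `enc` is assumed to be any 128-bit block-cipher permutation E_K (for example AES-128 from a library). The 16-byte constants `H_TC2`, `EKJ0_TC2` and `C_TC2` are quoted from the GCM specification's AES-128 Test Case 2 (all-zero key and IV), so the GHASH and tag can be checked without computing AES; `ghash_replace_ct_block` is the incremental-MAC idea worked out for a single replaced ciphertext block.

```python
"""GHASH/GMAC core of GCM over GF(2^128) with a pluggable 128-bit block cipher.
Added example for this page, not code from the paper or its authors. AES is not
bundled: GCM needs E_K only for H = E_K(0^128), E_K(J0) and the counter keystream,
so demo() checks GHASH and the tag against quoted constants from the GCM spec's
AES-128 Test Case 2 (all-zero key, all-zero 96-bit IV, one zero plaintext block)."""
import hmac
from typing import Callable

BLOCK = 16
R = 0xE1 << 120   # x^128 + x^7 + x^2 + x + 1 in GCM's reflected bit order
ONE = 1 << 127    # the field element 1: x^0 is the leftmost bit in GCM

def gf_mult(x: int, y: int) -> int:
    """Multiply in GF(2^128) using GCM's bit convention (spec Algorithm 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:                 # bit i of y, numbered left to right
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1    # v <- v * x, reduced mod R
    return z

def gf_pow(h: int, e: int) -> int:
    r = ONE
    for _ in range(e):
        r = gf_mult(r, h)
    return r

def _blocks(data: bytes):                        # 16-byte blocks, last zero-padded
    for i in range(0, len(data), BLOCK):
        yield data[i:i + BLOCK].ljust(BLOCK, b"\x00")

def ghash(h: bytes, aad: bytes, ct: bytes) -> bytes:
    """GHASH_H(A, C): Horner evaluation over the blocks of A, C and the length block."""
    hk, x = int.from_bytes(h, "big"), 0
    length = (len(aad) * 8).to_bytes(8, "big") + (len(ct) * 8).to_bytes(8, "big")
    for blk in [*_blocks(aad), *_blocks(ct), length]:
        x = gf_mult(x ^ int.from_bytes(blk, "big"), hk)
    return x.to_bytes(BLOCK, "big")

def ghash_replace_ct_block(h: bytes, old: bytes, ct: bytes, idx: int, new_blk: bytes) -> bytes:
    """Incremental GHASH: replacing full ciphertext block idx moves the hash (and so
    the tag) by (old_blk xor new_blk) * H^(n_c - idx + 1); nothing else is rehashed."""
    n_c = -(-len(ct) // BLOCK)
    old_blk = int.from_bytes(ct[idx * BLOCK:(idx + 1) * BLOCK], "big")
    delta = old_blk ^ int.from_bytes(new_blk, "big")
    term = gf_mult(delta, gf_pow(int.from_bytes(h, "big"), n_c - idx + 1))
    return (int.from_bytes(old, "big") ^ term).to_bytes(BLOCK, "big")

def j0(h: bytes, iv: bytes) -> bytes:
    """Pre-counter block: a 96-bit IV is used as-is, any other length is GHASHed."""
    return iv + b"\x00\x00\x00\x01" if len(iv) == 12 else ghash(h, b"", iv)

def inc32(block: bytes) -> bytes:
    ctr = (int.from_bytes(block[12:], "big") + 1) & 0xFFFFFFFF
    return block[:12] + ctr.to_bytes(4, "big")

def gmac_tag(h: bytes, ek_j0: bytes, aad: bytes, ct: bytes, tag_len: int = 16) -> bytes:
    """T = MSB_t(GHASH_H(A, C) xor E_K(J0)); with ct empty this is stand-alone GMAC."""
    return bytes(a ^ b for a, b in zip(ghash(h, aad, ct), ek_j0))[:tag_len]

def _ctr(enc: Callable[[bytes], bytes], pre: bytes, data: bytes) -> bytes:
    out, ctr = bytearray(), pre
    for blk in _blocks(data):
        ctr = inc32(ctr)
        out += bytes(a ^ k for a, k in zip(blk, enc(ctr)))
    return bytes(out[:len(data)])

def gcm_encrypt(enc, iv, aad, pt, tag_len=16):
    """Full GCM given any 128-bit block-cipher callable enc(block) = E_K(block)."""
    h = enc(bytes(BLOCK))
    pre = j0(h, iv)
    ct = _ctr(enc, pre, pt)
    return ct, gmac_tag(h, enc(pre), aad, ct, tag_len)

def gcm_decrypt(enc, iv, aad, ct, tag, tag_len=16):
    h = enc(bytes(BLOCK))
    pre = j0(h, iv)
    # Verify in constant time before any plaintext is released.
    if not hmac.compare_digest(gmac_tag(h, enc(pre), aad, ct, tag_len), tag):
        raise ValueError("authentication failed")
    return _ctr(enc, pre, ct)

# Quoted from GCM spec Test Case 2 (AES-128, K = 0^128, IV = 0^96, P = 0^128).
H_TC2 = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")     # E_K(0^128)
EKJ0_TC2 = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")  # E_K(J0)
C_TC2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")     # E_K(inc32(J0)) xor P

def demo() -> dict:
    """GHASH and tag for Test Case 2; the spec lists f38cbb1a... and ab6e47d4...."""
    return {"ghash": ghash(H_TC2, b"", C_TC2).hex(),
            "tag": gmac_tag(H_TC2, EKJ0_TC2, b"", C_TC2).hex()}
```

Two points the code makes concrete. First, the incremental update multiplies only the changed block's difference by a single power of H, which is why GCM can serve as an incremental MAC; the exponent depends on the block's distance from the end of the message, so the length must not change. Second, `gcm_decrypt` checks the tag before decrypting anything and compares it in constant time, which is the behaviour a deployment needs regardless of which block cipher is plugged in.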
