[Technick univerzita v Koiciach]

[13TH APRIL 2017]

CRYPTOGRAPHY
[GCM (Galois Counter Mode) block mode of AES 128 operation]

SANTOSH KUMAR CHINTAPALLI

TECHNICAL UNIVERSITY OF KOSICE
FACULTY OF ELECCTRICAL ENGINEERING AND INFORMATICS(FEI)
STUDENT ID :S2416087267
EMAIL:santoshkumar.chintapalli@student.tuke.sk
ABSTRACT:

The recently introduced Galois/Counter Mode (GCM) of operation for block

ciphers provides both encryption and message authentication, using universal
hashing based on multiplication in a binary finite field. We analyze its security
and performance, and show that it is the most efficient mode of operation for
high speed packet networks, by using a realistic model of a network crypto
module and empirical data from studies of Internet traffic in conjunction with
software experiments and hardware designs. GCM has several useful features: it
can accept IVs of arbitrary length, can act as a stand-alone message
authentication code (MAC), and can be used as an incremental MAC. We show
that GCM is secure in the standard model of concrete security, even when these
features are used. We also consider several of its important system-security
aspects.

INTRODUCTION:

Galois/Counter Mode (GCM) is a block cipher mode of operation that uses

universal hashing over a binary Galois field to provide authenticated encryption.
It can be implemented in hardware to achieve high speeds with low cost and low
latency. Software implementations can achieve excellent performance by using
table-driven field operations. It uses mechanisms that are supported by a well-
understood theoretical foundation, and its security follows from a single
reasonable assumption about the security of the block cipher.

There is a compelling need for a mode of operation that can efficiently provide
authenticated encryption at speeds of 10 gigabits per second and above in
hardware, perform well in software, and is free of intellectual property
restrictions. The mode must admit pipe lined and paralellized implementations
and have minimal computational latency in order to be useful at high data rates.
Counter mode has emerged as the best method for high-speed encryption,
because it meets those requirements. However, there is no suitable standard
message authentication algorithm. This fact leaves us in the situation in which
we can encrypt at high speed, but we cannot provide message authentication
that can keep up with our cipher. This lack is especially conspicuous since
counter mode provides no protection against bit-flipping attacks.

Block Cipher:

In cryptography, a block cipher mode of operation is an algorithm that uses a

blockcipher.
To provide an information service such as confidentiality or authenticity.A block
cipher by itself is only suitable for the secure cryptographic transformation
(encryption or decryption) of one fixed-length group of bits called a block. A
mode of operation describes how repeatedly to apply a cipher's single-block
operation securely to transform amounts of data larger than a block.

Advanced Encryption Standard:

The Advanced Encryption Standard (AES), also known by its original

name Rijndael is a specification for the encryption of electronic
data established by the U.S. National Institute of Standards and
Technology (NIST) in 2001.

High-level description of the algorithm:

Key Expansionsround keys are derived from the cipher key

using Rijndael's key schedule. AES requires a separate 128-bit round key
block for each round plus one more.
Initial Round
1. Add Round Keyeach byte of the state is combined with a block of the
round key using bit wise xor.
Rounds
1. Sub Bytesa non-linear substitution step where each byte is replaced with
another according to a lookup table.
2. Shift Rowsa transposition step where the last three rows of the state are
shifted cyclically a certain number of steps.
3. Mix Columnsa mixing operation which operates on the columns of the
state, combining the four bytes in each column.
4. Add Round Key
Final Round (no Mix Columns)
1. Sub Bytes
2. Shift Rows
3. Add Round Key.

Common Modes:

Electronic Codebook (ECB)

The simplest of the encryption modes is the Electronic Codebook (ECB) mode
(named after conventional physical Codebooks). The message is divided into
blocks, and each block is encrypted separately.
Galois/Counter Mode (GCM) is a block cipher mode of operation:
 Figure1 :The authenticated Encryption and Decryption operation

Symbols :
A The additional authenticated data
C The cipher text.
H The hash sub key.
I The initialization vector.
K The block cipher key.
P The plain text.
T The authentication tag.
t The bit length of the authentication tag.

The authenticated encryption operation is defined by the following

equations:
Encryption: H = E(K, 0128)
31
Y0 = IV II01 if len(IV) = 96
GHASH(H, {}, IV ) Otherwise.
T' = MSBt(GHASH(H, A, C) E(K, Y0))
Yi = incr(Yi1) for i = 1, . . . , n
Ci = Pi E(K, Yi) for i = 1, . . . , n 1
Cn = Pn MSBu(E(K,Yn))

T = MSBt(GHASH(H, A, C) E(K, Y0))

Decryption:
H = E(K, 0128)
31
Y0 = IV II01 if len(IV) = 96
GHASH(H, {}, IV ) Otherwise.
T' = MSBt(GHASH(H, A, C) E(K, Y0))
Yi = incr(Yi1) for i = 1, . . . , n
Pi = Ci E(K, Yi) for i = 1, . . . , n
P n = C n MSBu(E(K, Yn))

Multiplication in GF (2128):

The multiplication operation is defined as an operation on bit vectors in order to

simplify the specification. This definition corresponds to the particular choice of
the field representation used in GCM. Section 3 provides background information
on this field and its representation, and Section 4 describes some strategies for
efficient implementation. Each element is a vector of 128 bits. The i th bit of an
element X is denoted as Xi. The leftmost bit is X0, and the rightmost bit is X127.
The multiplication operation uses the special element R = 11100001i0120 , and
is defined in Algorithm 1. The function rightshift() moves the bits of its argument
one bit to the right. More formally, whenever W = rightshift(V ), then Wi = Vi1
for 1 i 127 and W0 = 0.

AES Test Vectors:

Test case 1 computations :

plain-text:
00000000000000000000000000000001
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000

key:
00000000000000000000000000000000

resulting cipher
 58e2fccefa7e3061367f1d57a4e7455a

Test case 2 computations: (After counter increment )_

Y1 00000000000000000000000000000002
Key 00000000000000000000000000000000
Output k,y1 :0388dace60b6a392f328c2b971b2fe78

GF128 MUL H:-

H : 66e94bd4ef8a2c3b884cfa59ca342b2e
K,Y1 : 0388dace60b6a392f328c2b971b2fe78
OUTPUT X1: 5e2ec746917062882c85b0685353deb7
XOR operation FOR len(A)||len and MUL H:

len(A)||len(C) : 00000000000000000000000000000080
MUL H :5e2ec746917062882c85b0685353deb7
Output :5e2ec746917062882c85b0685353de37

GF 128 (GHASH H,A,C):

H : 66e94bd4ef8a2c3b884cfa59ca342b2e
KEY : 5e2ec746917062882c85b0685353de37
OUTPUT : f38cbb1ad69223dcc3457ae5b6b0f885

Auth Tag:
GHASH : f38cbb1ad69223dcc3457ae5b6b0f885
E(K, Y0) : 58e2fccefa7e3061367f1d57a4e7455a
T : ab6e47d42cec13bdf53a67b21257bddf

TEST CASE 3 COMPUTATIONS

KEY :feffe9928665731c6d6a8f9467308308
IV :cafebabefacedbaddecaf888
PLAIN TEXT :000000000000000000000000000000
OUTPUT H :b83b533708bf535d0aa6e52980d53b78

INCREMENT COUNTER 1 :
IV :cafebabefacedbaddecaf888000000001
KEY :feffe9928665731c6d6a8f9467308308
OUTPUT K,Y0 :3247184b3c4f69a44dbcd22887bbb418
COUNTER Y1:
KEY :feffe9928665731c6d6a8f9467308308
Y1 :cafebabefacedbaddecaf88800000002
OUTPUT K,Y1 :9bb22ce7d9f372c1ee2b28722b25f206

COUNTER Y2:
KEY :feffe9928665731c6d6a8f9467308308
Y2 :cafebabefacedbaddecaf88800000003
OUTPUT K,Y2 :650d887c3936533a1b8d4e1ea39d2b5c
COUNTER Y3:
KEY :feffe9928665731c6d6a8f9467308308
Y3 :cafebabefacedbaddecaf88800000004
OUTPUT K,Y3 :3de91827c10e9a4f5240647ee5221f20

COUNTER Y4:
KEY :feffe9928665731c6d6a8f9467308308
Y4 :cafebabefacedbaddecaf88800000005
OUTPUT K,Y4 :aac9e6ccc0074ac0873b9ba85d908bd0
ASSUMING
GF128 MULH X1:
H :b83b533708bf535d0aa6e52980d53b78
K,Y1 :9bb22ce7d9f372c1ee2b28722b25f206
X1 :59ed3f2bb1a0aaa07c9f56c6a504647b
GF128 MULH X2:
H :b83b533708bf535d0aa6e52980d53b78
K,Y2 :650d887c3936533a1b8d4e1ea39d2b5c
X2 :b714c9048389afd9f9bc5c1d4378e052
GF128 MULH X3
H :b83b533708bf535d0aa6e52980d53b78
K,Y3 :3de91827c10e9a4f5240647ee5221f20
X3 :47400c6577b1ee8d8f40b2721e86ff10
GF128 MULH X4
H :b83b533708bf535d0aa6e52980d53b78
K,Y4 :aac9e6ccc0074ac0873b9ba85d908bd0
X4 :4796cf49464704b5dd91f159bb1b7f95

XOR OPERATION FOR len(A)||len(C) AND MUL H X4

len(A)||len 00000000000000000000000000000200
X4 :4796cf49464704b5dd91f159bb1b7f95
OUTPUT :4796cf49464704b5dd91f159bb1b7d95
GHASH(H, A, C) OUTPUT:GF 128 H AND OUTPUT OF XOR

H :b83b533708bf535d0aa6e52980d53b78
XOR OUTPUT :4796cf49464704b5dd91f159bb1b7d95
OUTPUT GHASH :7f1b32b81b820d02614f8895ac1d4eac

XOR OPERATION FOR 1ST CYCLE AES OUTPUT AND PLAIN TEXT 16 BYTES

PLAIN TEXT :d9313225f88406e5a55909c5aff5269a

AES OUTPUT K,Y1 :9bb22ce7d9f372c1ee2b28722b25f206
XOR OUTPUT(CIPHER TEXT) :42831ec2217774244b7221b784d0d49c
XOR OPERATION FOR 2ND CYCLE AES OUTPUT AND PLAIN TEXT 16 BYTES

PLAIN TEXT :86a7a9531534f7da2e4c303d8a318a72

AES OUTPUT K,Y2 :650d887c3936533a1b8d4e1ea39d2b5c
XOR OUTPUT(CIPHER TEXT) :e3aa212f2c02a4e035c17e2329aca12e

XOR OPERATION FOR 3RD CYCLE AES OUTPUT AND PLAIN TEXT 16 BYTES

PLAIN TEXT :1c3c0c95956809532fcf0e2449a6b525

AES OUTPUT K,Y3 :3de91827c10e9a4f5240647ee5221f20
XOR OUTPUT(CIPHER TEXT) :21d514b25466931c7d8f6a5aac84aa05
XOR OPERATION FOR 4TH CYCLE AES OUTPUT AND PLAIN TEXT 16 BYTES

PLAIN TEXT :b16aedf5aa0de657ba637b391aafd255

AES OUTPUT K,Y4 :aac9e6ccc0074ac0873b9ba85d908bd0
XOR OUTPUT(CIPHER TEXT) :1ba30b396a0aac973d58e091473f5985

AUTHENICATION TAG:

K,Y0 :3247184b3c4f69a44dbcd22887bbb418
MUL H :7f1b32b81b820d02614f8895ac1d4eac
AUTHENICATION TAG :4d5c2af327cd64a62cf35abd2ba6fab4
References:-
1. Lemsitzer, Wolkerstorfer, Felber, Braendli, Multi-gigabit GCM-AES
Architecture Optimized for FPGAs. CHES '07:
2. McGrew, David A.; Viega, John (2005). "The Galois/Counter Mode of Operation
(GCM)" (PDF).
3. Ferguson, N., Authentication Weaknesses in GCM, Natl. Inst. Stand. Technol.
[Web page],
http://www.csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/
CWC-GCM/Ferguson2.pdf, May 20, 2005.
4. Web url : (http://www.gnu.org/software/make/manual/make.html)