The Security and Performance of the Galois/Counter Mode (GCM) of Operation

  • Conference paper
Progress in Cryptology - INDOCRYPT 2004 (INDOCRYPT 2004)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3348)

Abstract

The recently introduced Galois/Counter Mode (GCM) of operation for block ciphers provides both encryption and message authentication, using universal hashing based on multiplication in a binary finite field. We analyze its security and performance, and show that it is the most efficient mode of operation for high speed packet networks, by using a realistic model of a network crypto module and empirical data from studies of Internet traffic in conjunction with software experiments and hardware designs. GCM has several useful features: it can accept IVs of arbitrary length, can act as a stand-alone message authentication code (MAC), and can be used as an incremental MAC. We show that GCM is secure in the standard model of concrete security, even when these features are used. We also consider several of its important system-security aspects.
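The mechanism the abstract rests on, universal hashing by multiplication in the binary field GF(2^128), is the part of GCM a practitioner most often has to reason about, since the authentication tag, the handling of IVs that are not 96 bits long, and the incremental-MAC property all come from the same polynomial hash. The Python below is an added example and is not code from the paper or from the GCM specification: it implements the specification's bit-serial field multiplication, GHASH, the two IV-length paths behind "IVs of arbitrary length", and the linearity-based update behind "incremental MAC". The known-answer values are the specification's test case 2 (H, C and GHASH for the all-zero key and IV); the 64-byte ciphertext and replacement block used for the incremental check are constructed, and the function names (gf_mul, ghash, ghash_update, initial_counter) are this example's own.

```python
"""Added example (not from the paper): GF(2^128) multiplication and GHASH as
used by GCM, the two IV-length paths, and an incremental tag update.
Bit ordering follows the GCM specification; sample data is constructed."""

# Reduction polynomial x^128 + x^7 + x^2 + x + 1. In GCM's bit ordering the
# x^0 coefficient is the most significant bit of the first byte, so x^128
# reduces to the constant R = 11100001 || 0^120.
R = 0xE1 << 120
ONE = 1 << 127  # the field element 1 in GCM bit order


def gf_mul(x: int, y: int) -> int:
    """Multiply two GF(2^128) elements given as 128-bit ints in GCM bit order
    (the specification's bit-serial algorithm; not constant-time)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:  # x_i, counting from the leftmost bit
            z ^= v
        # v <- v * x (the polynomial x): shift right, reduce with R if needed
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _pad16(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 16)


def _pow_h(hk: int, e: int) -> int:
    """H^e by square-and-multiply."""
    result, base = ONE, hk
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def ghash(h: bytes, aad: bytes, ct: bytes) -> bytes:
    """GHASH_H(A, C): evaluate at H the polynomial whose coefficients are the
    padded AAD blocks, the padded ciphertext blocks and a final block holding
    the 64-bit bit lengths of A and C."""
    hk = int.from_bytes(h, "big")
    data = (_pad16(aad) + _pad16(ct)
            + (8 * len(aad)).to_bytes(8, "big") + (8 * len(ct)).to_bytes(8, "big"))
    y = 0
    for i in range(0, len(data), 16):
        y = gf_mul(y ^ int.from_bytes(data[i:i + 16], "big"), hk)
    return y.to_bytes(16, "big")


def initial_counter(h: bytes, iv: bytes) -> bytes:
    """J0, the pre-counter block. A 96-bit IV is used directly with a 32-bit
    counter of 1; any other IV length is first run through GHASH, which is
    what lets GCM accept IVs of arbitrary length."""
    if len(iv) == 12:
        return iv + b"\x00\x00\x00\x01"
    return ghash(h, b"", iv)


def ghash_update(h: bytes, old_hash: bytes, n_blocks: int, index: int,
                 old_block: bytes, new_block: bytes) -> bytes:
    """Incremental MAC: when full block `index` (0-based) of an n-block,
    AAD-free ciphertext is replaced, GHASH changes by (old XOR new) * H^(n+1-index)
    because GHASH is linear in its inputs. The GCM tag is E_K(J0) XOR GHASH,
    so the tag moves by exactly the same amount."""
    hk = int.from_bytes(h, "big")
    delta = int.from_bytes(old_block, "big") ^ int.from_bytes(new_block, "big")
    adj = gf_mul(delta, _pow_h(hk, n_blocks + 1 - index))
    return (int.from_bytes(old_hash, "big") ^ adj).to_bytes(16, "big")


# Published values from the GCM specification's test case 2 (all-zero key,
# one zero plaintext block, 96-bit zero IV): H = AES_K(0^128), C, GHASH(H, {}, C).
H_TC2 = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
C_TC2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
GHASH_TC2 = bytes.fromhex("f38cbb1ad69223dcc3457ae5b6b0f885")


def check_known_vector() -> bool:
    return ghash(H_TC2, b"", C_TC2) == GHASH_TC2


def check_incremental(h: bytes, ct: bytes, index: int, new_block: bytes) -> bool:
    """Compare the incremental update against a full recomputation."""
    n = len(ct) // 16
    new_ct = ct[:16 * index] + new_block + ct[16 * (index + 1):]
    updated = ghash_update(h, ghash(h, b"", ct), n, index,
                           ct[16 * index:16 * (index + 1)], new_block)
    return updated == ghash(h, b"", new_ct)


if __name__ == "__main__":
    print("known vector:", check_known_vector())
    sample_ct = bytes(range(64))  # constructed 4-block ciphertext
    print("incremental:", check_incremental(H_TC2, sample_ct, 1, b"\xaa" * 16))
```

Two points the code makes concrete: GHASH on its own is not a MAC, because H = E_K(0^128) must stay secret and GCM masks the GHASH output with E_K(J0) before it becomes the tag (the stand-alone MAC the abstract mentions is GCM run with an empty plaintext, so only the AAD is hashed); and the bit-serial loop is for clarity only, since real implementations use table-driven or carry-less-multiply routines that also avoid the data-dependent branches shown here.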



Copyright information

© 2004 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

McGrew, D.A., Viega, J. (2004). The Security and Performance of the Galois/Counter Mode (GCM) of Operation. In: Canteaut, A., Viswanathan, K. (eds) Progress in Cryptology - INDOCRYPT 2004. INDOCRYPT 2004. Lecture Notes in Computer Science, vol 3348. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30556-9_27

  • DOI: https://doi.org/10.1007/978-3-540-30556-9_27

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-24130-0

  • Online ISBN: 978-3-540-30556-9

  • eBook Packages: Computer Science (R0)
