Presentation is loading. Please wait.

Presentation is loading. Please wait.

Should NIST Develop an Additional Version of GCM? July 26, 2007 Morris Dworkin, Mathematician Security Technology Group

Published byStuart Casey Modified over 8 years ago

Similar presentations

Presentation on theme: "Should NIST Develop an Additional Version of GCM? July 26, 2007 Morris Dworkin, Mathematician Security Technology Group"— Presentation transcript:

1 Should NIST Develop an Additional Version of GCM? July 26, 2007 Morris Dworkin, Mathematician Security Technology Group dworkin@nist.gov

2 Some of the Submissions to NIST for Authenticated Encryption Patented, One-Pass, Parallelizable Modes —XECB, etc.Gligor, Donescu —IAPMJutla —OCBRogaway Other Parallelizable Modes, One-Pass + Universal Hash —GCMMcGrew, Viega —CWCKohno, Viega, Whiting Two-Pass Modes —CCMHousley, Whiting, Ferguson —EAXBellare, Rogaway, Wagner

3 Galois/Counter Mode (GCM) Designed, analyzed, submitted by McGrew & Viega Authenticated encryption with associated data (AEAD) —Counter mode encryption using approved block cipher —Authentication using universal hash function in Galois field —Requires 96-bit initialization vectors (IVs) that do not repeat for the life of the key Performance —High-speed (10Gbit/sec) hardware implementation —Good in software, given table lookups

4 GCM Authenticated Encryption P C A GHASH H 0v0v 0u0u [len(A)] 64 [len(C)] 64 IV inc CIPH K T GCTR K MSB t H J0J0 0 128

5 GCM Authenticated Decryption P CA GHASH H 0v0v 0u0u [len(A)] 64 [len(C)] 64 IV inc CIPH K GCTR K MSB t 0 128 H J0J0 T T if  FAIL

6 GCM GCTR Function

7 GHASH Function (NIST version, w/o length encodings) In effect, the GHASH function calculates X 1  H m  X 2  H m-1 ...  X m-1  H 2  X m  H.

8 Summary of the Development of NIST Special Publication 800-38D Announcement of selection of GCM over CWC (2005) First draft SP 800-38D (spring of 2006) —Restricts range of tag lengths to 12-16 bytes Joux’s public comment (June, 2006) —Practical attack if initialization vector (IV) is repeated for a key —Suggests design modifications Second draft SP 800-38D (July, 2007) —Elaborates on IV requirements —Removes support for variable-length IVs

9 Joux’s Attack on Repeating IVs Assumes IVs are repeated for distinct encryption inputs —Violation of GCM requirements (implementation error) —Adversary needs only a couple of pairs of IV-sharing ciphertexts Adversary can probably derive authentication subkey If so, authentication assurance is essentially lost —Valid tags can be found for arbitrary ciphertext, reusing old IV —Counter mode “malleability” can be exploited Given one known plaintext-ciphertext pair, and reusing its IV, adversary can choose any bits to “flip” Confidentiality apparently not affected

10 Elaboration on IV Requirements in Second Draft NIST SP 800-38D Two IV constructions —Deterministic assurance of uniqueness —Random bit generator, up to threshold of 2 -32 over life of key Implementation considerations for designer and implementer —E.g., recovery from power loss For validation against FIPS 140-2 —IV generation must be within cryptographic boundary of module —IV is a critical security parameter until invoked (for encryption) —Documentation requirements

11 Develop a “Misuse Resistant” Variant? Joux suggests modifications NIST would like feedback on whether to develop a variant of GCM that resists Joux’s attack Pros —Allow relaxation of IV validation —Increase general purpose usability Cons —Reduce performance, especially in hardware —Algorithm proliferation NIST intends to finalize the original spec independently

12 P C A GHASH 0v0v 0u0u [len(A)] 64 [len(C)] 64 IV inc T GCTR MSB t J0J0 Joux’s Suggested Modifications to GCM Authenticated Encryption GCTR CIPH K H 0 128 Strong KDF K K1K1K2K2K3K3K4K4 K3K3 K2K2K1K1 K4K4 CIPH

13 Hardware Performance (bits/cycle) Assuming Single AES Pipeline Bytes1620404464128 GCM64.071.191.493.9102114 CWC10.713.123.725.634.153.9 OCB5.827.1913.614.820.535.3 Bytes256552576102415008192IPI GCM120124 12612712877.7 CWC75.997.098.010911512535.3 OCB55.479.680.896.410512322.8

14 Internet Performance Index (IPI) Table taken from “The Security and Performance of the Galois/Counter Mode (GCM) of Operation (Full Version)” Packet distribution f(s)=the expected fraction of bytes that are carried in packets of size s. Using data from paper of Claffy, Miller Thompson (1998): f(1500)=0.6, f(576)=0.2, f(552)=0.15, f(44)=0.05 IPI=the expected number of bits processed per clock cycle for this packet distribution. “Useful indicator of the performance of a crypto module that protects IP traffic using e.g. ESP in tunnel mode…”

15 GCM in Hardware: No Stalls in the AES Pipeline …P4P3P2P1T TP2P1 R1R2R3R4R5R6R7R8R9R10 The grey message has three counter blocks to encrypt: two for its plaintext blocks, and one for the output of the GHASH function. The counter blocks for the one-block yellow message and the multi-block blue message follow directly in the pipeline.

16 Software Performance Comparison (Mbps on 1 GHz processor) Bytes GCM 64K GCM 4K GCM 256 OCBCWCEAXCCM CBC- HMAC 1613611688.489.545.746.091.36.3 12826321316222510412917139.0 57627323318426512616016897.0 1024266239181273131165174117 8192258240182282135174175156 IPI26824018226012115616888.6

17 Comments ?

Download ppt "Should NIST Develop an Additional Version of GCM? July 26, 2007 Morris Dworkin, Mathematician Security Technology Group"

Similar presentations

2 © 2004, Cisco Systems, Inc. All rights reserved. Scalable, Efficient Cryptography for Multiple Security Services David A. McGrew Cisco Systems, Inc.

2 © 2004, Cisco Systems, Inc. All rights reserved. Scalable, Efficient Cryptography for Multiple Security Services David A. McGrew Cisco Systems, Inc.
Block Cipher Modes of Operation and Stream Ciphers

Block Cipher Modes of Operation and Stream Ciphers
Cryptography and Network Security Chapter 12

Cryptography and Network Security Chapter 12
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.

Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
1`` ```` ```` ```` ```` ```` ```` ```` ```` ```` `` AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University.

1`` ```` ```` ```` ```` ```` ```` ```` ```` ```` `` AEGIS A Fast Authenticated Encryption Algorithm Hongjun Wu Bart Preneel Nanyang Technological University.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Submission doc.: IEEE 11-12/1253r1 November 2012 Dan Harkins, Aruba NetworksSlide 1 Why Use SIV for 11ai? Date: 2012-10-30 Authors:

Submission doc.: IEEE 11-12/1253r1 November 2012 Dan Harkins, Aruba NetworksSlide 1 Why Use SIV for 11ai? Date: Authors:
Cryptography and Network Security Chapter 6. Chapter 6 – Block Cipher Operation Many savages at the present day regard their names as vital parts of themselves,

Cryptography and Network Security Chapter 6. Chapter 6 – Block Cipher Operation Many savages at the present day regard their names as vital parts of themselves,
Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.

Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.
Exploring timing based side channel attacks against 802.11i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction

Exploring timing based side channel attacks against i CCMP Suman Jana, Sneha K. Kasera University of Utah Introduction
1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.

1 The AES block cipher Niels Ferguson. 2 What is it? Block cipher: encrypts fixed-size blocks. Design by two Belgians. Chosen from 15 entries in a competition.
#1 EAX A two-pass authenticated encryption mode Mihir BellarePhillip RogawayDavid Wagner U.C. San Diego U.C. Davis and U.C. Berkeley Chiang Mai University.

#1 EAX A two-pass authenticated encryption mode Mihir BellarePhillip RogawayDavid Wagner U.C. San Diego U.C. Davis and U.C. Berkeley Chiang Mai University.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 5 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 5 Wenbing Zhao Department of Electrical and Computer Engineering.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.

Cryptography1 CPSC 3730 Cryptography Chapter 11, 12 Message Authentication and Hash Functions.
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Lecture 2: Message Authentication Anish Arora CSE5473 Introduction to Network Security.

Lecture 2: Message Authentication Anish Arora CSE5473 Introduction to Network Security.

Similar presentations

Ads by Google