Should NIST Develop an Additional Version of GCM? - PowerPoint PPT Presentation

Slides: 18
Provided by: morrisd4
Learn more at: https://www.ietf.org
Transcript and Presenter's Notes



1
Should NIST Develop an Additional Version of GCM?
  • July 26, 2007
  • Morris Dworkin, Mathematician
  • Security Technology Group, dworkin@nist.gov

2
Some of the Submissions to NIST for Authenticated Encryption
  • Patented, One-Pass, Parallelizable Modes
    • XECB, etc. (Gligor, Donescu)
    • IAPM (Jutla)
    • OCB (Rogaway)
  • Other Parallelizable Modes, One-Pass Universal Hash
    • GCM (McGrew, Viega)
    • CWC (Kohno, Viega, Whiting)
  • Two-Pass Modes
    • CCM (Housley, Whiting, Ferguson)
    • EAX (Bellare, Rogaway, Wagner)

3
Galois/Counter Mode (GCM)
  • Designed, analyzed, and submitted by McGrew and Viega
  • Authenticated encryption with associated data (AEAD)
  • Counter mode encryption using an approved block cipher
  • Authentication using a universal hash function over a Galois field
  • Requires 96-bit initialization vectors (IVs) that do not repeat for the life of the key
  • Performance
    • High-speed (10 Gbit/sec) hardware implementation
    • Good in software, given table lookups

4
GCM Authenticated Encryption
[Figure: GCM authenticated encryption data flow. Labels: P, IV, inc, J0, GCTR_K, C, A, 0^v, 0^u, [len(A)]_64, [len(C)]_64, 0^128, GHASH_H, CIPH_K, MSB_t, H, T]
5
GCM Authenticated Decryption
[Figure: GCM authenticated decryption data flow. Labels: P, IV, inc, J0, GCTR_K, C, A, 0^v, 0^u, [len(A)]_64, [len(C)]_64, 0^128, GHASH_H, CIPH_K, MSB_t, H; the recomputed tag T' is compared with the received T, and if they differ the result is FAIL]
6
GCM GCTR Function
7
GHASH Function (NIST version, w/o length encodings)
In effect, the GHASH function calculates $X_1 \cdot H^m \oplus X_2 \cdot H^{m-1} \oplus \cdots \oplus X_{m-1} \cdot H^2 \oplus X_m \cdot H$.
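As an added example (not from the slides), the GHASH iteration of SP 800-38D and the slide's expanded sum, both built on an implementation of the specification's block multiplication in GF(2^128); the known-answer values H, C and the expected GHASH output are quoted from test case 2 of the GCM specification (K = 0^128, one zero plaintext block, no AAD).

```python
# R = the reduction constant 11100001 || 0^120 of SP 800-38D, as a 128-bit integer.
R = 0xE1 << 120

def gf_mult(x: int, y: int) -> int:
    """Multiply two 128-bit blocks in GF(2^128) (SP 800-38D Algorithm 1).
    Blocks are ints whose most significant bit is the spec's leftmost bit x_0."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:                # x_i, counting from the leftmost bit
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1   # V = V >> 1, reduced by R if its LSB was set
    return z

def ghash(h: int, blocks: list) -> int:
    """GHASH_H as the spec iterates it: Y_i = (Y_{i-1} xor X_i) . H, with Y_0 = 0."""
    y = 0
    for x in blocks:
        y = gf_mult(y ^ x, h)
    return y

def ghash_expanded(h: int, blocks: list) -> int:
    """The same value as the slide's sum X_1.H^m xor X_2.H^(m-1) xor ... xor X_m.H."""
    m = len(blocks)
    powers = [h]                                 # powers[k] holds H^(k+1)
    for _ in range(m - 1):
        powers.append(gf_mult(powers[-1], h))
    acc = 0
    for i, x in enumerate(blocks):               # X_i (1-based) pairs with H^(m-i+1)
        acc ^= gf_mult(x, powers[m - i - 1])
    return acc

# Known-answer values from the GCM specification's test case 2.
H = 0x66e94bd4ef8a2c3b884cfa59ca342b2e          # H = CIPH_K(0^128)
C = 0x0388dace60b6a392f328c2b971b2fe78          # the single ciphertext block
LEN = (0 << 64) | 128                           # [len(A)]_64 || [len(C)]_64, in bits
EXPECTED = 0xf38cbb1ad69223dcc3457ae5b6b0f885  # GHASH_H(C || LEN)

def known_answer_ok() -> bool:
    """True if both formulations reproduce the specification's GHASH output."""
    return ghash(H, [C, LEN]) == EXPECTED == ghash_expanded(H, [C, LEN])
```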
8
Summary of the Development of NIST Special Publication 800-38D
  • Announcement of selection of GCM over CWC (2005)
  • First draft SP 800-38D (spring of 2006)
    • Restricts range of tag lengths to 12-16 bytes
  • Joux's public comment (June 2006)
    • Practical attack if an initialization vector (IV) is repeated for a key
    • Suggests design modifications
  • Second draft SP 800-38D (July 2007)
    • Elaborates on IV requirements
    • Removes support for variable-length IVs

9
Joux's Attack on Repeating IVs
  • Assumes IVs are repeated for distinct encryption inputs
    • Violation of GCM requirements (implementation error)
  • Adversary needs only a couple of pairs of IV-sharing ciphertexts
  • Adversary can probably derive the authentication subkey
    • If so, authentication assurance is essentially lost
      • Valid tags can be found for arbitrary ciphertext, reusing an old IV
  • Counter mode malleability can be exploited
    • Given one known plaintext-ciphertext pair, and reusing its IV, the adversary can choose any bits to flip
  • Confidentiality apparently not affected

10
Elaboration on IV Requirements in Second Draft NIST SP 800-38D
  • Two IV constructions
    • Deterministic: assurance of uniqueness
    • Random bit generator, up to a threshold of 2^-32 over the life of the key
  • Implementation considerations for designer and implementer
    • E.g., recovery from power loss
  • For validation against FIPS 140-2
    • IV generation must be within the cryptographic boundary of the module
    • IV is a critical security parameter until invoked (for encryption)
    • Documentation requirements
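The two IV constructions and the power-loss consideration above, as an added example that is not from the slides or from NIST: the 32/64-bit fixed-field/invocation-field split, the checkpointing `store` dict and the class names are assumptions; the 2^32 invocation cap for random 96-bit IVs is the one SP 800-38D specifies, and the birthday-bound helper shows where that cap sits relative to the 2^-32 threshold.

```python
import secrets
from math import isqrt

FIXED_BITS, COUNTER_BITS = 32, 64   # assumed split of the 96-bit IV: fixed field || invocation field
IV_BYTES = 12

class DeterministicIvGenerator:
    """Deterministic construction: fixed field || invocation counter.  The counter never
    wraps, and each block of counter values is checkpointed to `store` before any value
    in it is handed out, so a restart after power loss resumes above every IV that may
    have been used (checkpointing scheme and store interface are assumptions)."""
    def __init__(self, fixed_field: int, store: dict, reserve: int = 1 << 16):
        if not 0 <= fixed_field < 1 << FIXED_BITS:
            raise ValueError("fixed field does not fit in its field width")
        self.fixed, self.store, self.reserve = fixed_field, store, reserve
        self.counter = store.get("next_counter", 0)   # resume from the last checkpoint
        self.ceiling = self.counter

    def next_iv(self) -> bytes:
        if self.counter >= self.ceiling:              # reserved block used up: reserve another
            self.ceiling = min(self.counter + self.reserve, 1 << COUNTER_BITS)
            self.store["next_counter"] = self.ceiling  # persist before using any of the block
        if self.counter >= 1 << COUNTER_BITS:
            raise RuntimeError("invocation field exhausted: a new key is required")
        iv = (self.fixed << COUNTER_BITS) | self.counter
        self.counter += 1
        return iv.to_bytes(IV_BYTES, "big")

def max_random_iv_invocations(iv_bits: int = 96, threshold_log2: int = 32) -> int:
    """Largest n for which the birthday bound n(n-1)/2 / 2^iv_bits on an IV repeat
    stays at or below 2^-threshold_log2."""
    bound = 1 << (iv_bits - threshold_log2 + 1)       # condition: n(n-1) <= bound
    n = isqrt(bound)
    while n * (n - 1) > bound:
        n -= 1
    while (n + 1) * n <= bound:
        n += 1
    return n

class RandomIvGenerator:
    """RBG-based construction, capped at SP 800-38D's 2^32 invocations per key."""
    def __init__(self, limit: int = 1 << 32):
        self.limit, self.count = limit, 0

    def next_iv(self) -> bytes:
        if self.count >= self.limit:
            raise RuntimeError("random IV budget exhausted: a new key is required")
        self.count += 1
        return secrets.token_bytes(IV_BYTES)
```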

11
Develop a Misuse-Resistant Variant?
  • Joux suggests modifications
  • NIST would like feedback on whether to develop a variant of GCM that resists Joux's attack
  • Pros
    • Allow relaxation of IV validation
    • Increase general-purpose usability
  • Cons
    • Reduce performance, especially in hardware
    • Algorithm proliferation
  • NIST intends to finalize the original spec independently

12
Joux's Suggested Modifications to GCM Authenticated Encryption

13
Hardware Performance (bits/cycle), Assuming a Single AES Pipeline
Bytes  16    20    40    44    64    128   256   552   576   1024  1500  8192  IPI
GCM    64.0  71.1  91.4  93.9  102   114   120   124   124   126   127   128   77.7
CWC    10.7  13.1  23.7  25.6  34.1  53.9  75.9  97.0  98.0  109   115   125   35.3
OCB    5.82  7.19  13.6  14.8  20.5  35.3  55.4  79.6  80.8  96.4  105   123   22.8
14
Internet Performance Index (IPI)
  • Table taken from "The Security and Performance of the Galois/Counter Mode (GCM) of Operation (Full Version)"
  • Packet distribution: f(s) = the expected fraction of bytes that are carried in packets of size s.
  • Using data from the paper of Claffy, Miller, and Thompson (1998): f(1500) = 0.6, f(576) = 0.2, f(552) = 0.15, f(44) = 0.05
  • IPI = the expected number of bits processed per clock cycle for this packet distribution.
  • Useful indicator of the performance of a crypto module that protects IP traffic using, e.g., ESP in tunnel mode

15
GCM in Hardware: No Stalls in the AES Pipeline
The grey message has three counter blocks to encrypt: two for its plaintext blocks, and one for the output of the GHASH function. The counter blocks for the one-block yellow message and the multi-block blue message follow directly in the pipeline.
16
Software Performance Comparison (Mbps on a 1 GHz processor)
Bytes  GCM 64K  GCM 4K  GCM 256  OCB   CWC   EAX   CCM   CBC-HMAC
16     136      116     88.4     89.5  45.7  46.0  91.3  6.3
128    263      213     162      225   104   129   171   39.0
576    273      233     184      265   126   160   168   97.0
1024   266      239     181      273   131   165   174   117
8192   258      240     182      282   135   174   175   156
IPI    268      240     182      260   121   156   168   88.6
17
Comments?