[Cryptographic Algorithm Seven] Analysis of GCM

  In my other blog [Cryptographic Algorithm 3] Block Cipher Working Mode (ECB \ CBC \ CFB \ OFB \ CTR \ XTS) I have introduced the symmetric algorithm (also known as "block cipher algorithm") in detail. various working modes. Among these working modes, CBC, CFB, and OFB can solve the defect that the same plaintext generates the same ciphertext in ECB mode, and CTR can provide multi-block parallel encryption on this basis, but none of them can provide ciphertext message integrity. sex check function, all have GCM mode.

1 Overview

  The full name of GCM is Galois/Counter Mode, where G refers to GMAC, and C refers to CTR mode. GCM can be considered as a kind of authentication mode, providing two functions of authentication and encryption. GCM模式的分组大小为128bit.
  Before analyzing the principle of GCM, you should first understand the GHASH function and GCTR function .

1.1 GHASH

  The GHASH function uses the "Galois Field Algorithm" to calculate the HASH value. The Galois field algorithm will not be described in detail here (those who are interested can learn by themselves).

  The execution steps of the GHASH function are as follows :
  (1) Divide the string x into 128bitblocks X ₁ , X ₂ , …, X _m ;
  (2) Set Y ₀ to 0 ¹²⁸ (that is, Y ₀ is 128bit 0), since Y XOR of ₀ and X ₁ does not change the value of X ₁ , so the following figure does not reflect the existence of Y ₀
;   (3) Y _i = (Y _i-1 ⊕ X _i ) • H (H is the sub-key of hash), The last Y _m is the hash value of this calculation.

1.3 GCTR

  The execution steps of the GCTR function are as follows :
  (1) If X is an empty string (empty string), return an empty string Y;
  (2) Calculate the value of n, n = (len(X) + 127) / 128;
  (3) X = X ₁ || X ₂ || … || X _n-1 || X _n * , where X ₁ , X ₂ , …, X _n-1 are all complete blocks, and X _n * may be incomplete block;
  (4) CB ₁ = ICB;
  (5) For i = 2 to n, calculate CB _i (the calculation formula is: CB _i = inc32(CB _i-1 ), that is, calculate the value of CB _i one by one ;
  (6 ) For let i = 1 to n-1, Y _i = X _i ⊕ CIPHK(CB _i ) , first of all for CB_i is encrypted, and then XORed with X _i to get Y _i ;
  (7) Y _n * = X _n * ⊕ MSB _{len(X n )} (CIPHK(CB _i )); when the result is calculated by CIPHK(CB _i ) After that, only the high-order (len(X _n )) data is taken, and then XOR operation with X _{n *.}
  (8) Y = Y ₁ || Y ₂ || ... || Y _n-1 || Y _n *;

2. GCM encryption

Note: When the GCTR operation is performed on the data P, the counter value starts from J1 (J0 is used in the GCTR operation of the last HASH value, as shown in the figure below)

3. GCM decryption

4. Summary

• The packet length of the symmetric encryption algorithm required for GCM operation must be 128bit(DES\3DES does not satisfy the addition, AES\SM4 meets the conditions);
• When encrypting, the additional data (A) and ciphertext (C) must be block-aligned before calculating the MAC;
• During GCM operation, the acquisition of J0 needs to be divided into different situations, one is len(IV)= 96bit, and the other is len(IV) ≠ 96bit