Galois/Counter Mode (GCM)

The GCM mode uses an initialization vector (IV) in its processing. This mode is used for authenticated encryption with associated data. GCM provides confidentiality and authenticity for the encrypted data and authenticity for the additional authenticated data (AAD). The AAD is not encrypted. GCM mode requires that the IV is a nonce, that is, the IV must be unique for each execution of the mode under the given key. The steps for GCM encryption are:

  1. The hash subkey for the GHASH function is generated by applying the block cipher to the zero block.
  2. The pre-counter block (J0) is generated from the IV. In particular, when the length of the IV is 96 bits, the padding string 0^31 || 1 (31 zero bits followed by a single ‘1’ bit) is appended to the IV to form the pre-counter block. Otherwise, the IV is padded with the minimum number of ‘0’ bits, possibly none, so that the length of the resulting string is a multiple of 128 bits (the block size); this string in turn is appended with 64 additional zero bits, followed by the 64-bit representation of the length of the IV, and the GHASH function is applied to the resulting string to form the pre-counter block.
  3. The 32-bit incrementing function is applied to the pre-counter block to produce the initial counter block for an invocation of the GCTR function on the plaintext. The output of this invocation of the GCTR function is the ciphertext.
  4. The AAD and the ciphertext are each appended with the minimum number of ‘0’ bits, possibly none, so that the bit lengths of the resulting strings are multiples of the block size. The concatenation of these strings is appended with the 64-bit representations of the lengths of the AAD and the ciphertext to produce block u.
  5. The GHASH function is applied to block u to produce a single output block.
  6. This output block is encrypted using the GCTR function with the pre-counter block that was generated in step 2, and the result is truncated to the specified tag length to form the authentication tag.
  7. The ciphertext and the tag are returned as the output. The plaintext can be of any length. The ciphertext will have the same length as the plaintext.

For GCM decryption, the tag is an input parameter. CCA calculates a tag using the same process as encryption and compares that to the parameter passed by the caller. If they match, the decryption proceeds.