The GCM mode uses an initialization vector (IV) in its processing.
This mode is used for authenticated encryption with associated data.
GCM provides confidentiality and authenticity for the encrypted data
and authenticity for the additional authenticated data (AAD). The
AAD is not encrypted. GCM mode requires that the IV is a nonce, i.e.,
the IV must be unique for each execution of the mode under the given
key. If an IV is repeated under the same key, the keystream repeats and
the GHASH subkey can be recovered from the two tags, which breaks both
confidentiality and authenticity for that key. The steps for GCM encryption are:
- The hash subkey for the GHASH function is generated by applying
the block cipher to the “zero" block.
- The pre-counter block (J0)
is generated from the IV. In particular, when the length of the IV
is 96 bits, then the padding string 0^31 || 1 (31 ‘0' bits followed by
a single ‘1' bit) is appended to the IV to form the pre-counter block. Otherwise, the
IV is padded with the minimum number of ‘0' bits, possibly
none, so that the length of the resulting string is a multiple of
128 bits (the block size); this string in turn is appended with 64
additional ‘0' bits, followed by the 64-bit representation
of the length of the IV, and the GHASH function is applied to the
resulting string to form the pre-counter block.
- The 32-bit incrementing function is applied to the pre-counter
block to produce the initial counter block for an invocation of the
GCTR function on the plaintext. The output of this
invocation of the GCTR function is the ciphertext.
- The AAD and the ciphertext are each appended with the minimum
number of ‘0' bits, possibly none, so that the bit lengths
of the resulting strings are multiples of the block size. The concatenation
of these strings is appended with the 64-bit representations of the bit
lengths of the AAD and the ciphertext to produce the input string for
the GHASH function (this string is generally longer than one block).
- The GHASH function is applied to this string to produce a
single output block.
- This output block is encrypted using the GCTR function with the
pre-counter block that was generated in Step 2,
and the result is truncated to the specified tag
length to form the authentication tag.
- The ciphertext and the tag are returned as the output.
The
plaintext can be of any length. The ciphertext will have the same
length as the plaintext.
For GCM decryption, the tag is an input parameter. ICSF calculates
a tag using the same process as encryption, over the received ciphertext
and AAD, and compares that to the parameter passed by the caller. If they
match, the decryption proceeds; otherwise the decryption fails. Because
the tag is computed over the ciphertext, the check completes before any
plaintext is produced.