Talk:Galois/Counter Mode

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by KizzyCode (talk | contribs) at 00:02, 3 July 2018 (Security properties to an HMAC?). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Performance

The performance section should include the initialization cost. If the figure on this page is accurate, there would be one additional block cipher operation, and two more GF mults. Also, if the size of the IV is not 96 bits, you have to compute a GHASH.

The number will depend on the definition of the initialization and the architecture of the overall system. One more cipher operation might be necessary to calculate H. Dimawik 01:25, 31 August 2006 (UTC)[reply]

Block cipher?

Does GCM need a block cipher or will a stream cipher work as well? It doesn't seem to require invertibility of the underlying cipher to decrypt packets. Is this necessary for any of the security proofs? 198.205.32.94 13:32, 29 August 2006 (UTC)[reply]

Effectively, it is just using the cipher in CTR mode. I don't know offhand why you can't use a stream cipher. Though through things like SP800-38D [iirc] it's being specified in the context of using AES. 209.217.122.41 16:06, 24 January 2007 (UTC) Tom St Denis[reply]

Page move?

Should this page be moved to Galois/counter mode? Is this just another case of someone not knowing that you're not supposed to capitalize an initial letter merely because it's in an article title? Or A Case Of A Computer Science Person Not Knowing That It Is Sometimes Permissible To Start A Word With A Lower-Case Letter? Or is it really obligatory to use capitals in this phrase? Michael Hardy (talk) 19:03, 2 August 2008 (UTC)[reply]

It's called Galois/Counter Mode (GCM) in the specification. Looks like crypto modes are usually done with title caps. Bradhards (talk) 04:34, 11 April 2010 (UTC)[reply]
I have created the article with the current capitalization and simply copied it from the definition. CCM mode is capitalized differently, so feel free to move. Dimawik (talk) 04:56, 11 April 2010 (UTC)[reply]

Description

The algorithm should probably define u and v (per NIST 800-38D Algorithm 4 Step 4), but it is already feeling a bit too technical. Not sure of the best way to express this. Bradhards (talk) 04:34, 11 April 2010 (UTC)[reply]

Forging probability

The given probability of (n/2)^128 for a message of n*128 bits length can't be correct, as for a 256-bit message the probability would reach 1.0 and even exceed this value for lengths >256 bits. However, I can't appropriately describe the forging probability from the paper. Any clarification would be appreciated. --2001:4DD0:FF00:20:0:0:0:2 (talk) 14:38, 9 January 2014 (UTC)[reply]

String of zeros

where H is a string of 128 zeros

The input H to the GHASH function is described as a "string of 128 zeros". I suspect what is meant is "128 zero bits", right? Otherwise, I would interpret this as a sequence of 128 0x30 bytes (character "0") followed by one 0x00 byte to terminate the string. That just feels like a very odd choice.

—octo 06:46, 17 February 2014 (UTC) — Preceding unsigned comment added by Octotron (talk | contribs)

Unclear Opening Sentence

I've just read the opening sentence three times and I'm not sure what it's trying to mean, so I've tried to break down the sentence by transforming it a few times:

GCM throughput rates for state of the art, high speed communication channels can be achieved with reasonable hardware resources
(GCM throughput rates) for (state of the art, high speed communication channels) (can be achieved) with (reasonable hardware resources)
(reasonable hardware resources) (can achieve) (GCM throughput rates) for (communication).
(hardware) (can communicate at) (GCM throughput rates)

So, the rate at which GCM can read in and output encrypted data is the limiting factor for communication encrypted with GCM. ...Otherwise it wouldn't be a communication encrypted with GCM.

What's the point of that sentence, aside from adding filler? What's the author trying to say, and can we say it more clearly? -- 2620:72:0:41C:5007:55A:7C13:F2BA (talk) 19:25, 5 December 2014 (UTC)[reply]

I think it's trying to say that GCM can keep up with the speeds of current network hardware. But I agree that's a very vague way of saying it.
What distinguishes GCM from more classical authentication systems like HMAC is that it incurs much less overhead by piggybacking authentication on the same cipher as used for encryption; I guess that's the actual point. -- intgr [talk] 22:53, 5 December 2014 (UTC)[reply]

GHASH formula

The function len is not defined. I would guess that it yields a 64-bit value that is the length of the parameter. Is it the length in blocks, the length in bits, or something else? Is it big-endian?

The whole formulation looks really awkward. How about something along these lines:

Let S be zero_block || pad(A) || pad(C) || len64(A) || len64(C) -- a sequence of 128-bit blocks (first subscript 1)
Let X[i] =
      zero_block                for i = 0
      (X[i-1] xor S[i]) . H     for 1 <= i <= length(S)

zero_block, len64 and pad have the obvious meanings, but must be spelled out.

If it is really true that only X[i] is of interest, then this can be made even more clear.

GHASH(H, A, C) = f(pad(A) || pad(C) || len64(A) || len64(C))
  where f(empty) = zero_block
  and f(sequence || block) = (f(sequence) xor block) . H

DHR (talk) 22:30, 29 November 2015 (UTC)[reply]
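The recursive f(...) formulation above, worked out as an added example (not code from the article, the talk page or any GCM implementation): GHASH in Python with len64 and pad spelled out as GCM defines them (the length is in bits, as a 64-bit big-endian integer), X[0] being 128 zero bits, and the GF(2^128) multiplication in the specification's left-to-right bit order. The check values are GCM Test Case 2 from the McGrew/Viega specification (K = 0^128, so H = AES_K(0^128); no additional data; one ciphertext block).

```python
from typing import List

BLOCK = 16              # 128-bit block, in bytes
R = 0xE1 << 120         # GCM reduction constant: x^128 + x^7 + x^2 + x + 1 in GCM bit order


def gf_mul(x: int, y: int) -> int:
    """Multiply two blocks (big-endian ints) in GCM's GF(2^128).

    GCM numbers bits from the left: the leftmost bit is the coefficient of
    x^0, so the multiplicative identity is the block 0x80 || 0^120, not 1.
    Same steps as Algorithm 1 of the GCM specification."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:          # bit i of x, leftmost first
            z ^= v
        # v := v * x: "shift right" in GCM order, reduce if the top coefficient was set
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def pad(data: bytes) -> bytes:
    """Zero-pad on the right up to a whole number of 128-bit blocks."""
    return data + b"\x00" * (-len(data) % BLOCK)


def len64(data: bytes) -> bytes:
    """Length in bits as a 64-bit big-endian integer (as SP 800-38D defines it)."""
    return (8 * len(data)).to_bytes(8, "big")


def blocks(s: bytes) -> List[int]:
    return [int.from_bytes(s[i:i + BLOCK], "big") for i in range(0, len(s), BLOCK)]


def ghash(h: bytes, a: bytes, c: bytes) -> bytes:
    """GHASH_H(A, C) = f(pad(A) || pad(C) || len64(A) || len64(C)), where
    f(empty) = zero block (128 zero bits) and f(seq || block) = (f(seq) xor block) . H."""
    hk = int.from_bytes(h, "big")
    x = 0                                                   # X[0]: 128 zero bits
    for block in blocks(pad(a) + pad(c) + len64(a) + len64(c)):
        x = gf_mul(x ^ block, hk)
    return x.to_bytes(BLOCK, "big")


if __name__ == "__main__":
    # GCM specification Test Case 2: K = 0^128, so H = AES_K(0^128); no AAD; one ciphertext block
    H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
    C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
    print(ghash(H, b"", C).hex())   # f38cbb1ad69223dcc3457ae5b6b0f885
```

With both A and C empty the only block is len64(A) || len64(C) = 0^128, so the function returns the zero block, which is why Test Case 1's tag is just E_K(J0).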

Basic Operation

The Galois Mult function then combines the ciphertext with an authentication code [...]

The term "authentication code" is confusing. It does not appear in the diagram, and its use in the specification contradicts the sentence above.

The encrypted text then contains the IV, cipher text, and authentication code.

To my understanding that should rather be

The encrypted text then contains the IV, cipher text, and authentication tag.

Security properties to an HMAC?

"The Galois Mult function then combines the ciphertext with an authentication code in order to produce an authentication tag that can be used to verify the integrity of the data. The encrypted text then contains the IV, cipher text, and authentication code. It therefore has similar security properties to an HMAC."
I think this is wrong and highly misleading. Unlike GCM, an HMAC does not have the 64 GiB limit and, most importantly, it is not susceptible to nonce-reuse attacks. If nobody objects I will delete this sentence. KizzyCode (talk) 00:01, 3 July 2018 (UTC)[reply]