Questions tagged [gcm]

The Galois Counter Mode, an authenticated encryption mode of operation for a block cipher.

The Galois Counter mode is an authenticated encryption mode of operation for a block cipher. It takes a block cipher as a primitive, and provides both privacy and integrity services for arbitrary messages.

See the Wikipedia page for more information.

306 questions
6 votes, 1 answer

Useful additional data to employ in GCM

Are there any requirements for the additional data to be used in the GCM block cipher mode? And is there any "classic" information worthwhile to use? Can, for example, a username or the name and surname of a person be suitable to encrypt a…
M-elman
3 votes, 1 answer

GCM Construction of table M0

I am reading the paper on GCM The Galois/Counter Mode of Operation (GCM) . I have some doubts about the implementation of table M0 and R. When I have to multiply by the variable P it is nothing more than a shift to the indexes. At the top of…
verzz
3 votes, 2 answers

GCM mode and the order of AAD and plaintext

In GCM mode of encryption, what are the limitations on the mixing of plaintext and AAD (additional authenticated data)? Must the AAD come before the plaintext? Or could it be after the plaintext instead? Could there be both a block of AAD before…
Craig McQueen
3 votes, 0 answers

How to break GCM that uses the same IV

I have an implementation that natively uses the same IV (12 bytes of 0) for all encryption. The key is always a 32 byte SHA-512 hash. I know via this post that I can deduce the bit-wise XOR of the two plaintexts. deduce the internal authentication…
B.Li
3 votes, 1 answer

How much does using the same $H$ for all messages weaken GCM?

How much is GCM weakened by using the same MAC key $H = E_K(0^*)$ for all messages that use the same key (which is what GCM actually does) instead of using $E_K(N||0_{32})$ (which is different for each message)?
Demi
3 votes, 2 answers

Can we solve the Hidden Number Problem in $GF(2^n)$?

Is it possible to solve the Hidden Number Problem in extension fields? In particular in $GF(2^n)$? Let's suppose an attacker knows some least/most significant bits of $r_i = a_i \times k$ in a given field $GF(2^n)$, for many uniformly distributed…
Ruggero
3 votes, 1 answer

Is there a strong cryptographic reason for GCM's 2^39 - 256 bit limit?

In reading through the original GCM specification (McGrew & Viega '05), the composition of the 128 bit Initialization Vector as a concatenation of a 96b nonce and a 32b unsigned wrapping counter seems arbitrary and forces the scrambling pattern to…
Jeff
3 votes, 1 answer

Can GCM be used in incremental mode?

I want to sync blobs over the network, and the most frequent change will be appending to a blob. To minimize the amount of data sent, I would prefer to encrypt the appended data, send it over the network, append it to the encrypted blob, and then decrypt the whole blob at…
evgeniuz
2 votes, 0 answers

Does the size of data to be encrypted influence the security of Gmac?

In this link: Has GMAC mode a future outside GCM?, the last comment, given by the user Demi, indicates that the larger the size of the text to be encrypted, the lower the security of GMAC. Why is this happening?
user75600
2 votes, 1 answer

Is it safe to generate GCM/GMAC intermediate tags?

I would like to use GCM/GMAC in the following manner: abcd|Tag0|efgh|Tag1|ijkl|Tag2| ... |wxyz|TagN. The nuance is that each tag I am going to generate is not from its last block but from all the previous plaintext or ciphertext preceding the last tag. Otherwise speaking, last…
2 votes, 1 answer

Does GCM need to incorporate the length of the associate data and the length of the ciphertext to be secure?

What is the reason for incorporating the lengths of the associated data and ciphertext into the calculation of the authentication tag in GCM? Is it for security?
Melab
1 vote, 1 answer

GCM Create M tables and R

I am trying to optimize GCM multiplication. This PDF explains GCM: The Galois/Counter Mode of Operation (GCM). The algorithms are in section 4.1. In algorithm 3, I have to multiply table M [128] with the element P that represents the polynomial…
fah81
1 vote, 0 answers

AES_GMAC implementation

I need to implement AES_GMAC encryption and decryption in the C/C++ programming language. For the implementation, I have referred to the following document: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf But it seems that…
Roy
0 votes, 1 answer

How can you determine how long the MAC for GCM must be?

I want to use AES-GCM to encrypt 7 Byte data chunks. A 16 Byte MAC seems like overkill to me and the library I'm using gives me the option to make the MAC smaller. Are there any criteria for choosing the length of the MAC or are fewer bytes always…
Minix