NIST Special Publication 800-38D
November 2007

Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC

Morris Dworkin

COMPUTER SECURITY

Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930

U.S. Department of Commerce
Carlos M. Gutierrez, Secretary

National Institute of Standards and Technology
James M. Turner, Acting Director

Reports on Information Security Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations.

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

National Institute of Standards and Technology Special Publication 800-38D
Natl. Inst. Stand. Technol. Spec. Publ. 800-38D, 37 pages (November 2007)
CODEN: NSPUE2

Acknowledgements

The author wishes to thank David McGrew, who co-invented GCM and submitted it to NIST, and also the author's colleagues who reviewed drafts of this document and contributed to its development, especially Elaine Barker, John Kelsey, Allen Roginsky, Donna Dodson, Tim Polk, and Bill Burr. The author also gratefully acknowledges the many comments from the public and private sectors to improve the quality and usefulness of this publication.

Abstract

This Recommendation specifies the Galois/Counter Mode (GCM), an algorithm for authenticated encryption with associated data, and its specialization, GMAC, for generating a message authentication code (MAC) on data that is not encrypted. GCM and GMAC are modes of operation for an underlying approved symmetric key block cipher.

KEY WORDS: authenticated encryption; authentication; block cipher; confidentiality; cryptography; encryption; information security; mode of operation.

Table of Contents

1 Purpose
2 Authority
3 Introduction
4 Definitions, Abbreviations, and Symbols
  4.1 Definitions and Abbreviations
  4.2 Symbols
    4.2.1 Variables
    4.2.2 Operations and Functions
5 Elements of GCM
  5.1 Block Cipher
  5.2 Two GCM Functions
    5.2.1 Authenticated Encryption Function
    5.2.2 Authenticated Decryption Function
  5.3 Primitives for Confidentiality and Authentication
6 Mathematical Components of GCM
  6.1 Examples of Basic Operations and Functions on Strings
  6.2 Incrementing Function
  6.3 Multiplication Operation on Blocks
  6.4 GHASH Function
  6.5 GCTR Function
7 GCM Specification
  7.1 Algorithm for the Authenticated Encryption Function
  7.2 Algorithm for the Authenticated Decryption Function
8 Uniqueness Requirement on IVs and Keys
  8.1 Key Establishment
  8.2 IV Constructions
    8.2.1 Deterministic Construction
    8.2.2 RBG-based Construction
  8.3 Constraints on the Number of Invocations
9 Practical Considerations for Validating Implementations
  9.1 Design Considerations
  9.2 Operational Considerations
10 Conformance
Appendix A: Importance of the Uniqueness Requirement on IVs
Appendix B: Authentication Assurance
Appendix C: Requirements and Guidelines for Using Short Tags
Appendix D: Protection Against Replay of Messages
Appendix E: Bibliography

List of Figures

Figure 1: GHASH_H(X_1 || X_2 || ... || X_m) = Y_m
Figure 2: GCTR_K(ICB, X_1 || X_2 || ... || X_n*) = Y_1 || Y_2 || ... || Y_n*
Figure 3: GCM-AE_K(IV, P, A) = (C, T)
Figure 4: GCM-AD_K(IV, C, A, T) = P or FAIL

List of Tables

Table 1: Constraints with 32-bit Tags
Table 2: Constraints with 64-bit Tags

1 Purpose

This publication is the fourth Part in a series of Recommendations regarding modes of operation of symmetric key block ciphers.

2 Authority

This document has been developed by the National Institute of Standards and Technology (NIST) in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347.

NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), Securing Agency Information Systems, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.

This Recommendation has been prepared for use by federal agencies. It may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright. (Attribution would be appreciated by NIST.)

Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official.

Conformance testing for implementations of the mode of operation that is specified in this Part of the Recommendation will be conducted within the framework of the Cryptographic Module Validation Program (CMVP), a joint effort of NIST and the Communications Security Establishment of the Government of Canada. An implementation of a mode of operation must adhere to the requirements in this Recommendation in order to be validated under the CMVP. The requirements of this Recommendation are indicated by the word "shall."

3 Introduction

This Recommendation specifies an algorithm called Galois/Counter Mode (GCM) for authenticated encryption with associated data. GCM is constructed from an approved symmetric key block cipher with a block size of 128 bits, such as the Advanced Encryption Standard (AES) algorithm that is specified in Federal Information Processing Standard (FIPS) Pub. 197 [2]. Thus, GCM is a mode of operation of the AES algorithm.

GCM provides assurance of the confidentiality of data using a variation of the Counter mode of operation for encryption. GCM provides assurance of the authenticity of the confidential data (up to about 64 gigabytes per invocation) using a universal hash function that is defined over a binary Galois (i.e., finite) field. GCM can also provide authentication assurance for additional data (of practically unlimited length per invocation) that is not encrypted.

If the GCM input is restricted to data that is not to be encrypted, the resulting specialization of GCM, called GMAC, is simply an authentication mode on the input data. In the rest of this document, statements about GCM also apply to GMAC.

GCM provides stronger authentication assurance than a (non-cryptographic) checksum or error detecting code; in particular, GCM can detect both 1) accidental modifications of the data and 2) intentional, unauthorized modifications.

The two functions of GCM are called authenticated encryption and authenticated decryption. Each of these functions is relatively efficient and parallelizable; consequently, high-throughput implementations are possible in both hardware and software. GCM has several other useful characteristics, including the following:

• The GCM functions are "online" in the sense that the lengths of the confidential data and the additional, non-confidential data are not required in advance; instead, the lengths can be calculated as the data arrives and is processed.

• The GCM functions require only the forward direction of the underlying block cipher (i.e., the inverse direction is not required).

• The authenticity of the protected data can be verified independently from the recovery of the confidential data from its encrypted form.

• If the unique initialization string is predictable, and the length of the confidential data is known, then the block cipher invocations within the GCM encryption mechanism can be pre-computed.

• If some or all of the additional, non-confidential data is fixed, then the corresponding elements of the GCM authentication mechanism can be pre-computed.
An important caution to the use of GCM is that a breach of the requirement in Sec. 8 for the uniqueness of the initialization strings may compromise the security assurance almost entirely, as detailed in Ref. [5] and summarized in Appendix A. Therefore, this mode of operation should not be deployed unless compliance with this uniqueness requirement is ensured. Some of the practical considerations are discussed further in Secs. 9.1 and 9.2.
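As an added example (it is not part of SP 800-38D, nor code from its authors), the following pure-Python program implements the two pieces of GCM's authentication mechanism that the Introduction alludes to, the block multiplication over the binary Galois field GF(2^128) and the GHASH function built on it (Secs. 6.3 and 6.4 of this document), and then shows concretely why the uniqueness requirement of Sec. 8 matters: an observer who sees two messages authenticated under the same key and the same IV recovers the hash subkey H and the tag mask with a few field operations and can thereafter forge tags for messages of its own choosing, without ever learning the block cipher key. AES is not in the Python standard library, so the two block-cipher outputs that GCM derives from the key (H = E_K(0^128) and the mask E_K(J0)) are replaced by random stand-in values in the demonstration; the constants KAT_H, KAT_C and KAT_GHASH are the widely reproduced GCM known-answer vector for the all-zero AES-128 key with a 96-bit zero IV and one all-zero plaintext block; all function and variable names are this example's own.

```python
import os

R = 0xE1 << 120    # reduction constant R = 11100001 || 0^120 of Sec. 6.3
ONE = 1 << 127     # the block 1 || 0^127: multiplicative identity in GCM's bit order
BLOCK = 16         # block size in bytes (128 bits)


def gf_mul(x: int, y: int) -> int:
    """Block multiplication X . Y of Sec. 6.3. Blocks are 128-bit big-endian
    integers; bit i of X (x_0 = leftmost) is tested most-significant-first."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf_inv(x: int) -> int:
    """x^(2^128 - 2) = 1/x in GF(2^128), square-and-multiply over gf_mul."""
    result, base, e = ONE, x, (1 << 128) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def gf_sqrt(x: int) -> int:
    """Squaring is a bijection in characteristic 2; x^(2^127) undoes it."""
    for _ in range(127):
        x = gf_mul(x, x)
    return x


def ghash(h: int, data: bytes) -> int:
    """GHASH_H(X_1 || ... || X_m): Y_0 = 0, Y_i = (Y_{i-1} xor X_i) . H; returns Y_m."""
    assert len(data) % BLOCK == 0, "GHASH input must be whole blocks"
    y = 0
    for i in range(0, len(data), BLOCK):
        y = gf_mul(y ^ int.from_bytes(data[i:i + BLOCK], "big"), h)
    return y


def pad16(s: bytes) -> bytes:
    return s + b"\x00" * (-len(s) % BLOCK)


def gcm_hash_input(aad: bytes, ct: bytes) -> bytes:
    """A || 0^v || C || 0^u || [len(A)]_64 || [len(C)]_64, lengths in bits."""
    return (pad16(aad) + pad16(ct)
            + (8 * len(aad)).to_bytes(8, "big") + (8 * len(ct)).to_bytes(8, "big"))


def tag(h: int, mask: int, aad: bytes, ct: bytes) -> int:
    """T = GHASH_H(A, C) xor E_K(J0). `mask` stands in for the block-cipher
    output E_K(J0), which this AES-free example cannot compute itself."""
    return ghash(h, gcm_hash_input(aad, ct)) ^ mask


# Published known-answer vector (all-zero AES-128 key, 96-bit zero IV, one
# all-zero plaintext block): H = AES_K(0^128) and the ciphertext block C are
# quoted; GHASH_H(C || [0]_64 || [128]_64) is what the code must reproduce.
KAT_H = 0x66e94bd4ef8a2c3b884cfa59ca342b2e
KAT_C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
KAT_GHASH = 0xf38cbb1ad69223dcc3457ae5b6b0f885


def known_answer_ok() -> bool:
    return ghash(KAT_H, gcm_hash_input(b"", KAT_C)) == KAT_GHASH


def recover_h_and_mask(c1: bytes, t1: int, c2: bytes, t2: int):
    """Attacker's view: two single-block ciphertexts (no AAD) tagged under the
    same key AND the same IV. GHASH of one block C is C.H^2 xor L.H; the length
    block L and the mask E_K(J0) are identical for both messages, so
    T1 xor T2 = (C1 xor C2).H^2. Divide out C1 xor C2, take the square root,
    and H falls out; GHASH with the recovered H then exposes the mask too."""
    assert len(c1) == len(c2) == BLOCK
    c_diff = int.from_bytes(c1, "big") ^ int.from_bytes(c2, "big")
    if c_diff == 0:
        raise ValueError("identical ciphertexts reveal nothing")
    h = gf_sqrt(gf_mul(t1 ^ t2, gf_inv(c_diff)))
    mask = t1 ^ ghash(h, gcm_hash_input(b"", c1))
    return h, mask


def demo_iv_reuse() -> bool:
    """Constructed scenario: the sender's H and E_K(J0) are random stand-ins
    (not real AES output), and two messages go out under one IV."""
    h_true = int.from_bytes(os.urandom(BLOCK), "big")
    mask_true = int.from_bytes(os.urandom(BLOCK), "big")
    c1, c2 = os.urandom(BLOCK), os.urandom(BLOCK)
    t1, t2 = tag(h_true, mask_true, b"", c1), tag(h_true, mask_true, b"", c2)
    # The attacker sees only (c1, t1) and (c2, t2), then forges a valid tag for
    # a ciphertext of a different length with AAD of its own choosing.
    h, mask = recover_h_and_mask(c1, t1, c2, t2)
    forged_ct = b"ciphertext the attacker chose, 2 blocks"
    forged_tag = tag(h, mask, b"header", forged_ct)
    return h == h_true and forged_tag == tag(h_true, mask_true, b"header", forged_ct)


if __name__ == "__main__":
    print("known-answer test passed:", known_answer_ok())
    print("IV reuse forgery succeeded:", demo_iv_reuse())
```

Running the file prints True twice. The equal-length, single-block case coded here is the simplest instance of the failure; it already shows that the cost to the attacker is a handful of field operations and that nothing about the block cipher key needs to be known, which is why Sec. 8 makes IV uniqueness a hard requirement rather than advice. The document cites Ref. [5] and Appendix A for the general treatment.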
The designers of GCM are McGrew and Viega. They submitted GCM to NIST in Ref. [6], and they discuss in detail its security and performance in Ref. [7].
4 Definitions, Abbreviations, and Symbols

4.1 Definitions and Abbreviations

AAD
    Additional Authenticated Data.

Additional Authenticated Data
    The input data to the authenticated encryption function that is authenticated but not encrypted.

AES
    Advanced Encryption Standard.

Approved
    FIPS approved or NIST recommended: an algorithm or technique that is either 1) specified in a FIPS or a NIST Recommendation, or 2) adopted in a FIPS or a NIST Recommendation.

Authenticated Decryption
    The function of GCM in which the ciphertext is decrypted into the plaintext, and the authenticity of the ciphertext and the AAD is verified.

Authenticated Encryption
    The function of GCM in which the plaintext is encrypted into the ciphertext, and an authentication tag is generated on the AAD and the ciphertext.

Authentication Tag (Tag)
    A cryptographic checksum on data that is designed to reveal both accidental errors and the intentional modification of the data.

Authenticity
    The property that data originated from its purported source.

Bit
    A binary digit: 0 or 1.

Bit String
    A finite, ordered sequence of bits.

Block
    For a given block cipher, a bit string whose length is the block size of the block cipher.

Block Cipher
    A parameterized family of permutations on bit strings of a fixed length; the parameter that determines the permutation is a bit string called the key.

Block Size
    For a given block cipher and key, the fixed length of the input (or output) bit strings.

Byte
    A sequence of 8 bits.

Byte String
    A finite, ordered sequence of bytes.

Ciphertext
    The encrypted form of the plaintext.
Direct Random String
    In the RBG-based construction of IVs, an output string of an RBG that is used as the random field for an IV.

Exclusive-OR
    The bitwise addition, modulo 2, of two bit strings of equal length.

FIPS
    Federal Information Processing Standard.

Fixed Field
    In the deterministic construction of IVs, the field that identifies the device or context for the instance of the authenticated encryption function.

Forward Cipher Function
    A permutation on blocks that is determined by the choice of a key for a given block cipher.

Free Field
    In the RBG-based construction of IVs, the field whose contents are not restricted.

Fresh
    For a newly generated key, the property of being unequal to any previously used key.

GCM
    Galois/Counter Mode.

ICB
    Initial Counter Block.

Initialization Vector
    A nonce that is associated with an invocation of authenticated encryption on a particular plaintext and AAD.

Inverse Cipher Function
    The function that is the inverse of the forward cipher function for a given key.

Invocation Field
    In the deterministic construction of IVs, the field that identifies the sets of inputs to the authenticated encryption function in a particular device or context.

IT
    Information Technology.

IV
    Initialization Vector.

Key
    The parameter of the block cipher that determines the selection of the forward cipher function from the family of permutations.

Least Significant Bit(s)
    The right-most bit(s) of a bit string.

Mode of Operation (Mode)
    An algorithm for the cryptographic transformation of data that is based on a block cipher.

Page 13 Seite 13
NIST Special Publication 800-38D NIST Special Publica 800-38D
Most Significant Bit(s) Höchstwertige Bit (s)
The left-most bit(s) of a bit string. Das Bit ganz links (s) einer Bit-Kette.
NIST NIST
National Institute of Standards and Technology. National Institute of Standards and Technology.
Nonce Nonce
A value that is used only once within a specified context. Ein Wert, der nur einmal innerhalb eines bestimmten Kontext verwendet wird.
Permutation Permutation
An invertible function. Eine umkehrbare Funktion.
Plaintext Klartext
The input data to the authenticated encryption function that is both Die Eingangsdaten des authentifizierten Verschlüsselungsfunktion ist, die sowohl
authenticated and encrypted. authentifiziert und verschlüsselt.
Random Field Zufallsfeld
In the RBG-based construction of IVs, either a direct random string In der RBG-basierte Konstruktion von IVs, entweder eine direkte zufällige Zeichenfolge
or one of its successors. oder einer seiner Nachfolger.
RBG RBG
Random Bit Generator Zufallsbitgenerator
Successor Nachfolger
In the RBG-based construction of IVs, the result of one or more Im RBG-Konstruktion auf der Basis von IVs, das Ergebnis von einem oder mehreren
applications of the appropriate incrementing function to a direct Anwendungen der entsprechenden Inkrementieren Funktion einer direkten
random string. zufällige Zeichenfolge.
XOR XOR
Exclusive-OR. Exklusiv-Oder.
4.2 Symbols
4.2.1 Variables
A
The additional authenticated data.
C
The ciphertext.
H
The hash subkey.
ICB
The initial counter block.
IV
The initialization vector.
K
The block cipher key.
P
The plaintext.
R
The constant within the algorithm for the block multiplication operation.
T
The authentication tag.
t
The bit length of the authentication tag.
4.2.2 Operations and Functions
0^s
The bit string that consists of s '0' bits.
CIPH_K(X)
The output of the forward cipher function of the block cipher under the key K applied to the block X.
GCTR_K(ICB, X)
The output of the GCTR function for a given block cipher with key K applied to the bit string X with an initial counter block ICB.
GHASH_H(X)
The output of the GHASH function under the hash subkey H applied to the bit string X.
inc_s(X)
The output of incrementing the right-most s bits of the bit string X, regarded as the binary representation of an integer, by 1 modulo 2^s.
int(X)
The integer for which the bit string X is a binary representation.
len(X)
The bit length of the bit string X.
LSB_s(X)
The bit string consisting of the s right-most bits of the bit string X.
MSB_s(X)
The bit string consisting of the s left-most bits of the bit string X.
⎡x⎤
The least integer that is not less than the real number x.
[x]_s
The binary representation of the non-negative integer x as a string of s bits, where x < 2^s.
X >> 1
The bit string that results from discarding the right-most bit of the bit string X and prepending a '0' bit on the left.
X || Y
The concatenation of two bit strings X and Y.
X ⊕ Y
The bitwise exclusive-OR of two bit strings X and Y of the same length.
X • Y
The product of two blocks, X and Y, regarded as elements of a certain binary Galois field.
X^i
For a positive integer i, the i-th power of X under the product '•'.
x · y
The product of two integers, x and y.
5 Elements of GCM
The elements of GCM and the associated notation and requirements are introduced in the three sections below. The underlying block cipher and key are discussed in Sec. 5.1. The data elements of the authenticated encryption and authenticated decryption functions of GCM are discussed in Sec. 5.2. The cryptographic primitives for confidentiality and authentication within these two functions are discussed in Sec. 5.3.
5.1 Block Cipher
The operations of GCM depend on the choice of an underlying symmetric key block cipher and thus can be considered a mode of operation (mode, for short) of the block cipher. The GCM key is the block cipher key (the key, for short).
For any given key, the underlying block cipher of the mode consists of two functions that are inverses of each other. The choice of the block cipher includes the designation of one of the two functions of the block cipher as the forward cipher function, as in the specification of the AES algorithm in Ref. [2]. GCM does not employ the inverse cipher function.
The forward cipher function is a permutation on bit strings of a fixed length; the strings are called blocks. The length of a block is called the block size. The key is denoted K, and the resulting forward cipher function of the block cipher is denoted CIPH_K.
The underlying block cipher shall be approved, the block size shall be 128 bits, and the key size shall be at least 128 bits. The key shall be generated uniformly at random, or close to uniformly at random, i.e., so that each possible key is (nearly) equally likely to be generated. Consequently, the key will be fresh, i.e., unequal to any previous key, with high probability. The key shall be secret and shall be used exclusively for GCM with the chosen block cipher. Additional requirements on the establishment and management of keys are discussed in Sec. 8.1.
5.2 Two GCM Functions
The two functions that comprise GCM are called authenticated encryption and authenticated decryption. The authenticated encryption function encrypts the confidential data and computes an authentication tag on both the confidential data and any additional, non-confidential data. The authenticated decryption function decrypts the confidential data, contingent on the verification of the tag.
An implementation may restrict the input to the non-confidential data, i.e., without any confidential data. The resulting variant of GCM is called GMAC. For GMAC, the authenticated encryption and decryption functions become the functions for generating and verifying an authentication tag on the non-confidential data.
The requirements and notation for the input and output data of these functions are discussed in Secs. 5.2.1 and 5.2.2. Algorithms for computing these functions are given in Sec. 7.
5.2.1 Authenticated Encryption Function
5.2.1.1 Input Data
Given the selection of an approved block cipher and key, there are three input strings to the authenticated encryption function:
• a plaintext, denoted P;
• additional authenticated data (AAD), denoted A; and
• an initialization vector (IV), denoted IV.
The plaintext and the AAD are the two categories of data that GCM protects. GCM protects the authenticity of the plaintext and the AAD; GCM also protects the confidentiality of the plaintext, while the AAD is left in the clear. For example, within a network protocol, the AAD might include addresses, ports, sequence numbers, protocol version numbers, and other fields that indicate how the plaintext should be treated.
The IV is essentially a nonce, i.e., a value that is unique within the specified context, which determines an invocation of the authenticated encryption function on the input data to be protected. The uniqueness requirement on the IVs (and keys) is stated precisely in Sec. 8, and two frameworks for constructing IVs are given in Sec. 8.2. Practical considerations in assuring the requirement are discussed in Secs. 9.1 and 9.2. The critical importance of the uniqueness of the IVs is detailed in Ref. [5] and summarized in Appendix A.
The bit lengths of the input strings to the authenticated encryption function shall meet the following requirements:
• len(P) ≤ 2^39 - 256;
• len(A) ≤ 2^64 - 1;
• 1 ≤ len(IV) ≤ 2^64 - 1.
Although GCM is defined on bit strings, the bit lengths of the plaintext, the AAD, and the IV shall all be multiples of 8, so that these values are byte strings.
An implementation may further restrict the bit lengths of these inputs, consistent with the above requirements; for example, an implementation may establish smaller maximum values. The bit lengths that an implementation allows are called the supported bit lengths. A single set of supported bit lengths for each of the three inputs should be established for the entire implementation, independent of the key.
For IVs, it is recommended that implementations restrict support to the length of 96 bits, to promote interoperability, efficiency, and simplicity of design.
5.2.1.2 Output Data
The following two bit strings comprise the output data of the authenticated encryption function:
• A ciphertext, denoted C, whose bit length is the same as that of the plaintext.
• An authentication tag, or tag, for short, denoted T.
The bit length of the tag, denoted t, is a security parameter, as discussed in Appendix B. In general, t may be any one of the following five values: 128, 120, 112, 104, or 96. For certain applications, t may be 64 or 32; guidance for the use of these two tag lengths, including requirements on the length of the input data and the lifetime of the key in these cases, is given in Appendix C.
An implementation shall not support values for t that are different from the seven choices in the preceding paragraph. An implementation may restrict its support to as few as one of these values. A single, fixed value for t from among the supported choices shall be associated with each key.
5.2.2 Authenticated Decryption Function
Given the selection of an approved block cipher, key, and an associated tag length, the inputs to the authenticated decryption function are values for IV, A, C, and T, as described in Sec. 5.2.1 above. The output is one of the following:
• the plaintext P that corresponds to the ciphertext C, or
• a special error code, denoted FAIL in this document.
The output P indicates that T is the correct authentication tag for IV, A, and C; otherwise, the output is FAIL. The authentication assurance that can be inferred in each case is discussed in Appendix B.
The values for len(C), len(A), and len(IV) that an implementation supports for the authenticated decryption function shall be the same as the values for len(P), len(A), and len(IV) that the implementation supports for the authenticated encryption function.
5.3 Primitives for Confidentiality and Authentication
The mechanism for the confidentiality of the plaintext within GCM is a variation of the Counter mode [10], with a particular incrementing function, denoted inc_32, for generating the necessary sequence of counter blocks. The first counter block for the plaintext encryption is generated by incrementing a block that is generated from the IV.
The authentication mechanism within GCM is based on a hash function, called GHASH,¹ that features multiplication by a fixed parameter, called the hash subkey, within a binary Galois field.
¹ The designers of GCM define GHASH somewhat differently, appending encodings of the lengths of its two arguments. In this Recommendation, these encodings are incorporated instead into the definitions of the authenticated encryption/decryption functions. The specifications of the authenticated encryption/decryption functions are ultimately equivalent, but the simplified version of GHASH in this Recommendation does not obtain all of the properties that are shown for the designers' definition of GHASH in Ref. [7].
The hash subkey, denoted H, is generated by applying the block cipher to the "zero" block. The resulting instance of this hash function, denoted GHASH_H, is used to compress an encoding of the AAD and the ciphertext into a single block, which is then encrypted to produce the authentication tag.
GHASH is a keyed hash function but not, on its own, a cryptographic hash function. This Recommendation only approves GHASH for use within the context of GCM.
The intermediate values in the execution of the GCM functions shall be secret. In particular, this requirement precludes a system in which GCM is implemented using the hash subkey publicly for some other purpose, for example, as an unpredictable value or as an integrity check value on the key.
6 Mathematical Components of GCM
This section presents the mathematical components that appear in the specifications of the authenticated encryption and authenticated decryption functions in Sec. 7 below. Examples of the basic operations and functions on bit strings are given in Sec. 6.1. The incrementing function is defined in Sec. 6.2. Algorithm 1 for "multiplying" blocks is defined in Sec. 6.3. Algorithm 2 for the GHASH function that is constructed from this multiplication is defined in Sec. 6.4. Algorithm 3 for the GCTR function is defined in Sec. 6.5.
The specifications of Algorithms 1-3 include the inputs, the outputs, the steps of the algorithm, diagrams, and summaries. Equivalent sets of steps that produce the correct output are permitted. The inputs that are typically fixed across many invocations of the function are called the prerequisites, although they may also be regarded as (varying) inputs.
6.1 Examples of Basic Operations and Functions on Strings
In this document, the '0' bit and the '1' bit are indicated in the new courier font to help distinguish them from the integers 0 and 1.
Given a real number x, the ceiling function, denoted ⎡x⎤, is the least integer that is not less than x. For example, ⎡2.1⎤ = 3, and ⎡4⎤ = 4.
Given a positive integer s, 0^s denotes the string that consists of s '0' bits. For example, 0^8 = 00000000.
The concatenation operation on bit strings is denoted ||; for example, 001 || 10111 = 00110111.
Given bit strings of equal length, the exclusive-OR (XOR) operation, denoted ⊕, specifies the addition, modulo 2, of the bits in each bit position, i.e., without carries. For example, 10011 ⊕ 10101 = 00110.
Given a bit string X, the bit length of X is denoted len(X). For example, len(00010) = 5.
Given a bit string X and a non-negative integer s such that len(X) ≥ s, the functions LSB_s(X) and MSB_s(X) return the s least significant (i.e., right-most) bits and the s most significant (i.e., left-most) bits, respectively, of X. For example, LSB_3(111011010) = 010, and MSB_4(111011010) = 1110.
Given a bit string X, the (single) right-shift function, denoted X >> 1, is MSB_{len(X)}(0 || X). For example, 0110111 >> 1 = 0011011.
Given a positive integer s and a non-negative integer x that is less than 2^s, the integer-to-string function, denoted [x]_s, is the binary representation of x as a string of bit length s with the least significant bit on the right. For example, for the (base 10) integer 39, the binary representation (base 2) is 100111, so [39]_8 = 00100111.
Given a (non-empty) bit string X, the string-to-integer function, denoted int(X), is the integer x such that [x]_{len(X)} = X. In other words, int(X) is the non-negative integer less than 2^{len(X)} whose binary representation is X. For example, int(00011010) = 26.
6.2 Incrementing Function
For a positive integer s and a bit string X such that len(X) ≥ s, let the s-bit incrementing function, denoted inc_s(X), be defined as follows:
inc_s(X) = MSB_{len(X)-s}(X) || [int(LSB_s(X)) + 1 mod 2^s]_s
In other words, the function increments the right-most s bits of the string, regarded as the binary representation of an integer, modulo 2^s; the remaining, left-most len(X)-s bits remain unchanged.
6.3 Multiplication Operation on Blocks
Let R be the bit string $11100001\ ||\ 0^{120}$. Given two blocks X and Y, Algorithm 1 below computes a "product" block, denoted $X \cdot Y$:
Algorithm 1: $X \cdot Y$
Input: blocks X, Y.
Output: block $X \cdot Y$.
Steps:
1. Let $x_0 x_1 \ldots x_{127}$ denote the sequence of bits in X.
2. Let $Z_0 = 0^{128}$ and $V_0 = Y$.
3. For i = 0 to 127, calculate blocks $Z_{i+1}$ and $V_{i+1}$ as follows:
$Z_{i+1} = Z_i$ if $x_i = 0$; $Z_{i+1} = Z_i \oplus V_i$ if $x_i = 1$.
$V_{i+1} = V_i \gg 1$ if $\mathrm{LSB}_1(V_i) = 0$; $V_{i+1} = (V_i \gg 1) \oplus R$ if $\mathrm{LSB}_1(V_i) = 1$.
4. Return $Z_{128}$.
The operation on (pairs of) the $2^{128}$ possible blocks corresponds to the multiplication operation for the binary Galois (finite) field of $2^{128}$ elements. The fixed block, R, determines a representation of this field as the modular multiplication of binary polynomials of degree less than 128. The convention for interpreting strings as polynomials is "little endian": i.e., if u is the variable of the polynomial, then the block $x_0 x_1 \ldots x_{127}$ corresponds to the polynomial $x_0 + x_1 u + x_2 u^2 + \ldots + x_{127} u^{127}$. The XOR operation is used to add coefficients of "like" terms during the multiplication. The reduction modulus is the polynomial of degree 128 that corresponds to R || 1. Ref. [6] discusses this field in detail.
For a positive integer i, the i-th power of a block X with this multiplication operation is denoted $X^i$. For example, $H^2 = H \cdot H$, $H^3 = H \cdot H \cdot H$, etc.
6.4 GHASH Function
Algorithm 2 below specifies the GHASH function:
Algorithm 2: $\mathrm{GHASH}_H(X)$
Prerequisites: block H, the hash subkey.
Input: bit string X such that len(X) = 128m for some positive integer m.
Output: block $\mathrm{GHASH}_H(X)$.
Steps:
1. Let $X_1, X_2, \ldots, X_{m-1}, X_m$ denote the unique sequence of blocks such that $X = X_1\ ||\ X_2\ ||\ \ldots\ ||\ X_{m-1}\ ||\ X_m$.
2. Let $Y_0$ be the "zero block," $0^{128}$.
3. For i = 1, ..., m, let $Y_i = (Y_{i-1} \oplus X_i) \cdot H$.
4. Return $Y_m$.
In effect, the GHASH function calculates $X_1 \cdot H^m \oplus X_2 \cdot H^{m-1} \oplus \ldots \oplus X_{m-1} \cdot H^2 \oplus X_m \cdot H$. Ref. [6] describes methods for optimizing implementations of GHASH in both hardware and software.
The GHASH function is illustrated in Figure 1 below, without the zero block, $Y_0$, whose exclusive-OR with $X_1$ does not change $X_1$.
Figure 1: $\mathrm{GHASH}_H(X_1\ ||\ X_2\ ||\ \ldots\ ||\ X_m) = Y_m$.
6.5 GCTR Function
Algorithm 3 below specifies the GCTR function. The suggested notation does not indicate the choice of the underlying block cipher.
Algorithm 3: $\mathrm{GCTR}_K(ICB, X)$
Prerequisites:
approved block cipher CIPH with a 128-bit block size;
key K.
Input:
initial counter block ICB;
bit string X, of arbitrary length.
Output:
bit string Y of bit length len(X).
Steps:
1. If X is the empty string, then return the empty string as Y.
2. Let $n = \lceil \mathrm{len}(X)/128 \rceil$.
3. Let $X_1, X_2, \ldots, X_{n-1}, X_n^*$ denote the unique sequence of bit strings such that $X = X_1\ ||\ X_2\ ||\ \ldots\ ||\ X_{n-1}\ ||\ X_n^*$; $X_1, X_2, \ldots, X_{n-1}$ are complete blocks.²
4. Let $CB_1 = ICB$.
5. For i = 2 to n, let $CB_i = \mathrm{inc}_{32}(CB_{i-1})$.
6. For i = 1 to n − 1, let $Y_i = X_i \oplus \mathrm{CIPH}_K(CB_i)$.
7. Let $Y_n^* = X_n^* \oplus \mathrm{MSB}_{\mathrm{len}(X_n^*)}(\mathrm{CIPH}_K(CB_n))$.
8. Let $Y = Y_1\ ||\ Y_2\ ||\ \ldots\ ||\ Y_{n-1}\ ||\ Y_n^*$.
9. Return Y.
² Consequently, $X_n^*$ is either a complete block or a nonempty partial block, and if 1 ≤ len(X) ≤ 128, then $X = X_1^*$.
In Steps 1 and 2, the input string of arbitrary length is partitioned into a sequence of blocks to the greatest extent possible, so that only the rightmost string in the sequence may be a "partial" block. In Steps 3 and 4, the 32-bit incrementing function is iterated on the initial counter block input to generate a sequence of counter blocks; the input block is the first block of the sequence. In Steps 5 and 6, the block cipher is applied to the counter blocks and the results are XORed with the corresponding blocks (or partial block) of the partition of the input string. In Step 7, the sequence of results is concatenated to form the output.
Figure 2 below illustrates the GCTR function.
Figure 2: $\mathrm{GCTR}_K(ICB, X_1\ ||\ X_2\ ||\ \ldots\ ||\ X_n^*) = Y_1\ ||\ Y_2\ ||\ \ldots\ ||\ Y_n^*$.
7 GCM Specification
Algorithms 4 and 5 for the authenticated encryption and authenticated decryption functions of
GCM are specified in Secs. 7.1 and 7.2 below. The specifications include the inputs, the outputs,
the steps of the algorithm, diagrams, and summaries. The suggested notation does not indicate
the choice of the underlying block cipher. The inputs that are typically fixed across many
invocations of the function are called the prerequisites; however, some of the prerequisites may
also be regarded as (varying) input. The prerequisites and the other inputs shall meet the
requirements in Sec. 5.
For both algorithms, equivalent sets of steps that produce the correct output are permitted. For
example, in Algorithm 5, the verification of the tag may precede the computation of the
plaintext.
7.1 Algorithm for the Authenticated Encryption Function
Algorithm 4 below specifies the authenticated encryption function:
Algorithm 4: $\text{GCM-AE}_K(IV, P, A)$
Prerequisites:
approved block cipher CIPH with a 128-bit block size;
key K;
definitions of supported input-output lengths;
supported tag length t associated with the key.
Input:
initialization vector IV (whose length is supported);
plaintext P (whose length is supported);
additional authenticated data A (whose length is supported).
Output:
ciphertext C;
authentication tag T.
Steps:
1. Let $H = \mathrm{CIPH}_K(0^{128})$.
2. Define a block, $J_0$, as follows:
If len(IV) = 96, then let $J_0 = IV\ ||\ 0^{31}\ ||\ 1$.
If len(IV) ≠ 96, then let $s = 128\lceil \mathrm{len}(IV)/128 \rceil - \mathrm{len}(IV)$, and let $J_0 = \mathrm{GHASH}_H(IV\ ||\ 0^{s+64}\ ||\ [\mathrm{len}(IV)]_{64})$.
3. Let $C = \mathrm{GCTR}_K(\mathrm{inc}_{32}(J_0), P)$.
4. Let $u = 128\lceil \mathrm{len}(C)/128 \rceil - \mathrm{len}(C)$ and let $v = 128\lceil \mathrm{len}(A)/128 \rceil - \mathrm{len}(A)$.
5. Define a block, S, as follows:
$S = \mathrm{GHASH}_H(A\ ||\ 0^v\ ||\ C\ ||\ 0^u\ ||\ [\mathrm{len}(A)]_{64}\ ||\ [\mathrm{len}(C)]_{64})$.
6. Let $T = \mathrm{MSB}_t(\mathrm{GCTR}_K(J_0, S))$.
7. Return (C, T).
In Step 1, the hash subkey for the GHASH function is generated by applying the block cipher to the "zero" block. In Step 2, the pre-counter block ($J_0$) is generated from the IV. In particular, when the length of the IV is 96 bits, then the padding string $0^{31}\ ||\ 1$ is appended to the IV to form the pre-counter block. Otherwise, the IV is padded with the minimum number of '0' bits, possibly none, so that the length of the resulting string is a multiple of 128 bits (the block size); this string in turn is appended with 64 additional '0' bits, followed by the 64-bit representation of the length of the IV, and the GHASH function is applied to the resulting string to form the pre-counter block. In Step 3, the 32-bit incrementing function is applied to the pre-counter block to produce the initial counter block for an invocation of the GCTR function on the plaintext. The output of this invocation of the GCTR function is the ciphertext.
In Steps 4 and 5, the AAD and the ciphertext are each appended with the minimum number of '0' bits, possibly none, so that the bit lengths of the resulting strings are multiples of the block size. The concatenation of these strings is appended with the 64-bit representations of the lengths of the AAD and the ciphertext, and the GHASH function is applied to the result to produce a single output block. In Step 6, this output block is encrypted using the GCTR function
with the pre-counter block that was generated in Step 2, and the result is truncated to the
specified tag length to form the authentication tag. The ciphertext and the tag are returned as the
output in Step 7.
Figure 3: $\text{GCM-AE}_K(IV, P, A) = (C, T)$.
The authenticated encryption function is illustrated in Figure 3 above. The determination of $J_0$ from IV (Step 2) is not depicted.
7.2 Algorithm for the Authenticated Decryption Function
Algorithm 5 below specifies the authenticated decryption function:
Algorithm 5: $\text{GCM-AD}_K(IV, C, A, T)$
Prerequisites:
approved block cipher CIPH with a 128-bit block size;
key K;
definitions of supported input-output lengths;
supported tag length t associated with the key.
Input:
initialization vector IV;
ciphertext C;
additional authenticated data A;
authentication tag T.
Output:
plaintext P or indication of inauthenticity FAIL.
Steps:
1. If the bit lengths of IV, A or C are not supported, or if len(T) ≠ t, then return FAIL.
2. Let $H = \mathrm{CIPH}_K(0^{128})$.
3. Define a block, $J_0$, as follows:
If len(IV) = 96, then $J_0 = IV\ ||\ 0^{31}\ ||\ 1$.
If len(IV) ≠ 96, then let $s = 128\lceil \mathrm{len}(IV)/128 \rceil - \mathrm{len}(IV)$, and $J_0 = \mathrm{GHASH}_H(IV\ ||\ 0^{s+64}\ ||\ [\mathrm{len}(IV)]_{64})$.
4. Let $P = \mathrm{GCTR}_K(\mathrm{inc}_{32}(J_0), C)$.
5. Let $u = 128\lceil \mathrm{len}(C)/128 \rceil - \mathrm{len}(C)$ and let $v = 128\lceil \mathrm{len}(A)/128 \rceil - \mathrm{len}(A)$.
6. Define a block, S, as follows:
$S = \mathrm{GHASH}_H(A\ ||\ 0^v\ ||\ C\ ||\ 0^u\ ||\ [\mathrm{len}(A)]_{64}\ ||\ [\mathrm{len}(C)]_{64})$.
7. Let $T' = \mathrm{MSB}_t(\mathrm{GCTR}_K(J_0, S))$.
8. If $T = T'$, then return P; else return FAIL.
In Step 1, the implementation's support for the lengths of the IV, the ciphertext, the AAD, and the authentication tag is verified. In Step 2, the hash subkey for the GHASH function is generated by applying the block cipher to the "zero" block. In Step 3, the pre-counter block ($J_0$) is formed as for the authenticated encryption function (Step 2 of Section 7.1). In Step 4, the 32-bit incrementing function is applied to the pre-counter block to produce the initial counter block for an invocation of the GCTR function on the ciphertext. The output of this invocation of the GCTR function is the plaintext that corresponds to the ciphertext for the given IV.
In Steps 5 and 6, the AAD and the ciphertext are each appended with the minimum number of '0' bits, possibly none, so that the bit lengths of the resulting strings are multiples of the block size. The concatenation of these strings is appended with 64-bit representations of the lengths of the AAD and the ciphertext, and the GHASH function is applied to the result to produce a single output block. In Step 7, this output block is encrypted using the GCTR function with the pre-counter block that was generated in Step 3, and the result is truncated to the specified tag length to form the authentication tag. In Step 8, the result of Step 7 is compared with the authentication tag that was received as an input: if they are identical, then the plaintext is returned; otherwise, FAIL is returned.
Equivalent sets of steps that produce the correct output are permitted. In particular, the verification of the tag may precede the computation of the plaintext.
The authenticated decryption function is illustrated in Figure 4 below. The determination of $J_0$ from IV (Step 3) is not depicted.
Figure 4: $\text{GCM-AD}_K(IV, C, A, T) = P$ or FAIL.
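The functions of Secs. 6.2 through 7.2 (inc_s, the block product of Algorithm 1, GHASH, GCTR, and GCM-AE/GCM-AD with the J_0 derivation) in working form, as an added example that is not the Recommendation's own code. It assumes byte-aligned bit strings and takes CIPH_K as a callable; demo_ciph is a constructed SHA-256 stand-in, not an approved block cipher, so only the GF(2^128) arithmetic can be checked against a published AES-GCM value.

```python
"""GCM building blocks after NIST SP 800-38D Secs. 6.2-7.2 (added example,
not the Recommendation's own code).  Bit strings are byte strings, so every
length is a multiple of 8 bits, and bit x_0 of a block is the most
significant bit of its first byte.  CIPH_K is passed in as a callable."""
import hashlib
import hmac

R = 0xE1 << 120   # R = 11100001 || 0^120 (Sec. 6.3), x_0 as the top bit
FAIL = None       # GCM-AD's "indication of inauthenticity" (Sec. 7.2)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def inc(X: bytes, s: int) -> bytes:
    """inc_s(X) of Sec. 6.2: add 1 mod 2^s to the rightmost s bits of X."""
    n, mask = int.from_bytes(X, "big"), (1 << s) - 1
    return ((n & ~mask) | ((n + 1) & mask)).to_bytes(len(X), "big")

def mult(X: bytes, Y: bytes) -> bytes:
    """Algorithm 1: the block product X . Y in GF(2^128), modulus R || 1."""
    x = int.from_bytes(X, "big")
    z, v = 0, int.from_bytes(Y, "big")            # Z_0 = 0^128, V_0 = Y
    for i in range(128):
        if (x >> (127 - i)) & 1:                  # x_i = 1 (x_0 is leftmost)
            z ^= v                                # Z_{i+1} = Z_i xor V_i
        v = (v >> 1) ^ R if v & 1 else v >> 1     # V_{i+1} depends on LSB_1(V_i)
    return z.to_bytes(16, "big")                  # Z_128

def ghash(H: bytes, X: bytes) -> bytes:
    """Algorithm 2: GHASH_H(X), len(X) a positive multiple of 128 bits."""
    if not X or len(X) % 16:
        raise ValueError("GHASH input must be a non-empty sequence of blocks")
    y = bytes(16)                                 # Y_0, the zero block
    for i in range(0, len(X), 16):
        y = mult(xor(y, X[i:i + 16]), H)          # Y_i = (Y_{i-1} xor X_i) . H
    return y

def gctr(ciph, ICB: bytes, X: bytes) -> bytes:
    """Algorithm 3: GCTR_K(ICB, X); the last block may be partial."""
    Y, CB = bytearray(), ICB
    for i in range(0, len(X), 16):
        chunk = X[i:i + 16]                       # X_i, or the partial X_n*
        Y += xor(chunk, ciph(CB)[:len(chunk)])    # MSB_len(X_n*) truncation
        CB = inc(CB, 32)                          # CB_{i+1} = inc_32(CB_i)
    return bytes(Y)

def zero_pad(b: bytes) -> bytes:
    """Append the minimum number of '0' bits so the length is a multiple of 128."""
    return b + bytes(-len(b) % 16)

def len64(b: bytes) -> bytes:
    """[len(b)]_64, the 64-bit representation of the bit length (Sec. 6.1)."""
    return (8 * len(b)).to_bytes(8, "big")

def pre_counter_block(H: bytes, IV: bytes) -> bytes:
    """J_0 (Step 2 of Algorithm 4, Step 3 of Algorithm 5)."""
    if len(IV) == 12:                             # len(IV) = 96
        return IV + b"\x00\x00\x00\x01"           # IV || 0^31 || 1
    return ghash(H, zero_pad(IV) + bytes(8) + len64(IV))  # IV||0^(s+64)||[len(IV)]_64

def gcm_ae(ciph, IV: bytes, P: bytes, A: bytes, t: int = 16):
    """Algorithm 4: GCM-AE_K(IV, P, A) -> (C, T), tag length t in bytes."""
    H = ciph(bytes(16))                           # Step 1: hash subkey
    J0 = pre_counter_block(H, IV)                 # Step 2
    C = gctr(ciph, inc(J0, 32), P)                # Step 3
    S = ghash(H, zero_pad(A) + zero_pad(C) + len64(A) + len64(C))  # Steps 4-5
    T = gctr(ciph, J0, S)[:t]                     # Step 6: MSB_t(GCTR_K(J_0, S))
    return C, T

def gcm_ad(ciph, IV: bytes, C: bytes, A: bytes, T: bytes, t: int = 16):
    """Algorithm 5: GCM-AD_K(IV, C, A, T) -> P, or FAIL."""
    if not IV or len(T) != t:                     # Step 1: length checks
        return FAIL
    H = ciph(bytes(16))                           # Steps 2-3
    J0 = pre_counter_block(H, IV)
    P = gctr(ciph, inc(J0, 32), C)                # Step 4
    S = ghash(H, zero_pad(A) + zero_pad(C) + len64(A) + len64(C))  # Steps 5-6
    T_prime = gctr(ciph, J0, S)[:t]               # Step 7
    # Step 8; hmac.compare_digest is a constant-time comparison (added hardening).
    return P if hmac.compare_digest(T_prime, T) else FAIL

def demo_ciph(key: bytes):
    """Stand-in for CIPH_K built from SHA-256: NOT an approved block cipher.
    Replace with AES-128 encryption under K for real use."""
    return lambda block: hashlib.sha256(key + block).digest()[:16]
```

With AES-128 substituted for demo_ciph, H = AES_K(0^128) for the all-zero key is 66e94bd4ef8a2c3b884cfa59ca342b2e, which lets mult and ghash be checked against the published zero-key AES-GCM test vector.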
8 Uniqueness Requirement on IVs and Keys
The IVs in GCM must fulfill the following "uniqueness" requirement:
The probability that the authenticated encryption function ever will be invoked with the same IV and the same key on two (or more) distinct sets of input data shall be no greater than $2^{-32}$.
Compliance with this requirement is crucial to the security of GCM. Across all instances of the authenticated encryption function with a given key, if even one IV is ever repeated, then the implementation may be vulnerable to the forgery attacks that are described in Ref. [5] and summarized in Appendix A. In practice, this requirement is almost as important as the secrecy of the key.
The role of key establishment in supporting this requirement is discussed in Sec. 8.1. The two allowed IV constructions for satisfying this requirement are given in Sec. 8.2. Constraints on the number of invocations of the authenticated encryption function are given in Sec. 8.3.
8.1 Key Establishment
The following requirement, which is the norm for secret key cryptographic algorithms in general,
takes on explicit importance for GCM to support the uniqueness requirement in Sec. 8:
Any GCM key that is established among its intended users shall, with high probability, be
fresh.
In practice, the requirements in Sec. 5.1 should ensure that a key is fresh when it is generated, if
the generation mechanism is resistant to tampering. Achieving such resistance usually imposes
requirements on the management of the key generation mechanism.
In particular, if the key generation mechanism is deterministic, then the management of the
mechanism shall provide strong assurance that no outside entity can induce the repetition of a
previous set of inputs to the mechanism, or otherwise cause the repetition of a previous output.
For example, GCM keys may be established using the key derivation functions of the following protocols as allowed in [9]: Transport Layer Security, Internet Key Exchange v1 and v2, and Secure Shell.
Similarly, if a new key must be transported to its intended recipient(s), the method of
transport/distribution shall provide strong assurance against “replay,” so that no party can induce
the substitution of a previous key for the intended key.
GCM keys should be established within the framework of an approved key management
structure to assure their freshness, as well as their confidentiality and authenticity; the details of
such structures are outside the scope of this Recommendation.
8.2 IV Constructions
This Recommendation provides two frameworks for constructing IVs. The first construction, described in Sec. 8.2.1, relies on deterministic elements to achieve the uniqueness requirement in Sec. 8; the second construction, described in Sec. 8.2.2, relies on a sufficiently long output string from an approved RBG with a sufficient security strength.
For any supported IV length that is strictly less than 96 bits, the construction in Sec. 8.2.1 shall be used, across all instances of the authenticated encryption function with the given key.
For any supported IV length that is 96 bits or greater, exactly one of the constructions, but not both, shall be used, across all instances of the authenticated encryption function with the given key.
For example, suppose that an implementation supports IV lengths of 64 bits, 96 bits, 128 bits, and 160 bits. For 64-bit IVs the only choice is the construction in Sec. 8.2.1. For the other three IV lengths, one possible combination of choices is the construction in Sec. 8.2.1 for 96-bit IVs and the construction in Sec. 8.2.2 for 128-bit and 160-bit IVs.
8.2.1 Deterministic Construction
In the deterministic construction, the IV is the concatenation of two fields, called the fixed field
and the invocation field. The fixed field shall identify the device, or, more generally, the context
for the instance of the authenticated encryption function. The invocation field shall identify the
sets of inputs to the authenticated encryption function in that particular device.
For any given key, no two distinct devices shall share the same fixed field, and no two distinct sets of inputs to any single device shall share the same invocation field. Compliance with these two requirements implies compliance with the uniqueness requirement on IVs in Sec. 8.
If desired, the fixed field itself may be constructed from two or more smaller fields. Moreover, one of those smaller fields could consist of bits that are arbitrary (i.e., not necessarily deterministic nor unique to the device), as long as the remaining bits ensure that the fixed field is not repeated in its entirety for some other device with the same key.
Similarly, the entire fixed field may consist of arbitrary bits when there is only one context to identify, such as when a fresh key is limited to a single session of a communications protocol. In this case, if different participants in the session share a common fixed field, then the protocol shall ensure that the invocation fields are distinct for distinct data inputs.
The invocation field typically is either 1) an integer counter or 2) a linear feedback shift register that is driven by a primitive polynomial to ensure a maximal cycle length. In either case, the invocation field increments upon each invocation of the authenticated encryption function.
The lengths and positions of the fixed field and the invocation field shall be fixed for each supported IV length for the life of the key. In order to promote interoperability for the default IV length of 96 bits, this Recommendation suggests, but does not require, that the leading (i.e., leftmost) 32 bits of the IV hold the fixed field; and that the trailing (i.e., rightmost) 64 bits hold the invocation field.
8.2.2 RBG-based Construction
In the RBG-based construction, the IV is the concatenation of two fields, called the random field
and the free field. For each IV length that is supported by the implementation and used with the
RBG-based construction, the lengths of these fields shall be fixed for the life of the key.
Moreover, the length of the random field shall be at least 96 bits; the free field may be empty.
If i is a supported IV length that is associated to the RBG-based construction, then let r(i) denote the bit length of the random field. The random field shall either consist of 1) an output string of r(i) bits from an approved RBG with a sufficient security strength, or 2) the result of applying the r(i)-bit incrementing function to the random field of the preceding IV for the given key. The r(i)-bit output string from the RBG is called a direct random string, and the random fields that result from applying the r(i)-bit incrementing function are called its successors.
There are no requirements on the bits in the free field. For example, they may identify the device, similar to the fixed field of the deterministic construction, except within the RBG-based construction these identifiers are not required to be distinct for each device. For any IV length that is associated to the RBG-based construction, the free field is recommended to be empty, so that the random field is the entire IV.
The instantiations of the RBGs in any two distinct devices shall be independent, so that the
distribution of direct random strings across all of the RBG instantiations is expected to be
uniform. For example, if the initialization of the RBG instantiations depends only on a secret
seed, then each instantiation shall be initialized with a distinct seed.
8.3 Constraints on the Number of Invocations
The following requirement applies to all implementations that use either 1) the deterministic construction with IVs whose length is not 96, or 2) the RBG-based construction, for IVs of any length. In other words, unless an implementation only uses 96-bit IVs that are generated by the deterministic construction:
The total number of invocations of the authenticated encryption function shall not exceed $2^{32}$, including all IV lengths and all instances of the authenticated encryption function with the given key.
This is a "global" requirement that can be achieved by appropriate "local" limits on each instance of the authenticated encryption function with a given key. For example, suppose an implementation consists of $2^{10}$ devices that only support 64-bit, 96-bit, and 128-bit IVs. One way to satisfy the above requirement would be to limit each device to $2^{20}$ invocations with 64-bit IVs, $2^{21}$ invocations with 96-bit IVs, and $2^{20}$ invocations with 128-bit IVs.
For the RBG-based construction of IVs, the above requirement, in conjunction with the requirement that r(i) ≥ 96, is sufficient to ensure the uniqueness requirement in Sec. 8, as follows from the discussion in Ref. [4].
For the deterministic construction, the lengths of the two fields imply two additional operational constraints. These constraints apply to any supported IV length, including 96 bits:
• The bit length of the invocation field limits the number of invocations of the authenticated encryption function with any given fixed field and key. In particular, if s denotes the number of bits in the invocation field, then the authenticated encryption function cannot be invoked on more than $2^s$ distinct input sets without violating the uniqueness requirement.
• Similarly, an s-bit fixed field implies a limit of $2^s$ on the number of distinct devices/contexts that can implement the authenticated encryption function for the given key, with IVs of the given length.
9 Practical Considerations for Validating Implementations
Both the designer of a GCM implementation and the information technology (IT) professional
who deploys and maintains it within a particular system have important roles in meeting the
uniqueness requirement in Sec. 8, as discussed in Secs. 9.1 and 9.2 below.
The additional requirements in these two sections are provided for the purpose of demonstrating compliance with the uniqueness requirement in Sec. 8 within a validation program. Specifically, analogous to the requirements in Ref. [9], the requirements in these two sections apply to implementations that are validated against the requirements of FIPS Pub. 140-2 (Ref. [3]), or any superseding version of FIPS 140.
Implementations that are not validated against the requirements of FIPS Pub. 140-2 may interpret the requirements in Secs. 9.1 and 9.2 as recommendations.
9.1 Design Considerations
In order to inhibit an unauthorized party from controlling or influencing the generation of IVs,
GCM shall be implemented only within a cryptographic module that meets the requirements of
FIPS Pub. 140-2. In particular, the cryptographic boundary of the module shall contain a
“generation unit” that produces IVs according to one of the constructions in Sec. 8.2 above.
The documentation of the module for its validation against the requirements of FIPS 140-2 shall
describe how the module complies with the uniqueness requirement on IVs. At a minimum, the
documentation shall address the considerations in this section, and clearly document the
responsibilities of the IT professional who configures, deploys, and maintains the GCM
implementations within a larger system.
The following are three important design considerations for GCM modules:
1. The freshness of keys shall be assured, as discussed in Sec. 8.1.
2. The IV shall be a critical security parameter as defined in FIPS Pub. 140-2 until the
authenticated encryption function is invoked with the IV. Prior to this invocation, the IV
shall be provided the same protection as other critical security parameters in a module
that is validated to the requirements in FIPS Pub. 140-2.
3. A loss of power to the module shall not cause the repetition of IVs. If the generation unit
cannot recover from a loss of power, then the authenticated encryption function shall
enter a failure state until a fresh key can be established.
The IV construction that is implemented from Sec. 8.2 above affects the options for recovery from a loss of power. For the deterministic construction, all of the deterministic elements that are necessary to construct the IV would have to be available when power is restored. For example, these elements could be stored in non-volatile memory.
When power is restored, neither the preceding IV nor any other previous IV shall immediately be
repeated for the key. One way to avoid such a repetition would be to ensure that the invocation
field value that is periodically stored in the non-volatile memory is always one or more values
ahead of the operational value in the sequence.
One potential advantage of the RBG-based construction is that the RBG may be designed to recover from a loss of power in a straightforward manner, i.e., without requiring action from the IT professional that maintains the system. For example, the RBG may incorporate a non-deterministic source of bits that would automatically be available to the RBG when power is restored.
Alternatively, the entire state of the RBG may be stored periodically in non-volatile memory. In this case, similar to the deterministic construction, when power is restored, the design shall ensure that the RBG shall not output strings for use within new IVs until the state of the RBG is advanced beyond the state that generated the last IV for the key. In other words, the direct random string for the first new IV shall be, with high probability, different than the direct random string in any IV that was generated before the loss of power.
Even if the process is not automatic, the IT professional who maintains the system may simply reinitialize the RBG when power is restored, for example, with a fresh seed. In this case, either the design of the module or the IT professional that maintains the system shall ensure that compliance is maintained with the independence condition on the RBGs in Sec. 8.2.2.
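The two IV constructions of Sec. 8.2, with the invocation limits of Sec. 8.3 and the power-loss checkpointing of Sec. 9.1, as an added example that is not the Recommendation's own code. The non-volatile memory (a dict), the `lead` checkpoint distance, the `successors` budget and the RBG stand-in (os.urandom) are assumptions of this example.

```python
"""GCM IV generation after NIST SP 800-38D Secs. 8.2.1, 8.2.2, 8.3 and 9.1
(added example, not the Recommendation's own code).  The non-volatile
memory is a dict and the RBG defaults to os.urandom; both are stand-ins."""
import os

class InvocationLimit(Exception):
    """Raised rather than ever repeating an IV (the limits of Sec. 8.3)."""

def inc(X: bytes, s: int) -> bytes:
    """inc_s(X) of Sec. 6.2: add 1 mod 2^s to the rightmost s bits of X."""
    n, mask = int.from_bytes(X, "big"), (1 << s) - 1
    return ((n & ~mask) | ((n + 1) & mask)).to_bytes(len(X), "big")

class DeterministicIVGenerator:
    """Sec. 8.2.1: IV = fixed field || invocation field (an integer counter).

    The counter value kept in non-volatile memory is always `lead` values
    ahead of the operational value (Sec. 9.1), so that after a loss of power
    the generator resumes past every IV it issued before the loss."""

    def __init__(self, fixed: int, fixed_bits: int, counter_bits: int,
                 nvm: dict, lead: int = 4):
        if fixed >= 1 << fixed_bits or (fixed_bits + counter_bits) % 8:
            raise ValueError("fixed field too large or IV not byte-aligned")
        self.fixed, self.fixed_bits = fixed, fixed_bits
        self.counter_bits, self.nvm, self.lead = counter_bits, nvm, lead
        self.counter = nvm.get("checkpoint", 0)   # 0 on first use of the key
        self._checkpoint()

    def _checkpoint(self) -> None:
        self.nvm["checkpoint"] = self.counter + self.lead

    def next_iv(self) -> bytes:
        if self.counter >= 1 << self.counter_bits:   # 2^s bound, Sec. 8.3
            raise InvocationLimit("invocation field exhausted; establish a fresh key")
        if self.counter >= self.nvm["checkpoint"]:   # keep the stored value ahead
            self._checkpoint()
        iv = (self.fixed << self.counter_bits) | self.counter
        self.counter += 1
        return iv.to_bytes((self.fixed_bits + self.counter_bits) // 8, "big")

class RBGIVGenerator:
    """Sec. 8.2.2: IV = random field (r >= 96 bits) || free field.

    The random field is either a direct random string from the RBG or one of
    up to `successors` successors made with the r-bit incrementing function.
    The total number of invocations is capped at 2^32 (Sec. 8.3)."""

    def __init__(self, r_bits: int, free: bytes = b"", successors: int = 0,
                 rbg=os.urandom):
        if r_bits < 96 or r_bits % 8:
            raise ValueError("random field must be >= 96 bits (byte-aligned here)")
        self.r, self.free, self.successors, self.rbg = r_bits // 8, free, successors, rbg
        self.random_field, self.succ_left, self.invocations = None, 0, 0

    def next_iv(self) -> bytes:
        if self.invocations >= 1 << 32:
            raise InvocationLimit("2^32 invocations reached; establish a fresh key")
        if self.random_field is None or self.succ_left == 0:
            self.random_field = self.rbg(self.r)     # direct random string
            self.succ_left = self.successors
        else:
            self.random_field = inc(self.random_field, 8 * self.r)  # successor
            self.succ_left -= 1
        self.invocations += 1
        return self.random_field + self.free

def exhausted(gen) -> bool:
    """True if the generator refuses to issue another IV."""
    try:
        gen.next_iv()
    except InvocationLimit:
        return True
    return False
```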
9.2 Operational Considerations
Compliance with the uniqueness requirement on IVs, and hence the security of GCM, ultimately
depends on the IT professional who configures, deploys, and maintains the GCM modules within
a particular system. The documentation for a GCM module shall give the IT professional
detailed instructions that are tailored to the particular design of the module.
The following are some typical operational considerations for the uniqueness requirement:
• Is the configuration of any GCM module, or any operational value, vulnerable to control
or influence from any unauthorized party?
• For any given key, how are configuration choices enforced across all modules that ever
implement the authenticated encryption function?
• How is the freshness of keys assured, as discussed in Sec. 8.1?
• If an implementation does not exclusively use 96-bit IVs that are generated by the deterministic construction, how is the requirement in Sec. 8.3 on the number of invocations ensured?
• As discussed in Sec. 9.1, how does IV generation within the modules recover from a loss of power without violating the uniqueness requirement on IVs?
The following considerations are specific to the deterministic construction:
• How are the device identifiers installed into the fixed field so that compliance with the
requirements on the fixed field in Sec. 8.2.1 is ensured, both for the initially deployed
modules and for any subsequent deployed modules?
• Is the length of the invocation field sufficient to support all of the invocations that can
occur in any module during the lifetime of any key, as discussed in the first bullet in
Sec. 8.3?
• For any given key and IV length, is the length of the fixed field sufficient to support the
number of modules that will implement authenticated encryption, as discussed in the
second bullet in Sec. 8.3?
• If the default setting for the lengths of the fixed field and the invocation field can be
altered, then how is the choice enforced across all modules with any given key?
The following consideration is specific to the RBG-based construction:
• How are the RBGs for IV generation initialized so that compliance is ensured with the
independence requirement in Sec. 8.2.2, for the initially deployed modules and for any
subsequent deployed modules?
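To make the deterministic-construction considerations above concrete, the following is an added example, not code from SP 800-38D or from any particular module. It builds a 96-bit IV from a fixed field holding a device identifier followed by an invocation counter, refuses to issue an IV once the invocation field would wrap, and persists a high-water mark for the counter before any value below it is used, so that a loss of power cannot cause an IV to be reissued under the same key. The 32-bit/64-bit field split, the batch size of 1024 counter values per nonvolatile write, and the dictionary standing in for the module's nonvolatile storage are assumptions of the example; `check_fleet` is a hypothetical helper for auditing the identifiers assigned across deployed modules.

```python
class IvExhausted(Exception):
    """The invocation field is used up; the key must be replaced before encrypting again."""


class DeterministicIvGenerator:
    """Deterministic IV construction (Sec. 8.2.1): IV = fixed field || invocation field.

    Hypothetical helper, not part of SP 800-38D. Assumptions of this example: a 96-bit IV
    split into a 32-bit fixed field (device identifier) and a 64-bit invocation field, and
    a dictionary standing in for the module's nonvolatile storage.
    """

    IV_BITS = 96

    def __init__(self, device_id, nonvolatile, fixed_bits=32, reserve=1024):
        invocation_bits = self.IV_BITS - fixed_bits
        if not 0 <= device_id < (1 << fixed_bits):
            raise ValueError("device identifier does not fit in the fixed field")
        self.device_id = device_id
        self.fixed_bits = fixed_bits
        self.invocation_bits = invocation_bits
        self.limit = 1 << invocation_bits      # first counter value that must never be used
        self.reserve = reserve                 # counter values reserved per nonvolatile write
        self.nonvolatile = nonvolatile
        # Resume from the persisted high-water mark, never from a value held only in RAM:
        # anything below the mark may already have been used before a loss of power.
        self.counter = nonvolatile.get(device_id, 0)
        self.reserved_until = self.counter

    def next_iv(self):
        """Return the next 96-bit IV for this device, or raise IvExhausted."""
        if self.counter >= self.limit:
            # Wrapping the counter would repeat an IV under the same key (see Appendix A).
            raise IvExhausted("invocation field exhausted; establish a new key")
        if self.counter >= self.reserved_until:
            # Persist the new high-water mark BEFORE handing out any IV from the batch.
            # A crash mid-batch then wastes at most `reserve` values and never repeats one.
            self.reserved_until = min(self.counter + self.reserve, self.limit)
            self.nonvolatile[self.device_id] = self.reserved_until
        value = (self.device_id << self.invocation_bits) | self.counter
        self.counter += 1
        return value.to_bytes(self.IV_BITS // 8, "big")

    def remaining_invocations(self):
        """How many more IVs this module can issue under the current key."""
        return self.limit - self.counter


def fixed_field_capacity(fixed_bits):
    """Number of distinct modules a fixed field of this width can identify (Sec. 8.3)."""
    return 1 << fixed_bits


def check_fleet(device_ids, fixed_bits=32):
    """Verify that every deployed module has a distinct identifier that fits the fixed field.

    Returns a list of problems; an empty list means the fleet satisfies the fixed-field rules.
    """
    problems = []
    seen = set()
    for dev in device_ids:
        if not 0 <= dev < fixed_field_capacity(fixed_bits):
            problems.append(f"device id {dev} does not fit in {fixed_bits} bits")
        elif dev in seen:
            problems.append(f"device id {dev} is assigned to more than one module")
        seen.add(dev)
    return problems


if __name__ == "__main__":
    nvram = {}                       # constructed stand-in for nonvolatile storage
    gen = DeterministicIvGenerator(device_id=7, nonvolatile=nvram)
    first = [gen.next_iv() for _ in range(3)]
    # Simulated loss of power: a fresh object resumes from the persisted mark, not from 3.
    restarted = DeterministicIvGenerator(device_id=7, nonvolatile=nvram)
    assert restarted.next_iv() not in first
    print("persisted high-water mark:", nvram[7])
    print("fleet problems:", check_fleet([1, 2, 2, 1 << 40]))
```

The reserve-ahead write is the point of the example: the counter value that is safe to resume from after a power loss is the one that was committed to nonvolatile storage before use, not the one that was current in memory. The same check that refuses to wrap the invocation field is what enforces the first bullet of Sec. 8.3 for this module; whether the field is wide enough for the key's lifetime is a deployment decision that `remaining_invocations` makes visible.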
10 Conformance
The two categories of implementations that may claim conformance with this Recommendation
are GCM and GMAC.
Implementations may restrict the bit lengths of the plaintext, AAD, IVs, and authentication tags
that they support, as discussed in Secs. 5.2.1.1 and 5.2.1.2 above. Although such restrictions may
affect interoperability, only the elimination of the plaintext altogether, i.e., GMAC, is considered
as a distinct category of implementation.
For every algorithm that is specified in this Recommendation, a conforming implementation may
replace the given set of steps with any mathematically equivalent sets of steps. In other words,
different procedures that produce the correct output for any input are permitted.

Appendix A: Importance of the Uniqueness Requirement on IVs
Sec. 8 contains a uniqueness requirement for the IVs of GCM, across all implementations of the
authenticated encryption function with any given key. This appendix summarizes why this
requirement is crucial to the security of GCM, as first described in Ref. [5].
The secure operation of a cryptographic algorithm depends not only on the proper
implementation of the steps of the algorithm, but also on the adherence to the associated
requirements. An obvious example for any symmetric key algorithm is that the key needs to be
kept secret. For GCM, the requirement in Sec. 5.2.1 for the uniqueness of the IVs is almost as
important, although not as obvious.
Consider first the example of the Counter mode requirement in Ref. [10] for the counter blocks
to be unique. If this requirement is breached, then the Counter mode encryption function may
fail to provide the expected confidentiality for the data blocks that correspond to the repeating
counter blocks, although the other data blocks are not affected.
The Counter mode decryption function has a vulnerability that is arguably more serious.
Counter-mode ciphertext is “malleable” in the sense that flipping any of its bits will induce the
corresponding bits of the plaintext to flip upon decryption. Therefore, if an adversary knows a
plaintext-ciphertext pair and can induce the decryption function to use the counter blocks from
the known pair, then, by choosing which bits to flip in the known ciphertext, the adversary can
control the result of decryption, up to the length of the known plaintext.
This vulnerability motivates combining the Counter mode encryption mechanism with an
authentication mechanism, such as occurs in GCM. The idea is to prevent the adversary’s
altered ciphertext from being accepted as valid. However, as detailed in Ref. [5], the
authentication assurance in GCM crucially depends on the uniqueness of the IVs.
In particular, if IVs are ever repeated for the GCM authenticated encryption function for a given
key, then it is likely that an adversary will be able to determine the hash subkey from the
resulting ciphertexts. The adversary then could easily construct a ciphertext forgery. In
particular, given the ciphertext and tag outputs for an invocation of the authenticated encryption
function, along with the associated IV and AAD inputs, the adversary could substitute any
ciphertext and AAD strings and use the subkey to generate the valid substitute tag. Although
this forgery would use the same IV, in most cases it will not be feasible for the authenticated
decryption function to detect the repetition. Thus, the authentication assurance essentially is lost.
Worse, the loss of authentication means that GCM inherits the problematic malleability of its
Counter mode ciphertext. In the above scenario, knowing the original plaintext that corresponds
to the given ciphertext, the adversary can construct the substitute ciphertext in such a way as to
correspond to any desired plaintext of the same length. In other words, the adversary essentially
could control the plaintext output of the authenticated decryption function.
Appendix B: Authentication Assurance
The creation of an authentication tag by the authenticated encryption function provides the
mechanism whereby assurance of the authenticity of the plaintext and AAD (and IV) can be
obtained upon the execution of the authenticated decryption function. The nature of this
assurance depends on the output of the authenticated decryption function:
• If the output is the plaintext, then the design of the mode provides strong, but not
absolute, assurance that the purported source of the data created the tag, i.e., that the
plaintext and the AAD (and the IV and the tag) are authentic. Consequently, the mode
also provides strong assurance that this information was not subsequently altered, either
intentionally or unintentionally.
• If the output is FAIL, then it is certain that at least one of the given inputs (i.e., the
ciphertext, the AAD, the IV, or the tag) is not authentic.
In the first case, the assurance is not absolute because forgeries are possible, in principle. In
other words, an adversary, i.e., a party without access to the key or to the authenticated
encryption function, may be able to produce the correct tag for some triple of ciphertext, AAD,
and IV.
As with any tag-based authentication mechanism, if the adversary chooses a t-bit tag at random,
it is expected to be correct for given data with probability 1/2^t. With GCM, however, an
adversary can choose tags that increase this probability, proportional to the total length of the
ciphertext and AAD. Consequently, GCM is not well-suited for use with short tag lengths or
very long messages.
In particular, if n denotes the total number of blocks in the encoding (i.e., the input to the
GHASH function in the definition of S in Secs. 7.1 and 7.2 above) of the ciphertext and AAD,
then there is a method of constructing a “targeted” ciphertext forgery that is expected to succeed
with a probability of approximately n/2^t. Moreover, each successful forgery in this attack 1)
increases the probability that subsequent targeted forgeries will succeed, and 2) leaks
information about the hash subkey, H. Eventually, H may be compromised entirely, with
consequences as described at the end of Appendix A: the authentication assurance is completely
lost.
Ref. [1] describes the attack, and Ref. [7] gives a detailed treatment of the security properties of
GCM. Appendix C gives guidance and requirements for the use of the two shortest tag sizes, 32
and 64 bits.
Independent of this attack, an adversary may attempt to systematically guess many different tags
for a given input to authenticated decryption, and thereby increase the probability that one (or
more) of them, eventually, will be accepted as valid. For this reason, the system or protocol that
implements GCM should monitor and, if necessary, limit the number of unsuccessful verification
attempts for each key.
Moreover, as with most block cipher modes of operation, the security assurance of GCM
degrades as more data is processed with a single key. Therefore, the total number of blocks of
plaintext and AAD that are protected by invocations of the authenticated encryption function
during the lifetime of the key should be limited. A reasonable limit for most applications would
be 2^64, consistent with the requirement on the number of invocations in Sec. 8.3.
Appendix C: Requirements and Guidelines for Using Short Tags
For some voice or video applications, short authentication tags can be appropriate. The forgery
of some fraction of the individual authenticated “packets” may be tolerable, because each packet
of data in a large stream may carry very little of the overall meaning.
However, even for voice and video applications, short tags can be problematic for GCM, due to
the targeted forgery attack that is summarized in Appendix B and detailed in Ref. [1]. Absent
the requirements and guidelines in this appendix, it may be practical for the attack to produce the
hash subkey, H, after which the authentication assurance is completely lost. Nevertheless, this
Recommendation does not preclude short tags entirely, because knowledgeable security
professionals should be able to manage the risks in connection with this attack, and its potential
improvement.
The following guidelines implicitly describe the special circumstances that may be appropriate
for short tags. A packet in this context is a set of inputs to the authenticated decryption function.
1. Packets that fail the integrity check within the authenticated decryption function should
be silently discarded. In other words, the controlling protocol/system over which packets
are received should not provide an ACK/NACK response regarding the integrity of
individual packets. However, the receiver should log authentication errors internally—in
a way which is undetectable from side-channel information—and terminate the
connection or notify the user if the percentage of errors exceeds what would be
considered normal. This is standard security practice with any protocol/system and any
algorithm choice.
2. The AAD within packets should be limited to the necessary header information and
should not contain messages to be authenticated along with the encrypted data.
3. The substance or meaning of the overall message that is comprised of a large number of
packets should not be lost or compromised by the forgery of a single, arbitrary packet.
For example, packets could carry a sequence of snippets of voice or visual data, but an
individual packet should not carry a .txt or .doc file. Ideally, the plaintext data
underlying the encryption should not be so stereotypical as to be guessable.
4. The controlling protocol/system should establish a new GCM key—and thus a new hash
subkey, H —frequently, depending on the maximum combined length of the ciphertext
and AAD that can occur within a single packet. Moreover, for 32-bit tags, this combined
length should be very small—on the order of tens or hundreds of bytes; 64-bit tags extend
the maximum combined length into the millions of bytes.
An example of a protocol that meets these guidelines is Secure Real-time Transport Protocol
carrying Voice over Internet Protocol, running over User Datagram Protocol.
Tables 1 and 2 below quantify the recommendations in Item 4 above, for 32-bit and 64-bit tags,
respectively. Each row has two entries: 1) a maximum combined length for the ciphertext and
the AAD in a single packet, in bytes, and 2) a corresponding maximum number of invocations of
the authenticated decryption function, across all instances of the GCM with the given key.
For any implementation that supports 32-bit or 64-bit tags, one of the rows in Table 1 or Table 2,
respectively, shall be enforced. In particular, the supported lengths for the plaintext/ciphertext
and the AAD shall ensure that every valid packet satisfies the length restriction in the row, and
the controlling protocol/system shall ensure that the key is changed before the authenticated
decryption function is invoked more than the maximum that is given in the row. A smaller
maximum may also be enforced.
Table 1: Constraints with 32-bit Tags

Maximum Combined Length of the Ciphertext    Maximum Invocations of the
and AAD in a Single Packet (bytes)           Authenticated Decryption Function
2^5                                          2^22
2^6                                          2^20
2^7                                          2^18
2^8                                          2^15
2^9                                          2^13
2^10                                         2^11

Table 2: Constraints with 64-bit Tags

Maximum Combined Length of the Ciphertext    Maximum Invocations of the
and AAD in a Single Packet (bytes)           Authenticated Decryption Function
2^15                                         2^32
2^17                                         2^29
2^19                                         2^26
2^21                                         2^23
2^23                                         2^20
2^25                                         2^17
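The following is an added example, not code from SP 800-38D or from any protocol that implements it, showing what enforcing one row of Table 1 or Table 2 looks like on the receiving side, together with the monitoring of unsuccessful verification attempts called for at the end of Appendix B and in guideline 1 of this appendix. The receiver rejects any packet whose ciphertext plus AAD exceeds the row's length before decryption runs, counts invocations of the authenticated decryption function per key and refuses to go past the row's maximum, returns the same `None` for every discarded packet so that no ACK/NACK distinguishes an oversized packet from a failed integrity check, and keeps an internal error log that terminates the connection when the failure rate exceeds a threshold. The threshold, the minimum sample size, the key identifiers and the hash-based stand-in for GCM (used only so the block runs offline; it is not GCM and must not be used as a cipher) are assumptions of the example.

```python
import hashlib
import hmac

# Rows of Table 1 (32-bit tags) and Table 2 (64-bit tags), transcribed from the tables above:
# maximum combined length of the ciphertext and AAD in a single packet (bytes) -> maximum
# invocations of the authenticated decryption function across all instances with the key.
TABLE_1_32BIT = {2**5: 2**22, 2**6: 2**20, 2**7: 2**18, 2**8: 2**15, 2**9: 2**13, 2**10: 2**11}
TABLE_2_64BIT = {2**15: 2**32, 2**17: 2**29, 2**19: 2**26, 2**21: 2**23, 2**23: 2**20, 2**25: 2**17}


class RekeyRequired(Exception):
    """The row's invocation maximum was reached; establish a new key before decrypting again."""


class ConnectionTerminated(Exception):
    """The internally logged authentication-error rate exceeded what is considered normal."""


def toy_keystream(key, iv, length):
    """Constructed hash-based keystream for the stand-in cipher below (NOT GCM, not for real use)."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def stand_in_encrypt(key, iv, plaintext, aad, tag_len):
    """Stand-in for authenticated encryption: XOR keystream plus a truncated HMAC tag."""
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, toy_keystream(key, iv, len(plaintext))))
    tag = hmac.new(key, iv + aad + ciphertext, hashlib.sha256).digest()[:tag_len]
    return ciphertext, tag


def stand_in_decrypt(key, iv, ciphertext, aad, tag):
    """Stand-in for authenticated decryption: returns the plaintext, or None for FAIL."""
    expected = hmac.new(key, iv + aad + ciphertext, hashlib.sha256).digest()[:len(tag)]
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ s for c, s in zip(ciphertext, toy_keystream(key, iv, len(ciphertext))))


class ShortTagReceiver:
    """Receiver-side enforcement of Appendix C for a short-tag deployment.

    Hypothetical helper, not part of SP 800-38D. `decrypt(key, iv, ciphertext, aad, tag)` is
    the deployment's authenticated decryption function; it returns the plaintext or None.
    """

    def __init__(self, tag_bits, max_packet_len, decrypt, error_rate_limit=0.01, min_sample=100):
        table = {32: TABLE_1_32BIT, 64: TABLE_2_64BIT}[tag_bits]
        if max_packet_len not in table:
            raise ValueError("max_packet_len must be the first entry of a row in Table 1 or 2")
        self.max_packet_len = max_packet_len
        self.max_invocations = table[max_packet_len]
        self.decrypt = decrypt
        self.error_rate_limit = error_rate_limit
        self.min_sample = min_sample
        self.invocations = {}   # key id -> decryption invocations so far under that key
        self.received = 0
        self.failures = 0
        self.log = []           # internal log only; never echoed back to the sender

    def receive(self, key_id, key, iv, ciphertext, aad, tag):
        """Return the plaintext, or None for any packet that is discarded (no ACK/NACK)."""
        self.received += 1
        if len(ciphertext) + len(aad) > self.max_packet_len:
            # The row's length restriction must hold for every packet; reject before decrypting.
            self.log.append(("oversized", key_id))
            return None
        used = self.invocations.get(key_id, 0)
        if used >= self.max_invocations:
            # Guideline 4: the key must change before decryption is invoked past the row maximum.
            raise RekeyRequired(f"key {key_id!r} reached {self.max_invocations} invocations")
        self.invocations[key_id] = used + 1
        plaintext = self.decrypt(key, iv, ciphertext, aad, tag)
        # Log every outcome, success or failure, so the logging itself does the same work either way.
        self.log.append(("fail" if plaintext is None else "ok", key_id))
        if plaintext is None:
            self.failures += 1
        if self.received >= self.min_sample and self.failures / self.received > self.error_rate_limit:
            raise ConnectionTerminated(f"{self.failures} of {self.received} packets failed authentication")
        return plaintext
```

The length check runs before decryption because the row is only meaningful if every packet that reaches the authenticated decryption function satisfies it, and the invocation counter is keyed on the key identifier because the maximum applies across all instances of GCM using that key, not per connection; a deployment with several receivers for one key has to share that count.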
Appendix D: Protection Against Replay of Messages
As described in Appendix B, the successful verification of the tag within the authenticated
decryption function gives assurance of the authenticity of the data; however, the party that
presents the input data to the authenticated decryption function may not be the original source of
the plaintext and AAD. In other words, GCM, like many other authentication mechanisms, does
not inherently prevent an adversary from intercepting the output of an invocation of
authenticated encryption and “replaying” it for authenticated decryption at a later time, for
example, in an attempt to impersonate a party that has access to the key. In some protocols an
adversary may even be able to use data that the verifier itself generated earlier in the protocol.
The controlling system or protocol may protect against such an event by monitoring for any
duplication of the IVs that are presented for authenticated decryption. Alternatively, certain
identifying information can be incorporated into the AAD. Examples of such information
include a sequential message number or a timestamp. Upon successful verification of
authenticity, this information may provide a means for the detection of replayed messages,
out-of-sequence messages, or missing messages.
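The following is an added example, not code from SP 800-38D or from any particular protocol, of the two detection approaches described above combined: the receiver records the IVs it has accepted and rejects a repeat, and it reads a sequence number carried in the AAD to classify each authenticated packet as in order, late (out of sequence), arriving after a gap (candidate missing messages), or a replay. The AAD layout (a 64-bit big-endian sequence number at the start of the AAD), the sliding window of recent sequence numbers, and the status names are assumptions of the example.

```python
class ReplayDetector:
    """Detects replayed, out-of-sequence and missing messages after the GCM tag has verified.

    Hypothetical helper, not part of SP 800-38D. Assumptions of this example: the controlling
    protocol places a 64-bit big-endian sequence number at the start of the AAD, and the
    receiver accepts late packets within `window` sequence numbers of the highest one seen.
    """

    def __init__(self, window=64):
        self.window = window
        self.highest = None     # highest sequence number accepted so far
        self.bitmap = 0         # bit i set <=> sequence number (highest - i) was accepted
        self.seen_ivs = set()   # IVs of packets that passed authenticated decryption

    def check(self, iv, seq):
        """Classify an authenticated packet. Call this only after the tag has verified.

        Returns (status, skipped), where `skipped` is how many sequence numbers were jumped
        over when the window advanced; those are the candidates for missing messages.
        """
        if iv in self.seen_ivs:
            # The same IV twice under one key is either a replay or a violation of the IV
            # uniqueness requirement; either way the packet must not be processed again.
            return ("rejected_replay", 0)
        if self.highest is None:
            self.highest, self.bitmap = seq, 1
            self.seen_ivs.add(iv)
            return ("accepted", 0)
        if seq > self.highest:
            skipped = seq - self.highest - 1
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
            self.seen_ivs.add(iv)
            return ("accepted_after_gap" if skipped else "accepted", skipped)
        offset = self.highest - seq
        if offset >= self.window:
            # Too far behind to tell a late packet from a replay: refuse it.
            return ("rejected_too_old", 0)
        if (self.bitmap >> offset) & 1:
            return ("rejected_replay", 0)
        self.bitmap |= 1 << offset
        self.seen_ivs.add(iv)
        return ("accepted_out_of_sequence", 0)


def sequence_number(aad):
    """Extract the sequence number from the constructed AAD layout: 8-byte counter, then header."""
    if len(aad) < 8:
        raise ValueError("AAD too short to carry a sequence number")
    return int.from_bytes(aad[:8], "big")


if __name__ == "__main__":
    detector = ReplayDetector(window=8)
    # Constructed sample traffic: (IV, AAD) pairs as they would be presented after verification.
    packets = [(b"iv-1", (1).to_bytes(8, "big") + b"hdr"),
               (b"iv-2", (2).to_bytes(8, "big") + b"hdr"),
               (b"iv-2", (2).to_bytes(8, "big") + b"hdr"),   # replayed
               (b"iv-5", (5).to_bytes(8, "big") + b"hdr"),   # 3 and 4 not yet seen
               (b"iv-3", (3).to_bytes(8, "big") + b"hdr")]   # late arrival
    for iv, aad in packets:
        print(sequence_number(aad), detector.check(iv, sequence_number(aad)))
```

Both checks run only after the authenticated decryption function has returned the plaintext, because the sequence number is protected by the tag only once verification succeeds, and an unverified packet must not be allowed to add entries to the set of seen IVs. The IV set grows for the lifetime of the key; a deployment with long-lived keys would bound it (for instance by relying on the sequence window alone once IVs are themselves derived from the sequence number).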
Appendix E: Bibliography
[1] Ferguson, N., Authentication Weaknesses in GCM, Natl. Inst. Stand. Technol. [Web page],
http://www.csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf,
May 20, 2005.
[2] FIPS Publication 197, The Advanced Encryption Standard (AES), US DoC/NIST,
November 26, 2001.
[3] FIPS Publication 140-2, Security Requirements for Cryptographic Modules, US DoC/NIST,
May 25, 2001.
[4] IEEE P1619.1™/D23, Draft Standard for Authenticated Encryption with Length
Expansion for Storage Devices.
[5] A. Joux, Authentication Failures in NIST version of GCM, Natl. Inst. Stand. Technol.
[Web page], http://www.csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/800-38_Series-Drafts/GCM/Joux_comments.pdf.
[6] D. McGrew, J. Viega, The Galois/Counter Mode of Operation (GCM), Natl. Inst. Stand.
Technol. [Web page], http://www.csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf,
May 31, 2005.
[7] D. McGrew and J. Viega, The Security and Performance of the Galois/Counter Mode
(GCM) of Operation, Proceedings of INDOCRYPT '04, Springer-Verlag, 2004. Full
paper available from the IACR Cryptology ePrint Archive: Report 2004/193, [Web
page], http://eprint.iacr.org/2004/193/, October 7, 2004.
[9] National Institute of Standards and Technology and Communications Security
Establishment, Implementation Guidance for FIPS Pub. 140-2 and the Cryptographic
Module Validation Program, Natl. Inst. Stand. Technol. [Web page],
http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf.
[10] NIST Special Publication 800-38A, 2001 ED, Version 1, Recommendation for Block
Cipher Modes of Operation—Methods and Techniques, December 2001, Natl. Inst. Stand.
Technol. [Web page], http://www.csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf.