diff --git a/src/encryption/symmetric/modes/README.md b/src/encryption/symmetric/modes/README.md index df0d691..62f117b 100644 --- a/src/encryption/symmetric/modes/README.md +++ b/src/encryption/symmetric/modes/README.md @@ -38,7 +38,7 @@ m2-->xor2 ## GCM: Galois/Counter Mode GCM is a block cipher mode of operation that provides both confidentiality and authentication. -To provide confidentiality, it uses CTR mode for encryption and decryption. +To provide confidentiality, it uses Counter(CTR) mode for encryption and decryption. To provide authentication, it uses a universal hash function, GHASH. Authentication is provided not only for confidential data but also other associated data. 
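Review bot: the added line reads `Counter(CTR) mode` with no space before the parenthesis; suggest `Counter (CTR) mode`. The same missing space recurs in the unchanged `Additionally Authenticated Data(AAD)` and `Galois(finite)`, so if the intent of this hunk is to polish the wording, fix the spacing consistently in one pass rather than only on this line.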
@@ -54,26 +54,47 @@ In the figure, we have taken - Additionally Authenticated Data(AAD) is of `2 * 128-bit = 248 bits or 32 bytes`. ![GCM](./figure_full_gcm.svg) +*Note: The yellow diamonds represent functions/algorithms, the small rectangle with a blue outline represents 128-bit blocks.* +Also, +- *Enc(K)*: The encryption operation of the cipher used, for example AES, under the key K. +- *incr*: The increment function, which treats the rightmost 32-bit of the block as an unsigned integer and increments it by 1. If you look at the figure carefully, you will notice that the GCM mode is composed of two main parts: - Encryption: This part is the same as the CTR mode of operation, with minor changes to the counter block. - Authentication: In this part, we generate an authentication tag for the ciphertext and some additional data, which we refer to as Additionally Authenticated Data(AAD). -The authentication algorithm itself has two parts. -- GHASH: We hash the ciphertext along with AAD. This can be viewed as a series of `ADD and MULTIPLY`, mathematically, $J_{i} = ( J_{i-1} \oplus X_{i} ) * H$ -- The GHASH value is XOR-ed with the encryption of `Counter Block 0` to generate the final tag. +The counter block is the same as in CTR mode. In general, it can be thought of as a 96-bit nonce value followed by a 32-bit counter value. + +The tag is generated by XOR of: +1. Hash of ciphertext and AAD, using GHASH algorithm +2. Encryption of Counter block 0. + +### GHASH + +The GHASH algorithm can be viewed as a series of `ADD and MULTIPLY` in $GF(2^{128})$. Mathematically put the basic operation of GHASH is, + +$$ +X_{i} = +\begin{cases} +0 & \quad i = 0 \\ +( X_{i-1} \oplus B_{i} ) * H & \quad \text{otherwise} +\end{cases} +$$ + +$B_{i}$ represents blocks of AAD followed by blocks of ciphertext followed by special length block. +The length block consists of 64-bit lengths(in bits) of AAD and ciphertext. 
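Review bot: the new GHASH formula multiplies by $H$ without ever defining it; add a line in the `### GHASH` section stating that $H$ is the hash subkey, the block cipher applied to the all-zero block under the key, i.e. `H = Enc(K)(0^128)`, otherwise the recurrence is unreadable to someone who does not already know GCM. Two smaller points in the same hunk: the unchanged context line `2 * 128-bit = 248 bits or 32 bytes` is wrong arithmetic (2 * 128 = 256, which is the 32 bytes it already states) and should be corrected here, and the added description of $B_i$ should say that a final partial block of AAD or ciphertext is zero-padded to 128 bits before it enters GHASH, and that the length block is `len(AAD) || len(C)` with each length a 64-bit big-endian bit count, which the text implies but does not spell out. Consider also `Additional Authenticated Data`, the name the GCM specification uses, instead of `Additionally`.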
The interesting thing to note here is that the multiplication($*$) and addition($\oplus$) are operations of the Galois(finite) field of order $2^{128}$. -A brief summary of finite field arithmetic is, -- The elements of the field can be represented as polynomials. +A brief summary of finite field arithmetic, +- The elements of the field are represented as polynomials. Each bit of the 128-bit block represents coefficients of a polynomial of degree strictly less than 128. - Addition in a finite field is equivalent to bitwise XOR. -- Multiplication in a finite field is the multiplication of corresponding polynomials divided by an irreducible reducing polynomial. +- Multiplication in a finite field is the multiplication of corresponding polynomials modulo an irreducible reducing polynomial. -In GCM the reducing polynomial is $f = 1 + x + x^2 + x^7 + x^128$ +In GCM the reducing polynomial is $f = 1 + x + x^2 + x^7 + x^{128}$ If you want to read about Finite Field, the Wikipedia article on [Finite Field Arithemtic](https://en.wikipedia.org/wiki/Galois/Counter_Mode) is pretty good! -Authenticated decryption operation is identical to authenticated encryption, except the tag is generated before the decryption. +The authenticated decryption operation is identical to authenticated encryption, except the tag is generated before the decryption. ## Next Steps Implement more modes, and subsequent attacks/vulnerabilities:
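Review bot: the unchanged context line linking to Wikipedia has a typo (`Arithemtic`) and its URL points at the Galois/Counter_Mode article rather than at finite field arithmetic; since this hunk already edits the neighbouring lines, fix it here: `[Finite Field Arithmetic](https://en.wikipedia.org/wiki/Finite_field_arithmetic)`. The rewritten decryption sentence is also imprecise: the tag is not merely "generated before the decryption", it is recomputed over the received AAD and ciphertext and compared with the received tag, and on a mismatch the operation fails and no plaintext is returned; say that, and that the comparison should be constant-time, because releasing plaintext on a bad tag defeats the authentication the mode exists to provide. One caveat worth a sentence next to the corrected polynomial: GCM maps bits to coefficients in reflected order (the leftmost bit of a block is the coefficient of $x^0$), which trips up implementations that reuse a conventional $GF(2^{128})$ multiply.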