Are you an EPFL student looking for a semester project?

Work with us on data science and visualisation projects, and deploy your project as an app on top of GraphSearch.

Concept

Galois/Counter Mode

Summary

In cryptography, Galois/Counter Mode (GCM) is a mode of operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with inexpensive hardware resources. The GCM algorithm provides both data authenticity (integrity) and confidentiality and belongs to the class of authenticated encryption with associated data (AEAD) methods. This means that as input it takes a key K, some plaintext P, and some associated data AD; it then encrypts the plaintext using the key to produce ciphertext C, and computes an authentication tag T from the ciphertext and the associated data (which remains unencrypted). A recipient with knowledge of K, upon reception of AD, C and T, can decrypt the ciphertext to recover the plaintext P and can check the tag T to ensure that neither ciphertext nor associated data were tampered with. GCM uses a block cipher with block size 128 bits (c

Official source

https://en.wikipedia.org/wiki/Galois/Counter_Mode

About this result

This page is automatically generated and may contain information that is not correct, complete, up-to-date, or relevant to your search query. The same applies to every other page on this website. Please make sure to verify the information with EPFL's official sources.

Related publications (3)

Related publications

Related people (1)

Related people

Related units (1)

Related units

Related concepts (13)

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messa

CCM mode (counter with cipher block chaining message authentication code; counter with CBC-MAC) is a mode of operation for cryptographic block ciphers. It is an authenticated encryption algorithm des

In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called blocks. Block ciphers are the elementary building blocks of many cryptographic protoc

Related concepts

Related courses (3)

This is an introductory course to computer security and privacy. Its goal is to provide students with means to reason about security and privacy problems, and provide them with tools to confront them.

A decentralized system is one that works when no single party is in charge or fully trusted. This course teaches decentralized systems principles while guiding students through the development and testing of their own decentralized system incorporating messaging, encryption, and blockchain concepts.

This course introduces the basics of cryptography. We review several types of cryptographic primitives, when it is safe to use them and how to select the appropriate security parameters. We detail how they work and sketch how they can be implemented.

Related courses

Related lectures (5)

Related lectures

, , ,

To mitigate state exposure threats to long-lived instant messaging sessions, ratcheting was introduced, which is used in practice in protocols like Signal. However, existing ratcheting protocols generally come with a high cost. Recently, Caforio et al. proposed pragmatic constructions, which compose a weakly secure 'light' protocol and a strongly secure 'heavy' protocol, in order to achieve so-called ratcheting on-demand. The light protocol they proposed has still a high complexity. In this paper, we propose the lightest possible protocol we could imagine, which essentially encrypts and then hashes the secret key. We prove it secure in the standard model by introducing a new security notion, which relates symmetric encryption with key updates by hashing. Our protocol composes well with the generic transformation techniques by Caforio et al. to offer high security and performance at the same time. In a second step, we propose another protocol based on a newly defined integrated primitive, extending standard one-time authenticated encryption with an additional output block used as a secret key for the next message. We instantiate this primitive firstly from any authenticated encryption with associated data, and then we propose an efficient instantiation using advanced encryption standard (AES) encryption to update the key and AES-Galois/Counter mode of operation to encrypt and decrypt messages.

OXFORD UNIV PRESS2022

The Competition for Authenticated Encryption: Security, Applicability and Robustness (CAESAR) has as its official goal to “identify a portfolio of authenticated ciphers that offer advantages over [the Galois-Counter Mode with AES]” and are suitable for widespread adoption.” Each of the 15 candidate schemes competing in the currently ongoing 3rd round of CAESAR must clearly declare its security claims, i.e. whether it can tolerate nonce misuse, and what is the maximal data complexity for which security is guaranteed. These claims appear to be valid for all 15 candidates. Interpreting “Robustness” in CAESAR as the ability to mitigate damage when security guarantees are void, we describe attacks with 64-bit complexity or above, and/or with nonce reuse for each of the 15 candidates. We then classify the candidates depending on how powerful does an attacker need to be to mount (semi-)universal forgeries, decryption attacks, or key recoveries. Rather than invalidating the security claims of any of the candidates, our results provide an additional criterion for evaluating the security that candidates deliver, which can be useful for e.g. breaking ties in the final CAESAR discussions.

2018

, ,

We propose pure OMD (p-OMD) as a new variant of the Offset Merkle-Damgård (OMD) authenticated encryption scheme. Our new scheme inherits all desirable security features of OMD while having a more compact structure and providing higher efficiency. The original OMD scheme, as submitted to the CAESAR competition, couples a single pass of a variant of the Merkle-Damgård (MD) iteration with the counter-based XOR MAC algorithm to provide privacy and authenticity. Our improved p-OMD scheme dispenses with the XOR MAC algorithm and is purely based on the MD iteration; hence, the name ``pure'' OMD. To process a message of

\ell

blocks and associated data of

a

blocks, OMD needs

\ell+a+2

calls to the compression function while p-OMD only requires max{

\ell, a

2

calls. Therefore, for a typical case where

\ell \geq a

, p-OMD makes just

\ell+2

calls to the compression function; that is, associated data is processed almost freely compared to OMD. We prove the security of p-OMD under the same standard assumption (pseudo-randomness of the compression function) as made in OMD; moreover, the security bound for p-OMD is the same as that of OMD, showing that the modifications made to boost the performance are without any loss of security.

Springer2015

, ,

\ell