Galois Counter Mode (GCM) is an operation mode for the authenticated encryption block cipher system. The main feature of GCM is that GCM is fast, and provides confidentiality and integrity. GCM-Advanced Encryption Standard (GCM-AES) is among the most commonly seen, and is often applied to high speed transmission environment.
The data encryption of GCM is accomplished by a Counter (CTR) mode, and the authentication is achieved by a universal hash function based on Galois Field (GF). The authenticated encryption has four inputs, namely, secret key K, initialization vector IV, plaintext P, and additional authenticated data (ADD) A. P is divided into 128-bit blocks, expressed as {P1, P2, . . . , Pn*}, and A is divided into 128-bit blocks, expressed as {A1, A2, . . . , Am*}, where blocks Pn* and Am* are shorter than 128 bits.
The authentication and encryption has two outputs, namely, ciphertext C and authentication tag T. The ciphertext C has the same length with plaintext P, and the length of authentication tag T is denoted as t. The two outputs C and T are obtained via the following procedures:
                              H          =                      E            ⁡                          (                              K                ,                                  0                  128                                            )                                      ⁢                                  ⁢                              Y            0                    =                      {                                                                                                                                                        IV                          ⁢                                                                                                                                                                                  0                                  31                                                                ⁢                                1                                ⁢                                                                                                                                  ⁢                                if                                ⁢                                                                                                                                  ⁢                                                                  len                                  ⁡                                                                      (                                    IV                                    )                                                                                                                              =                              96                                                                                                                                                                                                                                                GHASH                            ⁡                                                          (                                                              H                                ,                                                                  {                                  }                                                                ,                                IV                                                            )                                                                                ⁢                                                                                                          ⁢                          otherwise                                                                                                      ⁢                                                                          ⁢                                      Y                    i                                                  =                                                                            incr                      ⁡                                              (                                                  Y                                                      i                            -                            1                                                                          )                                                              ⁢                                                                                  ⁢                    for                    ⁢                                                                                  ⁢                    i                                    =                  1                                            ,              …              ⁢                                                          ,                                                n                  ⁢                                                                          ⁢                                      C                    i                                                  =                                                                            P                      i                                        ⊕                                                                  E                        ⁡                                                  (                                                      K                            ,                                                          Y                              i                                                                                )                                                                    ⁢                                                                                          ⁢                      for                      ⁢                                                                                          ⁢                      i                                                        =                  1                                            ,              …              ⁢                                                          ,                                                n                  -                                      1                    ⁢                                                                                  ⁢                                          C                      n                      *                                                                      =                                                                            P                      n                      *                                        ⊕                                                                                            MSB                          u                                                ⁡                                                  (                                                      E                            ⁡                                                          (                                                              K                                ,                                                                  Y                                  n                                                                                            )                                                                                )                                                                    ⁢                                                                                          ⁢                      T                                                        =                                                            MSB                      t                                        ⁡                                          (                                                                        GHASH                          ⁡                                                      (                                                          H                              ,                              A                              ,                              C                                                        )                                                                          ⊕                                                  E                          ⁡                                                      (                                                          K                              ,                                                              Y                                0                                                                                      )                                                                                              )                                                                                                                              (        1        )            where E(K,X) denotes the block cipher encryption of the value X with the key K. MSBt(S) returns the bit string containing only the leftmost t bits of S. { } represents the empty bit string, whose length is zero. 0n denotes an n-bit zero sequence. The function incr( ) represents treating the least significant 32 bits on the right as a non-negative integer, adding 1, and then performing the modulo operation mod 232. In other words, incr(F∥I)=F∥(I+1)mod 232.
GHASH function is an operation of GCM. The function has three inputs, and generates a 128-bit hash value. The three inputs are A, C and H, where H is the value obtained by using the secret key K to encrypt the all-zero blocks. The following equation describes the output Xi in i-th step of GHASH function.
                              X          i                =                  {                                                                                          0                    ⁢                                                                                  ⁢                    for                    ⁢                                                                                  ⁢                    i                                    =                  0                                                                                                                                                                                                  (                                                                                    X                                                              i                                -                                1                                                                                      ⊕                                                          A                              i                                                                                )                                                ·                        H                                            ⁢                                                                                          ⁢                      for                      ⁢                                                                                          ⁢                      i                                        =                    1                                    ,                  …                  ⁢                                                                          ,                                      m                    -                    1                                                                                                                        (                                                                                    X                                                  m                          -                          1                                                                    ⊕                                                                                                    (                                                                                          A                                m                                *                                                            ⁢                                                                                                                                0                                                                      128                                    -                                    v                                                                                                  )                                                                                      )                                                    ·                          H                                                ⁢                                                                                                  ⁢                        for                        ⁢                                                                                                  ⁢                        i                                                              =                    m                                                                                                                                                                                                                    (                                                                                    X                                                              i                                -                                1                                                                                      ⊕                                                          C                                                              i                                -                                m                                                                                                              )                                                ·                        H                                            ⁢                                                                                          ⁢                      for                      ⁢                                                                                          ⁢                      i                                        =                                          m                      +                      1                                                        ,                  …                  ⁢                                                                          ,                                      m                    +                    n                    -                    1                                                                                                                        (                                                                                    X                                                  m                          +                          n                          -                          1                                                                    ⊕                                                                                                    (                                                                                          C                                n                                *                                                            ⁢                                                                                                                                0                                                                      128                                    -                                    u                                                                                                  )                                                                                      )                                                    ·                          H                                                ⁢                                                                                                  ⁢                        for                        ⁢                                                                                                  ⁢                        i                                                              =                                          m                      +                      n                                                                                                                                            (                                                                                    X                                                  m                          +                          n                                                                    ⊕                                                                                                    (                                                                                          len                                ⁡                                                                  (                                  A                                  )                                                                                            ⁢                                                                                                                                len                                  ⁡                                                                      (                                    C                                    )                                                                                                  )                                                                                      )                                                    ·                          H                                                ⁢                                                                                                  ⁢                        for                        ⁢                                                                                                  ⁢                        i                                                              =                                          m                      +                      n                      +                      1                                                                                                                              (        2        )            
In equation (2), v is the bit length of block Am*, ⊕ is the addition over GF(2128), and the multiplication is defined in GF(2128). A∥B represents the concatenation of two bit strings A and B.
In equation (2), GHASH function may be realized with the hardware architecture of FIG. 1. In FIG. 1, the core of the GHASH hardware architecture is a 128-bit parallel GF(2128) multiplier 101. The initial value of the hash value in register X is set to 0. In the first m clock cycles, the m blocks A1, A2, . . . , Am* are substituted into the right part of the equation one by one. Then, in the next n clock cycles, the n 128-bit blocks C1, C2, . . . , Cn−1, Cn of ciphertext C are substituted into the right part of the equation on the third line of (2). In the last cycle clock, len(A)∥len(C) is substituted into the right part of the equation of the last line of (2). By using the hardware architecture, m+n+1 clock cycles are required to compute the hash value.
As shown in FIG. 1, the temporary result Xi will be XOR-ed with the next input to AC register, and the result is feedback to the AC register to generate the next operand of GF(2128) multiplier 101. The other operand of GF(2128) multiplier 101 is H, which is stored in the H register.
In May 2005, D. A. McGrew et. al. disclosed the operation mode of GCM, in which a 64-bit or 128-bit block encryption is used simultaneously to provide authentication and encryption.
The papers by B. Young et. al. in June 2005 and by A. Satoh in May 2006 also disclosed a high-speed architecture to realize GCM-AES. Both architectures require m+n+1 clock cycles to execute the GHASH operation in GCM. Wherein n is the length of ciphertext and m is the length of authenticated data. The m+n+1 clock cycles may result in the latency of hardware.
U.S. Patent Publication No. 2006/0126835 disclosed a high-speed GCM-AES block cipher apparatus and method. The GCM-AES block cipher apparatus is realized with four modules, as shown in FIG. 2, namely, key expansion module 201, 8-round CTR-AES block cipher module 203, 3-round CTR-AES block cipher module 205, and GF(2128) multiplication module 207. The data to be encrypted is from 32/128-bit transformer 210. The encrypted data is inputted to 128/32-bit transformer 220.
The block encryption apparatus may be operated in 125 MHz low clock frequency, and provide a 2-Gbps link security function of an optical line termination (OTL) and an optical network unit (ONU) of an Ethernet passive optical network (EPON).