Efficient implementation of the Galois Counter Mode using a carry-less multiplier and a fast reduction algorithm

https://doi.org/10.1016/j.ipl.2010.04.011

Abstract

This paper describes a new method for efficient implementation of the Galois Counter Mode on general purpose processors. Our approach is based on three concepts: a) having a 64-bit carry-less multiplication instruction in the processor; b) a method for using this instruction to efficiently multiply binary polynomials of degree 127; c) a method for efficient reduction of a binary polynomial of degree 254, modulo the polynomial x^128 + x^7 + x^2 + x + 1 (which defines the finite field of the Galois Counter Mode). The latter two concepts can be used for writing an efficient and lookup-table-free software implementation of the Galois Counter Mode, for processors that have a carry-less multiplication instruction. Our approach uses only a generic carry-less multiplication instruction, without any field-specific reduction logic, making the instruction applicable to multiple use cases, and therefore an appealing addition to the instruction set of a general purpose processor. This research played a significant role in the process that eventually led to adding a carry-less multiplication instruction (called PCLMULQDQ) to the Intel Architecture. PCLMULQDQ and six AES instructions are introduced in the new 2010 Intel Core processor family, based on the 32 nm Intel microarchitecture codename “Westmere”. On the new Westmere processors, the software that implements the methods described here computes AES-GCM more than six times faster than the current, lookup-table-based, state-of-the-art implementation. This new capability adds motivation to using AES-GCM for high-performance secure networking.
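The three concepts in the abstract, worked through as an added example (this is not the paper's code): a generic 64x64-to-128-bit carry-less multiply, emulated here bit by bit so the program runs on any CPU; a three-multiply Karatsuba product of two degree-127 polynomials; and a shift-based reduction modulo x^128 + x^7 + x^2 + x + 1 that folds the high 128 bits down in two steps using the shifts 1, 2, 7 and 63, 62, 57. The program then uses the resulting field multiplication for GHASH and checks it against test case 2 of the GCM specification (AES-128, all-zero key, one zero plaintext block). The function and type names are this example's own, and the explicit bit-reversal in gcm_load/gcm_store is one way to bridge GCM's bit ordering, chosen for clarity rather than speed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint64_t lo, hi; } poly128;   /* bit i of hi:lo = coefficient of x^i */
typedef struct { uint64_t w[4]; } poly256;     /* w[0] = lowest 64 coefficients */

/* Carry-less 64x64 -> 128 multiply; branch-free software stand-in for PCLMULQDQ. */
static poly128 clmul64(uint64_t a, uint64_t b)
{
    poly128 r = {0, 0};
    for (int i = 0; i < 64; i++) {
        uint64_t mask = 0 - ((b >> i) & 1);        /* all-ones iff bit i of b is set */
        r.lo ^= (a << i) & mask;
        r.hi ^= (i ? a >> (64 - i) : 0) & mask;   /* bits shifted past position 63 */
    }
    return r;
}

/* Degree-127 x degree-127 -> degree-254 with three clmul64 calls (Karatsuba):
 * (aL + aH*X)(bL + bH*X), X = x^64, middle term = mm - ll - hh. */
static poly256 clmul128(poly128 a, poly128 b)
{
    poly128 ll = clmul64(a.lo, b.lo), hh = clmul64(a.hi, b.hi);
    poly128 mm = clmul64(a.lo ^ a.hi, b.lo ^ b.hi);
    uint64_t mid_lo = mm.lo ^ ll.lo ^ hh.lo, mid_hi = mm.hi ^ ll.hi ^ hh.hi;
    return (poly256){{ ll.lo, ll.hi ^ mid_lo, hh.lo ^ mid_hi, hh.hi }};
}

/* Reduce modulo x^128 + x^7 + x^2 + x + 1. Since x^128 = x^7 + x^2 + x + 1, a word w
 * above bit 127 folds down as w ^ w<<1 ^ w<<2 ^ w<<7; the bits that spill past the
 * word boundary are carried by shifts of 63, 62, 57. Fold w[3], then the updated w[2]. */
static poly128 reduce128(poly256 p)
{
    uint64_t w3 = p.w[3];
    p.w[1] ^= w3 ^ (w3 << 1) ^ (w3 << 2) ^ (w3 << 7);
    p.w[2] ^= (w3 >> 63) ^ (w3 >> 62) ^ (w3 >> 57);
    uint64_t w2 = p.w[2];
    p.w[0] ^= w2 ^ (w2 << 1) ^ (w2 << 2) ^ (w2 << 7);
    p.w[1] ^= (w2 >> 63) ^ (w2 >> 62) ^ (w2 >> 57);
    return (poly128){ p.w[0], p.w[1] };
}

static poly128 gf128_mul(poly128 a, poly128 b) { return reduce128(clmul128(a, b)); }

/* GCM numbers block bits from the MSB of byte 0, so blocks are bit-reversed in and out. */
static poly128 gcm_load(const uint8_t *b)
{
    poly128 n = {0, 0};
    for (int i = 0; i < 128; i++) {
        uint64_t bit = (b[i >> 3] >> (7 - (i & 7))) & 1;
        if (i < 64) n.lo |= bit << i; else n.hi |= bit << (i - 64);
    }
    return n;
}

static void gcm_store(poly128 n, uint8_t out[16])
{
    memset(out, 0, 16);
    for (int i = 0; i < 128; i++) {
        uint64_t bit = i < 64 ? (n.lo >> i) & 1 : (n.hi >> (i - 64)) & 1;
        out[i >> 3] |= (uint8_t)(bit << (7 - (i & 7)));
    }
}

/* GHASH over whole blocks: Y_i = (Y_{i-1} ^ X_i) * H, Y_0 = 0; last X_i = len(A)||len(C). */
static void ghash(const uint8_t h[16], const uint8_t *blocks, size_t n, uint8_t out[16])
{
    poly128 hp = gcm_load(h), y = {0, 0};
    for (size_t i = 0; i < n; i++) {
        poly128 x = gcm_load(blocks + 16 * i);
        x.lo ^= y.lo; x.hi ^= y.hi;
        y = gf128_mul(x, hp);
    }
    gcm_store(y, out);
}

/* GCM spec test case 2: H = E_K(0) under the zero key, one ciphertext block, no AAD,
 * followed by the length block len(A) || len(C) = 0 || 128. Returns 1 on match. */
static int ghash_selftest(void)
{
    static const uint8_t h[16] = {0x66,0xe9,0x4b,0xd4,0xef,0x8a,0x2c,0x3b,
                                  0x88,0x4c,0xfa,0x59,0xca,0x34,0x2b,0x2e};
    static const uint8_t in[32] = {0x03,0x88,0xda,0xce,0x60,0xb6,0xa3,0x92,
                                   0xf3,0x28,0xc2,0xb9,0x71,0xb2,0xfe,0x78,
                                   0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0x80};
    static const uint8_t want[16] = {0xf3,0x8c,0xbb,0x1a,0xd6,0x92,0x23,0xdc,
                                     0xc3,0x45,0x7a,0xe5,0xb6,0xb0,0xf8,0x85};
    uint8_t out[16];
    ghash(h, in, 2, out);
    return memcmp(out, want, 16) == 0;
}

static int reduce_selftest(void)   /* x^64 * x^64 = x^128 must reduce to 0x87 */
{
    poly128 r = gf128_mul((poly128){0, 1}, (poly128){0, 1});
    return r.lo == 0x87 && r.hi == 0;
}

int main(void)
{
    int ok = reduce_selftest() && ghash_selftest();
    printf("self-tests %s\n", ok ? "passed" : "FAILED");
    return !ok;
}
```

On x86 the bit-serial clmul64 would be replaced by the PCLMULQDQ intrinsic and the structure above stays the same: four words in, a degree-254 product, two folds out. Because neither the multiply nor the reduction indexes memory with data-dependent values, the approach avoids the key-dependent table lookups of table-driven GHASH; the emulated clmul64 is written with masks rather than branches for the same reason.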


Cited by (33)

  • EliMAC: Speeding Up LightMAC by around 20%

    2023, IACR Transactions on Symmetric Cryptology
  • A New Interpretation for the GHASH Authenticator of AES-GCM

    2023, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
  • Fast: Disk encryption and beyond

    2022, Advances in Mathematics of Communications
  • Parallel Verification of Serial MAC and AE Modes

    2022, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)