GCM implementations of Camellia-128 and SMS4 by optimizing the polynomial multiplier

Abstract

In some scenarios, the cryptographic primitives should support more than one functionality. Authenticated Encryption/Verified Decryption (AEVD) combines encryption and authentication at the same time, which is useful in communication protocols (DNS, IPSEC, etc.). Nevertheless, authenticated encryption needs some optimizations to ensure fast performance. One solution could be the use of the Galois Counter Mode (GCM) scheme. To reach fast performances, this work broadens some GCM models described in Chakraborty et al.’s [D. Chakraborty, C. Mancillas Lopez, F. Rodriguez Henriquez, P. Sarkar, Efficient hardware implementations of BRW polynomials and tweakable enciphering schemes, Comput IEEE Trans 62 (2) (2013) 279–294, doi:10.1109/TC.2011.227] work with two changes. The first one is focused on speeding-up the polynomial multiplier necessary to perform the authentication process. That polynomial multiplier is extended for supporting four stages, based on the well-known Karatsuba–Ofman algorithm. The second one is the modification of two known block ciphers such as Camellia-128 and SMS4 with the GCM scheme. The constructed GCM is able to support variable-length messages greater than 512 bits. The throughput of the polynomial multiplier is greater than 28 Gbps for all the tested platforms. The independent block ciphers in encryption-only mode reach a throughput greater than 28 Gbps, and for all the GCM cases reported in this manuscript the throughput is greater than 9.5 Gbps.

Introduction

Several applications need to support authentication and integrity tasks. Mainly, those which need to ensure that a message has been received without modifications during the communication process. Public key cryptography might be a solution, but due to its computation cost it cannot be useful. In real application, public key cryptography is complemented with fast symmetric cryptographic primitives as we can find in the Socket Security Layer (SSL) protocol, where a stage based on public key cryptography establishes a symmetric key session and authentication of the pairs using digital certificates. After that, symmetric encryption is used to encrypt and authenticate the communication until the SSL session finishes. Then, it is necessary to develop new strategies to ensure the integrity and privacy of a message depending on a given scenario. One of them is the proposed by McGrew and Viega, denoted as Galois Counter Mode operation (GCM) [17], which offers this two services. In addition to that properties, the GCM is aimed at scenarios where speed is the main constraint to be optimized. Some examples can be found in communication systems like wired and wireless networks, optic fiber, digital TV, etc.

The main feature that the GCM schemes hold is the use of universal hashing constructed with polynomial multipliers. Their use is associated to some desirable properties: scalability and versatility. The former refers that the use of a polynomial multiplier does not increase the complexity of the complete cryptographic primitive/algorithm related to efficiency and performance. The latter means that a polynomial multiplier can be arranged into different architectures either sequential, parallel or pipeline. Additionally, the use of a key enhances the hashing properties of this scheme.

The content of this manuscript is divided as follows. Section 2 lists the different AEVD schemes. Section 3 describes the mathematical operations involved in Camellia-128 and SMS4. Section 4 refers to the typical GCM schemes. Section 5 lists works regarding Camellia-128 and SMS4 into GCM schemes and additional examples with the Advanced Encryption Standard (AES). Section 6 describes the pipeline versions of Camellia-128, SMS4 and their inclusion into the GCM scheme. Section 7 describes the results of the GCM schemes and Section 8 summarizes the conclusions of this work.

Let X and Y be binary strings, X||Y is their concatenation and |X| is the length of X in bits. $A=A_1\parallel A_2\parallel ...\parallel A_m,$$P=P_1\parallel P_2\parallel ...\parallel P_t$ and $C=C_1\parallel C_2\parallel ...\parallel C_t$ are associated data, plaintext and ciphertext respectively. $|A_j|=|P_i|=|C_i|=n$ for 1 ≤ j < m, 1 ≤ i < t. For last blocks |A_m| ≤ n and $|P_t|=|C_t|\le n,$ they can also be treated as polynomials in GF(2ⁿ). E_K(X) is the encryption of X using the underlying block cipher with key K, and the block size is n. MSB_u(X) refers to the u most significant bits of X. {x}^q refers to a sequence of q bits, where x ∈ {0, 1}. In this work $n=128$.