Talk:Galois/Counter Mode

bx******

Well hello to all those super smart people involved in this violations of my basic human rights and intellectual property theft.

I guess you can only block me from reaching any kind of entity that can assist me.

Like Anthony Bates once said to me well that's the avatar that made the statement..

YOU WERE NEVER MEANT TO WAKE UP!!!

Strange statement 🤔.

Yes I'm awake hello 👋..

Merry Christmas 🎅  — Preceding unsigned comment added by 58.109.40.183 (talk) 08:42, 19 December 2023 (UTC)

Performance
The performance section should include the initialization cost. If the figure on this page is accurate, there would be one additional block cipher operation, and two more GF mults. Also, if the size of the IV is not 96 bits, you have to compute a GHASH.


 * The number will depend on the deinition of the initialization and the architecture of the overall system. One more cipher operation might be necessary to calculate H. Dimawik 01:25, 31 August 2006 (UTC)

Block cipher?
Does GCM need a block cipher or will a stream cipher work as well? It doesn't seem to require invertability of the underlying cipher to decrypt packets. Is this necessary for any of the security proofs? 198.205.32.94 13:32, 29 August 2006 (UTC)
 * Effectively, it is just using the cipher in CTR mode. I don't know why off hand you can't use a stream cipher.  Though through things like SP800-38D [iirc] it's being specified in the context of using AES. 209.217.122.41 16:06, 24 January 2007 (UTC) Tom St Denis
 * Yes, Galois/Counter Mode needs a block cipher, because you cannot run a stream cipher in counter mode, by definition. You can combine a stream cipher with a MAC based on polynomial multiplication in general, in fact, Google in particular does this a lot, but it will not be reasonable to call it GCM. Also, ChaCha20 can actually be likened to a block cipher in counter mode (because of the "Pos" words). The block "encryption" is not invertible, but that is not needed in counter mode either. Aragorn2 (talk) 12:20, 9 July 2019 (UTC)

Page move?
Should this page be moved to Galois/counter mode? Is this just another case of someone not knowing that you're not supposed to capitalize an initial letter merely beause it's in an article title? Or A Case Of A Computer Science Person Not Knowing That It Is Sometimes Permissible To Start A Word With A Lower-Case Letter? Or is it really obligatory to use capitals in this phrase? Michael Hardy (talk) 19:03, 2 August 2008 (UTC)
 * - Its called Galois/Counter Mode (GCM) in the specification. Looks like crypto modes are usually done with title caps. Bradhards (talk) 04:34, 11 April 2010 (UTC)
 * I have created the article with the current capitalization and simply copied it from the definition. CCM mode is capitalized differently, so feel free to move. Dimawik (talk) 04:56, 11 April 2010 (UTC)

Description
The algorithm should probably define u and v (per NIST 800-38D Algorithm 4 Step 4), but it is already feeling a bit too technical. Not sure of the best way to express this.Bradhards (talk) 04:34, 11 April 2010 (UTC)

Forging probability
The given probability of (n/2)^128 for a message of n*128 bits length can't be correct, as for a 256 bit message, the probability would reach 1.0 and even exceed this value for lengths >256 Bits. However, I can't appropriately describe the forging probability from the paper. Any clarification would be appreciated. --2001:4DD0:FF00:20:0:0:0:2 (talk) 14:38, 9 January 2014 (UTC)

String of zeros
"where H is a string of 128 zeros" The input  to the   function is described as a "string of 128 zeros". I suspect what is meant is "128 zero bits", right? Otherwise, I would interpret this as a sequence of 128  bytes (character "0") followed by one   byte to terminate the string. That just feels like a very odd choice.

—octo 06:46, 17 February 2014 (UTC) — Preceding unsigned comment added by Octotron (talk • contribs)

Unclear Opening Sentence
I've just read the opening sentence three times and I'm not sure what it's trying to mean, so I've tried to break down the sentence by transforming it a few times:


 * GCM throughput rates for state of the art, high speed communication channels can be achieved with reasonable hardware resources
 * (GCM throughput rates) for (state of the art, high speed communication channels) (can be achieved) with (reasonable hardware resources)
 * (reasonable hardware resources) (can achieve) (GCM throughput rates) for (communication).
 * (hardware) (can communicate at) (GCM throughput rates)

So, the rate at which GCM can read in and output encrypted data is the limiting factor for communication encrypted with GCM. ...Otherwise it wouldn't be a communication encrypted with GCM.

What's the point of that sentence, aside from adding filler? What's the author trying to say, and can we say it more clearly? -- 2620:72:0:41C:5007:55A:7C13:F2BA (talk) 19:25, 5 December 2014 (UTC)


 * I think it's trying to say that GCM can keep up with the speeds of current network hardware. But I agree that's a very vague way of saying it.
 * What distinguishes GCM from more classical authentication systems like HMAC is that it incurs much less overhead by piggybacking authentication on the same cipher as used for encryption, I guess that's the actual point. -- intgr [talk] 22:53, 5 December 2014 (UTC)

GHASH formula
The function len is not defined. I would guess that it yields a 64-bit value that is the length of the parameter. Is it the length in blocks, the length in bits, or something else? Is it big-endian?

The whole formulation looks really awkward. How about something along these lines:

Let S be zero_block || pad(A) || pad(C) || len64(A) || len64(C) -- a sequence of 128-bit blocks (first subscript 1) Let X[i] = zero_block  for i = 0 (X[i-1] xor S[i]). H   for i <= length(s)

zero_block, len64 and pad have the obvious meanings, but must be spelled out.

If it is really true that only X[i] is of interest, then this can be made even more clear.

GHASH(H, A, C) = f(pad(A) || pad(C) || len64(A) || len64(C)) where f(empty) = zero_block and f(sequence || block) = (f(sequence) xor block). H DHR (talk) 22:30, 29 November 2015 (UTC)

Basic Operation
"The Galois Mult function then combines the ciphertext with an authentication code [...]" The term "authentication code" is confusing. It does not appear in the diagram, and its use in the specification contradicts the sentence above.

"The encrypted text then contains the IV, cipher text, and authentication code." To my understanding that should rather be "The encrypted text then contains the IV, cipher text, and authentication tag."

Similar security properties to an HMAC?
"The Galois Mult function then combines the ciphertext with an authentication code in order to produce an authentication tag that can be used to verify the integrity of the data. The encrypted text then contains the IV, cipher text, and authentication code. It therefore has similar security properties to an HMAC." I think this is wrong and misleading. Unlike GCM a HMAC does not have the 64GiB limit and most importantly it is not susceptible to nonce-reuse attacks. If nobody objects I will delete this sentence. KizzyCode (talk) 00:01, 3 July 2018 (UTC)
 * Agreed. KMeyer (talk) 19:32, 9 September 2018 (UTC)

Capitals
User:Michael Hardy hmm, algorithm or proper name/standard? Topic seems WP:COMMONNAME GCM, but normally capitalised Galois/Counter Mode. Other modes and similar things seem to be commonly capitalised in sources, e.g. Poly1305. I can see it both ways. Widefox ; talk 23:28, 5 September 2018 (UTC)
 * No discussion, so undid pending consensus for such a move, especially as many of these articles are capital. Widefox ; talk 13:40, 8 September 2018 (UTC)
 * Yep. Seems to be capitalized everywhere I look, e.g. NIST and gscholar. Suffusion of Yellow (talk) 16:14, 8 September 2018 (UTC)

Mathematical Description is unintelligible to a non-expert
What is X? Is the output a string of blocks, X0, X1, etc.? In which case I am sure that the first block is not always 0 as suggested by the description. And when I was at school 0^x = 0, always.

One should not need to be an expert in Finite Field notations to understand the basic algorithm. Tuntable (talk) 01:07, 10 October 2018 (UTC)

"GCM encryption operation" schematic counter error ?
Regarding NIST SP 800-38D, the counter start at 1, not at 0. So tag is xored with Ek(Counter = IV||1), and the first data packet is xored with Counter IV||2, next with Counter IV||3 etc... Perhpas, it's could be more clear if the schematic will be updated with counter 1, counter 2, counter 3 instead of counter 0, counter 1, counter 2 ? — Preceding unsigned comment added by 91.158.238.138 (talk • contribs)


 * I agree, the figure should be fixed. I wasted nearly an hour and half trying to fix a problem in my QUIC payload decryption. I tried various counters for the first data block: first 1 then 0. After hour and half, I gave up and cheated: I checked my implementation against another GCM implementation and saw they differed. Then I noticed my implementation generated the correct stream but later, and found that I have to start counting from 2 if I start from data blocks (the authentication uses the counter 1). Then I checked if this is really the case, looked at another GCM implementation source code, and indeed, the authentication uses counter 1 and data starts from counter 2. 91.158.238.138 (talk) 17:04, 25 September 2022 (UTC)

Differences for 256-bit version?
The article discusses the 128-bit version. It would be nice to know how IV is aligned for the 256-bit version which is gaining popularity. — Preceding unsigned comment added by 2603:8001:b300:b900:7285:c2ff:fe57:7727 (talk • contribs)
 * GCM-256 uses a 256-bit key. Everything else stays the same. --Dimawik (talk) 22:04, 27 December 2022 (UTC)

Silicon labs
There is a paragraph in our article dedicated to the adoption of GCM by Silicon Labs, with source being the company blog. Since most chipmakers in the universe use GCM for the very same reasons, perhaps, this text should be deleted. Dimawik (talk) 17:14, 17 October 2023 (UTC)