Re: Padding twice in GCM - why?



On Apr 8, 8:58 am, TRNG <T...@xxxxxxxxxxxxxxxxxx> wrote:
> Hi,
>
> In the GHASH calculation in GCM, the input to the GF multiplier is padded
> to a block boundary with zeros *twice*, first at the end of the
> "AAD" (authenticated but not encrypted data), and then again at the end
> of the ciphertext.
>
> I can understand that the concatenation of the AAD and ciphertext must be
> padded to match the block size, but this could be achieved with just one
> lot of padding at the end of the ciphertext.
>
> Questions:
> 1.  Is there a security advantage to padding twice?  (Or, put another
> way, if the padding at the end of AAD was removed, would there be any
> reduction in the security?)
> Or is it just an implementation thing?

Padding (unless it includes non-static elements) has no real
implications in security.

> 2.  If it is just an implementation thing, can someone please suggest a
> reason why padding twice would be simpler than padding once, particularly
> with respect to high-speed hardware designs?

It's a matter of practicality. The goal was to make adding IV, AAD,
and plaintext be distinct phases so your GFM can be pipelined. If you
needed to wait a cycle so you can coalesce plaintext and AAD [or AAD
and IV] it'd waste time.

Even in software though it's handy. In LTC for example, GCM operates
in "modes" (much like states in a FSM) and it transitions from IV to
AAD to PT modes as you progress; at each transition point the GHASH
computation is "up to date", so that the next stage need not really
concern itself with the previous.

Tom
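The structure Tom describes, as an added example (this is not code from the original post, from LibTomCrypt, or from any other library): a minimal GHASH in Python that computes the authenticator the way the spec writes it, A || 0^v || C || 0^u || [len(A)]64 || [len(C)]64, computes it again as separate AAD and ciphertext phases, and compares both with the pad-once variant the question proposes. The hash key H and ciphertext C come from the GCM specification's Test Case 2 (all-zero key, IV and 16-byte plaintext); the header and ciphertext bytes used for the padding comparison are constructed here, and the function names are this example's own. Once the 64-bit lengths are appended, either layout encodes A and C unambiguously; the point the code makes is structural: with per-field padding, the GHASH state at the end of the AAD phase is already final, so the ciphertext phase (or a separate pipeline stage) can continue from that state without looking back, whereas pad-once forces the first ciphertext bytes to share a block with the AAD tail whenever the AAD is not block-aligned.

```python
# GHASH from GCM (NIST SP 800-38D), written to show why the AAD and the
# ciphertext are each zero-padded to a block boundary. Added example; not
# code from the original post, LibTomCrypt, or any other library.

# Reduction constant for x^128 + x^7 + x^2 + x + 1 in GCM's bit-reflected order.
R = 0xE1000000000000000000000000000000


def gf_mul(x: int, y: int) -> int:
    """Multiply in GF(2^128) using GCM's convention (SP 800-38D Algorithm 1):
    bit x0 of a block is the most significant bit of the 128-bit integer."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def pad16(data: bytes) -> bytes:
    """Zero-pad to a multiple of 16 bytes (the 0^v / 0^u padding of the spec)."""
    return data + b"\x00" * (-len(data) % 16)


def blocks(data: bytes) -> list:
    """Split a block-aligned byte string into big-endian 128-bit integers."""
    return [int.from_bytes(data[i:i + 16], "big") for i in range(0, len(data), 16)]


def length_block(aad: bytes, ct: bytes) -> bytes:
    """[len(A)]_64 || [len(C)]_64, both lengths in bits."""
    return (8 * len(aad)).to_bytes(8, "big") + (8 * len(ct)).to_bytes(8, "big")


def ghash_update(h: int, y: int, blks: list) -> int:
    """Absorb blocks into a running GHASH state: Y_i = (Y_{i-1} xor X_i) * H."""
    for b in blks:
        y = gf_mul(y ^ b, h)
    return y


def ghash_spec(h: int, aad: bytes, ct: bytes) -> int:
    """GHASH_H(A || 0^v || C || 0^u || [len(A)]_64 || [len(C)]_64) in one pass."""
    return ghash_update(h, 0, blocks(pad16(aad) + pad16(ct) + length_block(aad, ct)))


def ghash_phased(h: int, aad: bytes, ct: bytes) -> int:
    """The same function, computed the way a pipelined or FSM-style
    implementation does it: the AAD phase ends on a block boundary, so its
    state is final before the first ciphertext block exists, and the
    ciphertext phase simply continues from that state."""
    y = ghash_update(h, 0, blocks(pad16(aad)))       # AAD phase, complete
    y = ghash_update(h, y, blocks(pad16(ct)))        # ciphertext phase
    return ghash_update(h, y, blocks(length_block(aad, ct)))  # length block


def ghash_single_pad(h: int, aad: bytes, ct: bytes) -> int:
    """Hypothetical pad-once layout from the question (name is this example's
    own): concatenate A||C, pad once, append lengths. This is NOT GCM; it is
    here only to show that the AAD tail and ciphertext head then share a block."""
    return ghash_update(h, 0, blocks(pad16(aad + ct) + length_block(aad, ct)))


# Known-answer values from the GCM specification, Test Case 2.
H_TC2 = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
C_TC2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
GHASH_TC2 = 0xF38CBB1AD69223DCC3457AE5B6B0F885

# Constructed inputs for the padding comparison (not from any test vector).
AAD_UNALIGNED = b"hdr"               # 3 bytes: gets 13 bytes of zero padding
AAD_ALIGNED = b"sixteen-byte-hdr"    # 16 bytes: needs no padding
CT_SAMPLE = bytes(range(1, 21))      # 20 bytes: spans two blocks

if __name__ == "__main__":
    assert ghash_spec(H_TC2, b"", C_TC2) == GHASH_TC2
    assert ghash_phased(H_TC2, b"", C_TC2) == GHASH_TC2
    print("Test Case 2 GHASH: %032x" % ghash_spec(H_TC2, b"", C_TC2))
    for aad in (AAD_UNALIGNED, AAD_ALIGNED):
        spec = ghash_spec(H_TC2, aad, CT_SAMPLE)
        assert ghash_phased(H_TC2, aad, CT_SAMPLE) == spec
        once = ghash_single_pad(H_TC2, aad, CT_SAMPLE)
        print("AAD %-18r pad-twice %032x pad-once %s" % (
            aad, spec, "same" if once == spec else "differs"))
```

The second loop iteration shows the pad-once layout only coincides with GCM when the AAD happens to end on a block boundary; in every other case the phase boundary disappears, which is exactly the coalescing step a pipelined GF multiplier would have to wait for.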