
While examining the initial GCM specification by McGrew and Viega in 2005, the formation of the 128-bit Initialization Vector by combining a 96-bit nonce and a 32-bit unsigned wrapping counter seems somewhat random. This choice results in a repetition of the scrambling pattern every 2^32 16-byte blocks. During the analysis, it is puzzling why they subtracted 256 bits from 2^39 instead of utilizing 2^7 * 2^32 = 2^39 for the calculation. This decision to subtract 256 bits deviates from the expected outcome based on a straightforward multiplication of 2^7 and 2^32, resulting in 2^39.


1 Answer

Let's assume that GCM is used with a default-sized IV: a 12-byte nonce. Let's, for demonstration purposes, assume that we start off with an IV / nonce set to all zeros.

The first steps in GCM show how:

  1. Let $H = \operatorname{CIPH}_K(0^{128})$ - this is identical to the encryption of an all zero counter if the IV / nonce is set to all zeros;
  2. If $\operatorname{len}(IV)=96$, then let $J_0 = IV \| 0^{31} \|1$ - so here the initial counter for CTR mode is set to value 1;
  3. Let $C=\operatorname{GCTR}_K(\operatorname{inc32}(J_0), P)$.
  4. ...
  5. ...
  6. Let $T=\operatorname{MSB}_t(\operatorname{GCTR}_K(J_0, S))$ - and here are the rest of the counter values used.

So as you can see, the first block of all zeros is used in step 1 if the IV is all zeros, and the second counter calculated in step 2 is used to encrypt the value $S$ in step 6, which is the outcome of the GHASH over the ciphertext and the additional data.

This removes two 128-bit blocks, or 256 bits, from the total amount of bits available for the key stream generated by the counter mode, and as many bits from the plaintext that can be kept confidential by a single call to GCM.

Maarten Bodewes
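The counter bookkeeping described in the answer, as an added example that is not part of the original question or answer: it builds $J_0$ for a 96-bit IV, applies $\operatorname{inc32}$ with its 32-bit wrap, and shows that the counter sequence used for the key stream lands on $IV \| 0^{32}$ (the all-zero block that defines $H$ when the IV is all zeros) after $2^{32}-1$ increments and on $J_0$ itself after $2^{32}$, leaving $2^{32}-2$ key-stream blocks, i.e. $2^{39}-256$ plaintext bits. The block cipher is a stand-in (keyed SHA-256 truncated to 16 bytes, an assumption made so the script runs without a crypto library), not AES; the function names `stand_in_ciph`, `counter_block` and `reserved_blocks` are this example's own.

```python
"""Counter-block bookkeeping for GCM with a 96-bit IV (NIST SP 800-38D notation).

Added example, not code from the original post. The block cipher is a
stand-in so the script runs offline; replacing stand_in_ciph with AES-128
encryption of a single block gives the real GCM counter blocks.
"""
import hashlib

BLOCK = 16  # 128-bit blocks


def stand_in_ciph(key: bytes, block: bytes) -> bytes:
    """Placeholder for CIPH_K: a keyed, deterministic 128-bit function. NOT AES."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def inc32(block: bytes) -> bytes:
    """inc32: add 1 to the rightmost 32 bits modulo 2^32; the left 96 bits are untouched."""
    prefix, ctr = block[:12], int.from_bytes(block[12:], "big")
    return prefix + ((ctr + 1) & 0xFFFFFFFF).to_bytes(4, "big")


def j0(iv: bytes) -> bytes:
    """J0 = IV || 0^31 || 1 for a 96-bit IV (the only IV length this example handles)."""
    if len(iv) != 12:
        raise ValueError("this example only handles the 96-bit IV case")
    return iv + b"\x00\x00\x00\x01"


def counter_block(iv: bytes, n: int) -> bytes:
    """inc32 applied n times to J0, computed directly: low 32 bits = (1 + n) mod 2^32."""
    return iv + ((1 + n) & 0xFFFFFFFF).to_bytes(4, "big")


def gctr(key: bytes, icb: bytes, x: bytes) -> bytes:
    """GCTR_K(ICB, X): XOR X with CIPH_K(ICB), CIPH_K(inc32(ICB)), ...; last block may be partial."""
    out = bytearray()
    cb = icb
    for i in range(0, len(x), BLOCK):
        chunk = x[i:i + BLOCK]
        keystream = stand_in_ciph(key, cb)
        out += bytes(a ^ b for a, b in zip(chunk, keystream))
        cb = inc32(cb)
    return bytes(out)


def reserved_blocks(iv: bytes) -> dict:
    """The cipher inputs GCM spends outside the key stream, plus where the key stream starts."""
    return {
        "H_input": bytes(BLOCK),                 # step 1: H = CIPH_K(0^128)
        "tag_mask_input": j0(iv),                # step 6: T = MSB_t(GCTR_K(J0, S))
        "first_keystream_input": inc32(j0(iv)),  # step 3: C = GCTR_K(inc32(J0), P)
    }


def usable_keystream_blocks() -> int:
    """Counter values 2 .. 2^32-1 are available for P; value 0 (IV||0^32) and 1 (J0) are not."""
    return 2**32 - 2


def max_plaintext_bits() -> int:
    """(2^32 - 2) blocks of 128 bits = 2^39 - 256 bits per GCM call."""
    return usable_keystream_blocks() * 128


if __name__ == "__main__":
    iv = bytes(12)  # constructed all-zero IV, as in the answer's demonstration
    for name, blk in reserved_blocks(iv).items():
        print(f"{name:24s} {blk.hex()}")
    print("after 2^32-1 inc32 steps:", counter_block(iv, 2**32 - 1).hex())
    print("after 2^32   inc32 steps:", counter_block(iv, 2**32).hex())
    print("max plaintext bits:", max_plaintext_bits(), "= 2^39 - 256")
```

With the all-zero IV the printout makes the answer's point visible: the key stream starts at counter value 2, wraps onto the all-zero block (the input that defined $H$) after $2^{32}-1$ increments and onto $J_0$ (the tag mask input) one step later, so the plaintext limit is two blocks short of $2^{32}$ blocks.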