Python Implementation

    def pad(data):
        # PKCS#7: append p copies of the byte p, with 1 <= p <= 16
        # (a whole extra block of 0x10 when the input is already aligned)
        p = 16 - len(data) % 16
        return data + bytes([p]) * p

    def unpad(data):
        # Reject malformed padding: empty or unaligned input, a pad byte outside 1..16,
        # or trailing bytes that do not all equal the pad byte
        if not data or len(data) % 16:
            raise ValueError("invalid padding")
        p = data[-1]
        if not 1 <= p <= 16 or any(x != p for x in data[-p:]):
            raise ValueError("invalid padding")
        return data[:-p]
GCM Mode Encryption
https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38d.pdf
[Diagram: AES-GCM encryption. J0 is derived from the IV (shown as a59c…0001). The counter blocks inc32(J0), inc32(inc32(J0)), … (a59c…0002, a59c…0003) are encrypted with Ek and XORed into the plaintext blocks to give the ciphertext blocks. The Associated Data, the ciphertext blocks and the final block [len(A)]64 || [len(C)]64 are fed through the ⊕ / MultH chain; its output XORed with Ek(J0) is the Auth Tag.]
CTR Mode: the left half of the diagram is plain CTR-mode encryption. Each counter block inc32(J0), inc32(inc32(J0)), … is encrypted with Ek and the output is XORed with one plaintext block to give one ciphertext block; the counter, not the plaintext, goes through the block cipher.
Authentication: the right half of the diagram is GHASH. The Associated Data blocks, then the ciphertext blocks, then the block [len(A)]64 || [len(C)]64 are each XORed into a running value that is then multiplied by H in GF(2^128) (MultH); the final value XORed with Ek(J0) is the Auth Tag.
• len is the length in bits, not bytes
• [10]64 → 000000000000000a (the length is encoded as a 64-bit big-endian integer)
• Anything that is not a multiple of 16 bytes is padded with \x00 at the end before it enters the MultH chain
Deriving J0
If len(IV) = 96: J0 = IV || 00000001
If len(IV) ≠ 96: J0 = GHASH_H(IV || 0^s || 0^64 || [len(IV)]64), where 0^s pads the IV to a multiple of 16 bytes. The padded IV blocks and the final block 0^64 || [len(IV)]64 are XORed into a running value and multiplied by H (MultH), exactly as in the authentication chain.
H = Ek(0): the hash subkey H used by MultH is the block cipher applied to the all-zero 128-bit block under the same key.
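The following is an added example, not code from the slides: a from-scratch AES-128-GCM encryptor in Python that implements every box in the diagram above and the three notes that follow it: H = Ek(0), the J0 derivation for both IV lengths, inc32 and the CTR keystream, and GHASH with \x00 padding and the [len(A)]64 || [len(C)]64 block in bits. It uses only the standard library; the function names are mine, and the AES code is textbook and not constant-time, so it is for studying the construction rather than for production. The values printed by the __main__ block are the GCM specification's test case 2 (zero key, zero 96-bit IV, one all-zero plaintext block).

```python
# Added example: a from-scratch AES-128-GCM encryptor following the SP 800-38D diagram.
# H = Ek(0^128); J0 from the IV; CTR encryption from inc32(J0); GHASH over the zero-padded
# A and C plus [len(A)]64 || [len(C)]64; tag = GHASH ⊕ Ek(J0). Textbook, not constant-time.
def _xtime(a):                                  # multiply by x in GF(2^8)
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a

def _gf_mul(a, b):                              # GF(2^8) multiply, AES polynomial
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _rotl8(b, n):
    return ((b << n) | (b >> (8 - n))) & 0xFF

# S-box from its definition: multiplicative inverse, then the affine map
_SBOX = [0] * 256
for _x in range(256):
    _inv = 0 if _x == 0 else next(_y for _y in range(1, 256) if _gf_mul(_x, _y) == 1)
    _SBOX[_x] = _inv ^ _rotl8(_inv, 1) ^ _rotl8(_inv, 2) ^ _rotl8(_inv, 3) ^ _rotl8(_inv, 4) ^ 0x63

def _expand_key(key):                           # AES-128 key schedule: 11 round keys
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:                          # RotWord, SubWord, xor Rcon
            t = [_SBOX[t[1]] ^ rcon, _SBOX[t[2]], _SBOX[t[3]], _SBOX[t[0]]]
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def _mix_column(a0, a1, a2, a3):
    return [_gf_mul(a0, 2) ^ _gf_mul(a1, 3) ^ a2 ^ a3, a0 ^ _gf_mul(a1, 2) ^ _gf_mul(a2, 3) ^ a3,
            a0 ^ a1 ^ _gf_mul(a2, 2) ^ _gf_mul(a3, 3), _gf_mul(a0, 3) ^ a1 ^ a2 ^ _gf_mul(a3, 2)]

def aes128_encrypt_block(key, block):
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [_SBOX[b] for b in s]                              # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]    # ShiftRows (column-major state)
        if rnd != 10:                                         # MixColumns, skipped in round 10
            s = [v for c in range(4) for v in _mix_column(*s[4 * c:4 * c + 4])]
        s = [b ^ k for b, k in zip(s, rk[rnd])]               # AddRoundKey
    return bytes(s)

def _gf128_mul(x, y):                           # SP 800-38D Algorithm 1; bit 0 is the MSB
    R = 0xE1 << 120                             # R = 11100001 || 0^120
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def ghash(h, a, c):
    # A and C are each zero-padded to a 16-byte multiple, then [len(A)]64 || [len(C)]64
    # is appended; the lengths are bit lengths, encoded as 64-bit big-endian integers
    data = (a + bytes(-len(a) % 16) + c + bytes(-len(c) % 16)
            + (8 * len(a)).to_bytes(8, "big") + (8 * len(c)).to_bytes(8, "big"))
    hi, y = int.from_bytes(h, "big"), 0
    for i in range(0, len(data), 16):           # Y_i = (Y_{i-1} ⊕ X_i) · H
        y = _gf128_mul(y ^ int.from_bytes(data[i:i + 16], "big"), hi)
    return y.to_bytes(16, "big")

def derive_j0(h, iv):
    if len(iv) == 12:                           # 96-bit IV: J0 = IV || 00000001
        return iv + b"\x00\x00\x00\x01"
    # otherwise J0 = GHASH_H(IV || 0^s || 0^64 || [len(IV)]64), which is ghash()
    # with an empty A and the IV in the role of C
    return ghash(h, b"", iv)

def inc32(block):                               # increment the low 32 bits mod 2^32
    ctr = (int.from_bytes(block[12:], "big") + 1) & 0xFFFFFFFF
    return block[:12] + ctr.to_bytes(4, "big")

def gcm_encrypt(key, iv, plaintext, aad=b""):
    h = aes128_encrypt_block(key, bytes(16))    # H = Ek(0^128)
    j0 = derive_j0(h, iv)
    ct, ctr = b"", inc32(j0)                    # the first data counter is inc32(J0)
    for i in range(0, len(plaintext), 16):
        ks = aes128_encrypt_block(key, ctr)     # CTR-mode keystream block
        ct += bytes(p ^ k for p, k in zip(plaintext[i:i + 16], ks))
        ctr = inc32(ctr)
    s = ghash(h, aad, ct)
    tag = bytes(x ^ y for x, y in zip(s, aes128_encrypt_block(key, j0)))  # GHASH ⊕ Ek(J0)
    return ct, tag

if __name__ == "__main__":
    # GCM spec test case 2: zero key, zero 96-bit IV, one all-zero plaintext block
    ct, tag = gcm_encrypt(bytes(16), bytes(12), bytes(16))
    print("C =", ct.hex(), "T =", tag.hex())
```

Two details worth checking against the diagram: with an empty plaintext and no AAD, GHASH processes only the all-zero length block and returns 0, so the tag is simply Ek(J0) (the spec's test case 1); and derive_j0 for a non-96-bit IV reuses ghash with the IV in the position of C, because the spec's IV || 0^s || 0^64 || [len(IV)]64 is exactly the padded-C-plus-length layout with len(A) = 0.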