path: root/doc/source/crypto/macs.rst
blob: 7b8a8214d21bdaeb97683d02ccf6f0a5ee3a5ddd (plain)
Message Authentication Codes
============================

GHASH / Galois/Counter Mode (GCM) / GMAC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Galois/Counter Mode is a very well-known mode of operation for block ciphers which
was specified in [MV04]_. GMAC is an authentication-only variant of the algorithm.

While the original specification only considers block ciphers, GCM can also be specified
in terms of the Counter mode (CTR) of the block cipher. The counter mode transforms a
block cipher into a stream cipher. This makes it possible to replace the block cipher with
any stream cipher while preserving all security guarantees; therefore fastd allows GMAC to
be used with any supported stream cipher.

One particular issue with GCM/GMAC is that it is hard to implement in software.
It is usually implemented using lookup tables, which may exhibit cache-timing
side channels. This issue does not affect modern x86 CPUs that provide the PCLMUL
instruction, as PCLMUL performs carry-less multiplication without
a lookup table.
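
The following is an added example, not fastd's code: it implements the GHASH
multiplication in GF(2^128) both bit-serially and with the 4-bit lookup tables
that software implementations typically use (so the difference in memory access
pattern is visible), and assembles a GMAC tag as ``GHASH xor pad``. The pad and
the hash key ``H`` are passed in as plain values, which is the point made above:
with a counter-mode or stream cipher they are just keystream blocks, and the hash
never touches the cipher. No block cipher is run; the constants are the published
GCM test vectors for an all-zero key and all-zero 96-bit IV (test cases 1 and 2 of
[MV04]_), and ``gf_mul_table``'s table layout is this example's own.

```python
"""GHASH over GF(2^128) and GMAC tag assembly.

Added example, not fastd code. The only constants below are the published
GCM test vectors for an all-zero key and all-zero 96-bit IV (test cases 1
and 2 of [MV04]); no block cipher is run here.
"""

# GCM reduction constant: x^128 = x^7 + x^2 + x + 1, written in the spec's
# bit-reflected representation as R = 11100001 || 0^120.
R = 0xE1 << 120


def gf_mul(x: int, y: int) -> int:
    """Bit-serial carry-less multiply in GF(2^128), Algorithm 1 of [MV04].

    Operands are 128-bit integers read big-endian from bytes; the leftmost
    (most significant) bit is GCM bit 0 and represents x^0.  The only
    data-dependent step is the branch on a bit of x; no memory access depends
    on the data, which is also what PCLMUL-based code achieves, without even
    the branch.
    """
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v                              # add y * x^i
        v = (v >> 1) ^ R if v & 1 else v >> 1   # v *= x, reduce on overflow
    return z


def gf_mul_table(x: int, y: int) -> int:
    """The same product with 4-bit lookup tables, the usual software approach.

    T[n] holds (n in GCM bits 0..3) * y, RED[n] the reduced value of n * x^4.
    Both tables are indexed by nibbles of the data being hashed, so the cache
    lines touched depend on x: that is the cache-timing side channel the
    text refers to.
    """
    T = [gf_mul(n << 124, y) for n in range(16)]
    RED = [gf_mul(n, 1 << 123) for n in range(16)]   # 1 << 123 is x^4
    z = 0
    for k in range(31, -1, -1):                  # Horner, last nibble first
        z = (z >> 4) ^ RED[z & 0xF]              # z *= x^4, with reduction
        z ^= T[(x >> (124 - 4 * k)) & 0xF]
    return z


def _blocks(data: bytes):
    """Split into 128-bit big-endian integers, zero-padding the last block."""
    data += b"\x00" * (-len(data) % 16)
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16], "big")


def ghash(h: int, aad: bytes, ct: bytes, mul=gf_mul) -> int:
    """GHASH_H(A, C): Horner evaluation over AAD blocks, ciphertext blocks
    and the final block holding both bit lengths."""
    x = 0
    for blk in list(_blocks(aad)) + list(_blocks(ct)):
        x = mul(x ^ blk, h)
    lengths = ((len(aad) * 8) << 64) | (len(ct) * 8)
    return mul(x ^ lengths, h)


def gmac_tag(h: int, pad: int, aad: bytes, ct: bytes) -> bytes:
    """Tag = GHASH_H(A, C) xor pad.

    In GCM, H = E_K(0^128) and pad = E_K(J0).  Under a CTR-style stream cipher
    both are just keystream blocks, which is why the construction carries
    over to any stream cipher: GHASH itself never touches the cipher.
    """
    return (ghash(h, aad, ct) ^ pad).to_bytes(16, "big")


# Published GCM test vectors (zero key, zero IV): H = E_K(0), PAD = E_K(J0),
# C = ciphertext of one all-zero plaintext block.
H = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
PAD = 0x58E2FCCEFA7E3061367F1D57A4E7455A
C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")

if __name__ == "__main__":
    print("tag(empty)    ", gmac_tag(H, PAD, b"", b"").hex())   # test case 1
    print("tag(one block)", gmac_tag(H, PAD, b"", C).hex())     # test case 2
    print("tables agree  ", ghash(H, b"", C, gf_mul_table) == ghash(H, b"", C))
```

The two multipliers give identical results; what differs is that ``gf_mul_table``
indexes ``T`` and ``RED`` with nibbles of the data, so which table entries are
loaded (and therefore which cache lines are touched) depends on the input.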

UHASH / UMAC
~~~~~~~~~~~~

The `UMAC <http://en.wikipedia.org/wiki/UMAC>`_ message authentication code
defined in [RFC4418]_ is built from a strongly universal hash function: the
`universal hash function <http://en.wikipedia.org/wiki/Universal_hashing>`_
UHASH is applied to the message and its output is XORed with a pad generated by a block cipher such as AES.

In fastd, the pad can be generated by any supported stream cipher, and the
key derivation function specified in the RFC has been replaced by HKDF.

The UHASH function is optimized for efficient implementation in software on
32-bit CPUs. Therefore UMAC is much more performant than GMAC, especially
on embedded systems, and does not exhibit any timing side channels.
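
As an added example (not fastd's or RFC 4418's code), the block below shows the
NH layer that makes UHASH cheap on 32-bit CPUs, derives its key words with HKDF as
the text describes, and forms a tag as ``hash xor pad`` with the pad supplied as
bytes, so any stream cipher can produce it. Assumptions: the NH pairing is the
textbook adjacent-word one rather than the RFC's exact word interleaving, the
RFC's further POLY and inner-product layers are left out, HKDF uses SHA-256, and
the HKDF labels and key sizes are made up here. The HKDF assertion uses the
published RFC 5869 test vector.

```python
"""NH layer of UHASH and the UMAC "hash xor pad" structure.

Added example, not fastd or RFC 4418 code.  Assumptions: the NH word pairing
below is the textbook one (adjacent words), not the RFC's exact word
interleaving, and the RFC's POLY and inner-product layers are omitted; HKDF
uses SHA-256; the HKDF labels and key lengths are made up for the example;
the pad comes from whatever stream cipher the caller uses and is passed in.
"""
import hashlib
import hmac
import struct

MASK32 = (1 << 32) - 1
MASK64 = (1 << 64) - 1


def nh(key_words, msg: bytes) -> int:
    """NH: sum over word pairs of ((m1 + k1) mod 2^32) * ((m2 + k2) mod 2^32), mod 2^64.

    Words are little-endian 32-bit integers as in RFC 4418; the message is
    zero-padded to whole pairs.  Everything is 32-bit addition and 32x32->64
    multiplication: no tables and no data-dependent branches, which is why
    it is both fast on 32-bit CPUs and free of timing side channels.
    """
    msg += b"\x00" * (-len(msg) % 8)
    words = struct.unpack("<%dI" % (len(msg) // 4), msg)
    if len(words) > len(key_words):
        raise ValueError("message longer than the NH key allows")
    acc = 0
    for i in range(0, len(words), 2):
        a = (words[i] + key_words[i]) & MASK32        # 32-bit wrap-around add
        b = (words[i + 1] + key_words[i + 1]) & MASK32
        acc = (acc + a * b) & MASK64                  # 64-bit accumulate
    return acc


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF-SHA256, RFC 5869 extract-then-expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def derive_keys(master_key: bytes, nh_words: int = 256):
    """Derive the NH key words and the pad cipher key from one master key
    with HKDF (the labels are this example's own choice)."""
    nh_key = hkdf(master_key, b"", b"example-nh-key", 4 * nh_words)
    pad_key = hkdf(master_key, b"", b"example-pad-key", 32)
    return struct.unpack("<%dI" % nh_words, nh_key), pad_key


def umac_tag(nh_key, msg: bytes, pad: bytes) -> bytes:
    """Tag = NH(msg) xor pad.

    `pad` is the first 8 bytes of the stream cipher keystream for
    (pad_key, nonce); the hash never sees the cipher, so any stream cipher
    works, exactly as with the GMAC construction.
    """
    h = nh(nh_key, msg).to_bytes(8, "little")
    return bytes(x ^ y for x, y in zip(h, pad[:8]))


if __name__ == "__main__":
    nh_key, pad_key = derive_keys(b"\x00" * 32)
    # Constructed stand-in for a keystream block; a real implementation runs
    # the stream cipher keyed with pad_key under the message nonce instead.
    fake_pad = hkdf(pad_key, b"", b"nonce-0001", 8)
    print(umac_tag(nh_key, b"hello fastd", fake_pad).hex())
```

Note that the message length is bounded by the NH key length (one key word per
message word), which is why the RFC hashes the message in fixed-size blocks and
feeds the per-block NH results into a further polynomial layer.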

Bibliography
~~~~~~~~~~~~

.. [MV04]
   D. McGrew and J. Viega, "The Galois/counter mode of operation (GCM)", Submission
   to NIST Modes of Operation Process, 2004.

.. [RFC4418]
   T. Krovetz, "UMAC: Message Authentication Code using Universal Hashing",
   RFC4418 (Informational), Internet Engineering Task Force,
   2006. [Online] http://www.ietf.org/rfc/rfc4418.txt