Why doesn't the GCM spec use a more efficient multiplication algorithm?












5














NIST SP 800-38D § 6.3 Multiplication Operation on Blocks describes a multiplication algorithm that, in my testing, appears to be a good amount slower then algorithm 2.40 (arbitrary reduction polynomials) in the Guide to Elliptic Curve Cryptography.



My question is...why? Does the algorithm described in NIST SP 800-38D provide better protection against timing attacks?






encryption aes finite-field gcm ghash







share|improve this question





























    5














    NIST SP 800-38D § 6.3 Multiplication Operation on Blocks describes a multiplication algorithm that, in my testing, appears to be a good amount slower then algorithm 2.40 (arbitrary reduction polynomials) in the Guide to Elliptic Curve Cryptography.



    My question is...why? Does the algorithm described in NIST SP 800-38D provide better protection against timing attacks?






    encryption aes finite-field gcm ghash







    share|improve this question



























      5












      5








      5







      NIST SP 800-38D § 6.3 Multiplication Operation on Blocks describes a multiplication algorithm that, in my testing, appears to be a good amount slower then algorithm 2.40 (arbitrary reduction polynomials) in the Guide to Elliptic Curve Cryptography.



      My question is...why? Does the algorithm described in NIST SP 800-38D provide better protection against timing attacks?






      encryption aes finite-field gcm ghash







      share|improve this question















      NIST SP 800-38D § 6.3 Multiplication Operation on Blocks describes a multiplication algorithm that, in my testing, appears to be a good amount slower then algorithm 2.40 (arbitrary reduction polynomials) in the Guide to Elliptic Curve Cryptography.



      My question is...why? Does the algorithm described in NIST SP 800-38D provide better protection against timing attacks?






      encryption aes finite-field gcm ghash




      encryption aes finite-field gcm ghash






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Dec 19 at 18:27

























      asked Dec 19 at 4:25









      neubert

      1,2241529




      1,2241529






















          2 Answers
          2






          active

          oldest

          votes


















          9















          My question is... why?




          There are a number of different algorithms that perform $GF(2^{128})$ multiplication, all with different trade-offs (speed on specific platforms, program size, memory usage, complexity, side channel resistance, etc). NIST doesn't care which one you use, as long as you get the expected result at the end.



          As for why NIST decided to put that specific algorithm as an example in the spec, well, I didn't write the spec, so I can't be certain. My guess is that they decided on the goals of simplicity and clarity, and that algorithm was the best they could find that would meet those goals (whether it is actually simpler or clearer than algorithm 2.40 is, of course, debatable...)






          share|improve this answer





























            -2














            GCM uses $GF(2^{128})$, sometimes called a binary finite field, whose elements are polynomials with coefficients in $GF(2)$ (i.e. zero/one bits under the xor operation).



            Binary fields are awkward to implement in software, but are easier to implement (and efficient) in hardware. This is probably the reason why NIST picked it up.



            According to this NIST website:




            GCM was designed to faciliate high-throughput hardware implementations







            share|improve this answer





















              Your Answer





              StackExchange.ifUsing("editor", function () {
              return StackExchange.using("mathjaxEditing", function () {
              StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
              StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
              });
              });
              }, "mathjax-editing");

              StackExchange.ready(function() {
              var channelOptions = {
              tags: "".split(" "),
              id: "281"
              };
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function() {
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled) {
              StackExchange.using("snippets", function() {
              createEditor();
              });
              }
              else {
              createEditor();
              }
              });

              function createEditor() {
              StackExchange.prepareEditor({
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: false,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: null,
              bindNavPrevention: true,
              postfix: "",
              imageUploader: {
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              },
              noCode: true, onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              });


              }
              });














              draft saved

              draft discarded


















              StackExchange.ready(
              function () {
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f65979%2fwhy-doesnt-the-gcm-spec-use-a-more-efficient-multiplication-algorithm%23new-answer', 'question_page');
              }
              );

              Post as a guest















              Required, but never shown

























              2 Answers
              2






              active

              oldest

              votes








              2 Answers
              2






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              9















              My question is... why?




              There are a number of different algorithms that perform $GF(2^{128})$ multiplication, all with different trade-offs (speed on specific platforms, program size, memory usage, complexity, side channel resistance, etc). NIST doesn't care which one you use, as long as you get the expected result at the end.



              As for why NIST decided to put that specific algorithm as an example in the spec, well, I didn't write the spec, so I can't be certain. My guess is that they decided on the goals of simplicity and clarity, and that algorithm was the best they could find that would meet those goals (whether it is actually simpler or clearer than algorithm 2.40 is, of course, debatable...)






              share|improve this answer


























                9















                My question is... why?




                There are a number of different algorithms that perform $GF(2^{128})$ multiplication, all with different trade-offs (speed on specific platforms, program size, memory usage, complexity, side channel resistance, etc). NIST doesn't care which one you use, as long as you get the expected result at the end.



                As for why NIST decided to put that specific algorithm as an example in the spec, well, I didn't write the spec, so I can't be certain. My guess is that they decided on the goals of simplicity and clarity, and that algorithm was the best they could find that would meet those goals (whether it is actually simpler or clearer than algorithm 2.40 is, of course, debatable...)






                share|improve this answer
























                  9












                  9








                  9







                  My question is... why?




                  There are a number of different algorithms that perform $GF(2^{128})$ multiplication, all with different trade-offs (speed on specific platforms, program size, memory usage, complexity, side channel resistance, etc). NIST doesn't care which one you use, as long as you get the expected result at the end.



                  As for why NIST decided to put that specific algorithm as an example in the spec, well, I didn't write the spec, so I can't be certain. My guess is that they decided on the goals of simplicity and clarity, and that algorithm was the best they could find that would meet those goals (whether it is actually simpler or clearer than algorithm 2.40 is, of course, debatable...)






                  share|improve this answer













                  My question is... why?




                  There are a number of different algorithms that perform $GF(2^{128})$ multiplication, all with different trade-offs (speed on specific platforms, program size, memory usage, complexity, side channel resistance, etc). NIST doesn't care which one you use, as long as you get the expected result at the end.



                  As for why NIST decided to put that specific algorithm as an example in the spec, well, I didn't write the spec, so I can't be certain. My guess is that they decided on the goals of simplicity and clarity, and that algorithm was the best they could find that would meet those goals (whether it is actually simpler or clearer than algorithm 2.40 is, of course, debatable...)







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Dec 19 at 4:59









                  poncho

                  90.2k2139233




                  90.2k2139233























                      -2














                      GCM uses $GF(2^{128})$, sometimes called a binary finite field, whose elements are polynomials with coefficients in $GF(2)$ (i.e. zero/one bits under the xor operation).



                      Binary fields are awkward to implement in software, but are easier to implement (and efficient) in hardware. This is probably the reason why NIST picked it up.



                      According to this NIST website:




                      GCM was designed to faciliate high-throughput hardware implementations







                      share|improve this answer


























                        -2














                        GCM uses $GF(2^{128})$, sometimes called a binary finite field, whose elements are polynomials with coefficients in $GF(2)$ (i.e. zero/one bits under the xor operation).



                        Binary fields are awkward to implement in software, but are easier to implement (and efficient) in hardware. This is probably the reason why NIST picked it up.



                        According to this NIST website:




                        GCM was designed to faciliate high-throughput hardware implementations







                        share|improve this answer
























                          -2












                          -2








                          -2






                          GCM uses $GF(2^{128})$, sometimes called a binary finite field, whose elements are polynomials with coefficients in $GF(2)$ (i.e. zero/one bits under the xor operation).



                          Binary fields are awkward to implement in software, but are easier to implement (and efficient) in hardware. This is probably the reason why NIST picked it up.



                          According to this NIST website:




                          GCM was designed to faciliate high-throughput hardware implementations







                          share|improve this answer












                          GCM uses $GF(2^{128})$, sometimes called a binary finite field, whose elements are polynomials with coefficients in $GF(2)$ (i.e. zero/one bits under the xor operation).



                          Binary fields are awkward to implement in software, but are easier to implement (and efficient) in hardware. This is probably the reason why NIST picked it up.



                          According to this NIST website:




                          GCM was designed to faciliate high-throughput hardware implementations








                          share|improve this answer












                          share|improve this answer



                          share|improve this answer










                          answered Dec 19 at 14:12









                          Conrado

                          2,4101327




                          2,4101327






























                              draft saved

                              draft discarded




















































                              Thanks for contributing an answer to Cryptography Stack Exchange!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid



                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.


                              Use MathJax to format equations. MathJax reference.


                              To learn more, see our tips on writing great answers.





                              Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


                              Please pay close attention to the following guidance:


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid



                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.


                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function () {
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f65979%2fwhy-doesnt-the-gcm-spec-use-a-more-efficient-multiplication-algorithm%23new-answer', 'question_page');
                              }
                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              -

                              Popular posts from this blog

                              Сан-Квентин

                              Image
                              Сан-Квентин Местоположение Сан-Квентин, Калифорния Координаты 37°56′13″ с. ш. 122°29′20″ з. д. H G Я O L Текущий статус Действует Режим безопасности минимальный и максимальный Количество мест 3 302 Открытие Июнь 1852 Находится в ведомстве California Department of Corrections and Rehabilitation Начальник Mike Martel, начальник  Сан-Квентин на Викискладе Сан-Квентин (англ.  San Quentin ) — тюрьма, располагающаяся на 432 акрах (около 1,7 км²), на мысе Сан-Квентин, в округе Марин, штат Калифорния, США. Тюрьма штата Калифорния Сан-Квентин была открыта в июле 1852 года и является старейшей в штате. Она была построена заключёнными, которые проживали в течение строительства на тюремном судне Вабан. В Сан-Квентине отбывали наказание и мужчины, и женщины до 1934 года, когда построили женскую тюрьму в Техачапи и туда перевели всех заключённых женщин. В Сан-Квентине приводятся в исполнение смертные казни, для этого имеется газовая камера, но
                              Read more

                              Алькесар

                              Image
                              Муниципалитет Алькесар Alquézar Герб 42°10′16″ с. ш. 0°01′27″ в. д. H G Я O L Страна Испания   Испания Автономное сообщество Арагон Провинция Уэска Комарка Сомонтано-де-Барбастро Алькальд Хосе Марияно Альтемир Ласкорс (ИСРП) История и география Площадь 32,36 км² Высота НУМ 660 м Часовой пояс UTC+1, летом UTC+2 Население Население 313 человек ( 2010 ) Плотность 9,92 чел./км² Этнохороним alquezarano/-a Цифровые идентификаторы Телефонный код +34 974 Почтовые индексы 22112 Автомобильный код HU alquezar.org   (исп.) Показать/скрыть карты Алькесар Алькесар Алькесар  Аудио, фото и видео на Викискладе Алькесар (исп.  Alquézar ) — муниципалитет в Испании, входит в провинцию Уэска, в составе автономного сообщества Арагон. Муниципалитет находится в составе района (комарки) Сомонтано-де-Барбастро. Занимает площадь 32,36 км². Население — 321 челове
                              Read more

                              Josef Freinademetz

                              Image
                              San Ujöp (Giuseppe/Josef) Freinademetz Josef Freinademetz in abiti cinesi   Religioso e missionario   Nascita 15 aprile 1852 Morte 28 gennaio 1908 Venerato da Chiesa cattolica Beatificazione 1975 Canonizzazione 5 ottobre 2003 Ricorrenza 28 gennaio Manuale Ujöp Freinademetz noto anche come Giuseppe o Josef Freinademetz (Oies, 15 aprile 1852 – Taikia, 28 gennaio 1908) è stato un presbitero austriaco, membro della Società del Verbo Divino, fu missionario in Cina; è venerato come santo dalla Chiesa cattolica. .mw-parser-output .citazione-table{margin-bottom:.5em;font-size:95%}.mw-parser-output .citazione-table td{padding:0 1.2em 0 2.4em}.mw-parser-output .citazione-lang{vertical-align:top}.mw-parser-output .citazione-lang td{width:50%}.mw-parser-output .citazione-lang td:first-child{padding:0 0 0 2.4em}.mw-parser-output .citazione-lang td:nth-child(2){padding:0 1.2em} «Io amo la Cina e i cinesi; voglio morire in mezzo a loro, e tra loro
                              Read more