
I'm a beginner trying to understand some concepts in AES-GCM encryption, and I have a couple of questions that I'm struggling with:

  1. Why do we need associated data (AAD) in AES-GCM?
    I understand that associated data is public and not encrypted, but I don't quite get why it is needed. What role does it play in the encryption process?

  2. Why does the tag calculation in AES-GCM involve an XOR with the first output of AES (IV || 0)? From what I've read, the tag calculation performs an XOR operation at the last step with the first output of AES (using the IV). Why is this step necessary? Does it make the tag stronger or more secure in some way?

Maarten Bodewes
KAI

1 Answer

  1. Why do we need associated data (AAD) in AES-GCM? I understand that associated data is public and not encrypted, but I don't quite get why it is needed. What role does it play in the encryption process?

Associated data is not needed, but is useful in many applications. A secure AEAD scheme guarantees the confidentiality of the message and the integrity of the ciphertext and the AD. Essentially, AD is anything that has to be "authentic," but is not secret. Practical applications typically use AD to achieve some sort of "context-binding". Other examples are:

  • The double ratchet algorithm in Signal uses the AD to send ratchet public keys.
  • Authenticated key exchange (AKE) protocols such as one derived from SIGMA may use the AD to bind the identities of the protocol participants to the established session key.
  2. Why does the tag calculation in AES-GCM involve an XOR with the first output of AES (IV || 0)? From what I've read, the tag calculation performs an XOR operation at the last step with the first output of AES (using the IV). Why is this step necessary? Does it make the tag stronger or more secure in some way?

This is a good question. First, note that the value used in the last XOR is not AES(IV || 0), but rather AES(IV || 0..01). To understand why this XOR is done, it's useful to recall at a high level how authentication works. GMAC as used in GCM is built upon a general principle for building MACs from "weak" keyed hash functions (this is what GHASH is). These functions are weak because they only provide "blind" collision resistance (the adversary must output a colliding pair without seeing the function's outputs). This is enough to build a good and performant MAC; the insight is that we need to hide the hash output. In particular, knowledge of a collision is critical.

Now, there are many approaches to "hiding" outputs. The obvious one is to pass the hash function output to some other function, like a block cipher. Namely, $tag = E(k, H(k,msg))$. This works well, but there is a downside. The security of this MAC degrades quickly with the number of authenticated messages. Intuitively, although we hide the actual hash outputs, we don't hide collisions. The block cipher will always output the same output for the same $msg$. Consequently, we need a much lower collision probability, which requires a less efficient hash function.

We can achieve better performance by using a stronger method of hiding the hash output. This kind of construction originally used a one-time pad to hide the hash output. However, it is common to derive the pad from a keyed function like AES for practical usage. Consequently, we can tolerate slightly higher collision probabilities in the hash function.

Note that this approach also has downsides. Famously, nonce reuses in current AEAD modes are catastrophic (see GCM).

Marc Ilunga
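The following is an added worked example, not code from the question or the answer above. It reconstructs the GCM tag of the answer's description with nothing but Go's standard library: GHASH (the "weak keyed hash") is implemented by hand over GF(2^128) in GCM's bit ordering, its output is XORed with E_K(J0) where J0 = IV || 0^31 || 1 (the AES(IV || 0..01) value from the answer), and the result is checked against the tag that `crypto/cipher` produces. It then answers the first question operationally: the same ciphertext and tag are rejected by `Open` once the AAD differs. The key, IV, message and AAD are constructed for the demo; the by-hand path assumes a 96-bit IV, which is the only IV length it handles.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

func xor(a, b [16]byte) (c [16]byte) {
	for i := range c {
		c[i] = a[i] ^ b[i]
	}
	return
}

// gfMul is GF(2^128) multiplication in GCM's bit order (SP 800-38D Alg. 1):
// bit 0 is the MSB of byte 0, reduction constant R = 0xe1 || 0^120.
func gfMul(x, y [16]byte) (z [16]byte) {
	v := y
	for i := 0; i < 128; i++ {
		if x[i/8]&(0x80>>(i%8)) != 0 {
			z = xor(z, v)
		}
		lsb := v[15] & 1 // v = v*x: shift right, reduce if a bit fell off
		for j := 15; j > 0; j-- {
			v[j] = v[j]>>1 | v[j-1]<<7
		}
		v[0] >>= 1
		if lsb != 0 {
			v[0] ^= 0xe1
		}
	}
	return
}

// ghash absorbs zero-padded AAD, zero-padded ciphertext and a final block of
// bit lengths: Y_i = (Y_{i-1} XOR X_i) * H. This is the "weak keyed hash".
func ghash(h [16]byte, aad, ct []byte) (y [16]byte) {
	for _, data := range [][]byte{aad, ct} {
		for len(data) > 0 {
			var x [16]byte
			n := copy(x[:], data) // a short final chunk is zero-padded
			data = data[n:]
			y = gfMul(xor(y, x), h)
		}
	}
	var lens [16]byte
	binary.BigEndian.PutUint64(lens[:8], uint64(len(aad))*8)
	binary.BigEndian.PutUint64(lens[8:], uint64(len(ct))*8)
	return gfMul(xor(y, lens), h)
}

// TagByHand recomputes the GCM tag for a 96-bit IV from its two parts: GHASH
// keyed with H = E_K(0^128), then XOR with E_K(J0), J0 = IV || 0^31 || 1.
func TagByHand(key, iv, aad, ct []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil || len(iv) != 12 {
		return nil, fmt.Errorf("need a valid AES key and a 96-bit IV (got %d bytes): %v", len(iv), err)
	}
	var h, j0, pad [16]byte
	blk.Encrypt(h[:], make([]byte, 16)) // hash subkey H
	copy(j0[:], iv)
	j0[15] = 1
	blk.Encrypt(pad[:], j0[:]) // one-time pad that hides the GHASH output
	tag := xor(ghash(h, aad, ct), pad) // the final XOR the question asks about
	return tag[:], nil
}

// Demo seals with crypto/cipher and reports whether TagByHand agrees with the
// library tag, whether Open succeeds with the right AAD, and whether it
// (wrongly) succeeds with a different AAD. Key, IV, message and AAD are constructed.
func Demo() (tagMatches, openOK, openWrongAAD bool, err error) {
	key, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	iv, _ := hex.DecodeString("cafebabefacedbaddecaf888")
	pt, aad := []byte("attack at dawn"), []byte("header-v1")
	blk, err := aes.NewCipher(key)
	if err != nil {
		return
	}
	gcm, err := cipher.NewGCM(blk)
	if err != nil {
		return
	}
	sealed := gcm.Seal(nil, iv, pt, aad) // ciphertext || 16-byte tag
	ct, tag := sealed[:len(pt)], sealed[len(pt):]
	manual, err := TagByHand(key, iv, aad, ct)
	if err != nil {
		return
	}
	_, errOK := gcm.Open(nil, iv, sealed, aad)
	_, errBad := gcm.Open(nil, iv, sealed, []byte("header-v2"))
	return bytes.Equal(manual, tag), errOK == nil, errBad == nil, nil
}

func main() {
	fmt.Println(Demo())
}
```

Running it prints `true true false <nil>`: the by-hand tag equals the library's, decryption succeeds under the original AAD and fails under "header-v2" even though not a single ciphertext byte changed. Note that `TagByHand` never touches the plaintext: the tag is a function of the AAD and the ciphertext only, which is why the AAD can be sent in the clear and still be bound to the message.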