Alex Hornung ahornung at
Thu Jul 19 01:14:07 PDT 2012


On 17/07/12 16:29, Chris Rogers wrote:
> My understanding of GCM and GMAC was that GMAC was an authentication
> only variant of GCM, and thus they were mutually exclusive.  But, it
> looks like the rest of the function will never execute if GMAC isn't
> chosen as the mode of encryption.  Does this mean that GCM uses GMAC as
> part of its standard encryption process, or is the encryption for GCM
> only implemented somewhere else?  Any help on this matter would be
> greatly appreciated.

GMAC is just a special case of GCM where the plaintext has zero length,
and the whole input is in the AAD.

GCM encryption is implemented via transforms (xforms) in our opencrypto.
it is effectively a special case of AES CTR, as the other bits that are
distinct from CTR (the galois field arithmetic that ends up providing
authentication) are implemented in our GMAC implementation.

So yes, in other words our GCM uses AES CTR combined with GMAC
underneath, resulting, effectively, in GCM.


More information about the Kernel mailing list