Is it possible to use DES or 3DES over Galois Counter Mode (GCM) to provide authenticated encryption?
I haven't seen any implementation yet.
Asked
Active
Viewed 878 times
2
-
1Definitely don't use plain DES. Keyspace is too small. – mikeazo Jun 18 '15 at 19:05
-
@mikeazo thank you for mentioning that but I would like to know if it is possible to use that block cipher over GCM :) – user1563721 Jun 18 '15 at 19:10
-
no. Or at least it would be non-standard. GCM needs to operate on $GF(2^{128})$ and plain (3)DES can at maximum operate at $GF(2^{64})$ as the blocksize is 64. One can of course chose a different polynomial, but this wouldn't be "GCM" any longer but rather CTR+custom GMAC. – SEJPM Jun 18 '15 at 19:16
-
@SOJPM I would rather think of a method to combine two blocks to create a block size of 128 bit instead, I've got an inkling of a feeling that using a block size and polynomial of 64 bit will break down the security to unacceptable levels. – Maarten Bodewes Jun 18 '15 at 19:56
-
@SOJPM Turned that into a question, I couldn't directly come up with the answer myself. There may be an answer in FPE, we'll see. – Maarten Bodewes Jun 18 '15 at 20:07
-
@MaartenBodewes You wouldn't use a 64 bit polynomial. You'd use 2 blocks as keys/mask for GHash. The biggest problem with 64 bit block ciphers is that the IV size becomes even smaller (32 bits for counter, 32 bit IV). Not sure how big the impact on protocol design is in practice, since a random 96 bit IV isn't a great idea either, so when a good protocols needs a random IV, it uses a KDF to derive a one time key from IV and master key. – CodesInChaos Jun 19 '15 at 14:27
2 Answers
3
According to Wikipedia,
GCM is defined for block ciphers with a block size of 128 bits.
So no, you can't use GCM with 3DES or DES, because of the 64-bit block size. You could use something similar to GCM, but it wouldn't be GCM.
e-sushi
- 17,891
- 12
- 83
- 229
lily wilson
- 457
- 3
- 15
-
1Alternatively, you could use the answer to this question to turn 3DES into a 128-bit block cipher. – Stephen Touset Jun 18 '15 at 22:41
-
yes, that is possible, but it wouldn't be GCM with 3DES. it would be GCM with some cipher based on 3DES. – lily wilson Jun 19 '15 at 01:55
1
GCM can be defined with 64-bit ciphers, see Appendix A of here: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf
NISTs's final GCM spec doesn't include this option. I suspect that this is because the security of GCM's MAC component depends on the difference between the number of blocks in the longest possible message and the number of elements in the polynomial field (see, e.g., here: https://eprint.iacr.org/2013/144).
Briefly, an untruncated GCM tag gives you an $m/|F|$ probability of forging (where m is the block-length of the longest possible message) and F is the field in which you evaluate the polynomial. Choosing $F = GF(2^{64})$ doesn't leave you much scope for messages before that forgery probability is quite large.
gtp
- 96
- 3