All block cipher modes of operation that I understand are generic schemes. They are not restricted by key size or block size. So why is GCM restricted to 128-bit block size?
- For “what is it”, what reference materials (e.g. Wikipedia, the NIST specification) have you read, and what part don't you understand? – Gilles 'SO- stop being evil' Sep 30 '15 at 21:24
- The way it's defined to be GCM restricts it to 128 bit. In detail it relies on a polynomial over a field of size 128 bit and if you change this polynomial you can't call it "the GCM" any longer. You can build something GCM-like for any block size. – SEJPM Sep 30 '15 at 21:27
- @Gilles I've read bits and pieces about it. I know it's something like CCM. – Melab Oct 01 '15 at 00:00
- @SEJPM Well why can't it be generalized? – Melab Oct 01 '15 at 00:01
- @Melab It can be generalized, but there are many equally valid generalizations and the designers didn't bother to pick particular ones. – CodesInChaos Oct 01 '15 at 11:38
- @SEJPM You can easily use a 128 bit polynomial together with a 64 bit block cipher. You just need to use 2 blocks per message to mask the MAC and 2 blocks per key to compute the MAC key. In principle you could even use a stream cipher instead of a block cipher, since GCM first uses CTR mode to build a stream cipher and then adds GHash on top of that stream cipher. – CodesInChaos Oct 01 '15 at 11:41
- @CodesInChaos, I'm not too sure if you actually can say that you can use GCM with any stream cipher. – SEJPM Oct 01 '15 at 12:04
1 Answer
The field polynomial used for GHASH limits most definitions to 128-bit block size. That does not mean you could not define it for other sizes – the proposal defined it for 64-bit as well (pdf, see Appendix A) even if NIST did not standardize that.
However, defining it for arbitrary block sizes would be more difficult. You would need to define a deterministic method for constructing the polynomial and the changes that entails (see the document above). Since 64-bit block ciphers are usually considered too small these days anyway and no larger block sizes are in common use, there is no need to do that.
otus
- To make things worse, GHash's security doesn't scale down well to 64 bit MACs or smaller fields. – CodesInChaos Oct 01 '15 at 11:39
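The point made in the answer and in CodesInChaos's comment, as an added worked example (this is not code from the question, the answer, or the GCM specification): GHASH is a polynomial evaluation over GF(2^128) with GCM's fixed reduction polynomial, and it always consumes 16-byte blocks. The block cipher contributes only two 128-bit values, the hash key H and the tag mask, plus the CTR keystream. So a GCM-like scheme for an n-byte cipher needs no new polynomial; it just concatenates ceil(16/n) cipher outputs to get each 128-bit value (one call for n=16, two calls for n=8). Assumptions: `ToyBlockFunction` is a hypothetical stand-in for the forward direction of a block cipher (a keyed PRF built from HMAC-SHA256, truncated to n bytes), and the nonce is n-4 bytes so that nonce || 32-bit counter fills one block. With n=16 and a real AES substituted, the structure below (H = E_K(0^128), mask = E_K(IV||0^31||1), keystream from counter 2) is exactly GCM with a 96-bit IV.

```python
# Added example (not the answer's or the GCM spec's own code): GHASH over the fixed
# field GF(2^128), and a GCM-like AEAD whose H and tag mask are built from an
# n-byte block function by concatenating ceil(16/n) outputs.
import hashlib
import hmac
import struct

# GCM's reduction polynomial x^128 + x^7 + x^2 + x + 1 in the spec's bit order
# (bit 0 is the most significant bit of the first byte), and the field's identity.
R = 0xE1 << 120
ONE = 1 << 127


def gf128_mul(x: int, y: int) -> int:
    """Multiply two elements of GF(2^128) (Algorithm 1 of the GCM specification)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:   # bit i of y, i = 0 is the MSB
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1   # v = x * alpha^(i+1), reduced
    return z


def ghash(h: bytes, aad: bytes, ct: bytes) -> bytes:
    """GHASH_H(A, C): a polynomial in H over GF(2^128); blocks are always 16 bytes."""
    pad = lambda b: b + b"\x00" * (-len(b) % 16)
    data = pad(aad) + pad(ct) + struct.pack(">QQ", 8 * len(aad), 8 * len(ct))
    hk, y = int.from_bytes(h, "big"), 0
    for i in range(0, len(data), 16):
        y = gf128_mul(y ^ int.from_bytes(data[i:i + 16], "big"), hk)
    return y.to_bytes(16, "big")


class ToyBlockFunction:
    """Hypothetical stand-in for the encryption direction of an n-byte block cipher:
    a keyed PRF (HMAC-SHA256 truncated to n bytes). GCM never needs the inverse, so
    this is enough to show the structure; it is not a real cipher."""

    def __init__(self, key: bytes, n: int):
        self.key, self.n = key, n

    def encrypt_block(self, block: bytes) -> bytes:
        assert len(block) == self.n
        return hmac.new(self.key, block, hashlib.sha256).digest()[: self.n]


def _gcm_like(cipher, nonce: bytes, data: bytes):
    """Derive H and the tag mask from the cipher, and CTR-transform `data`."""
    n = cipher.n
    assert len(nonce) == n - 4, "nonce || 32-bit counter must fill one block"
    b = -(-16 // n)   # cipher calls per 128-bit value: 1 for n=16, 2 for n=8
    blk = lambda iv, i: cipher.encrypt_block(iv + struct.pack(">I", i))
    nblocks = -(-len(data) // n)
    assert 2 * b + nblocks < 2**32, "counter must not wrap into reserved values"
    # Hash key: E_K(0^n) for n=16 (as in GCM); E_K(0^4||0) || E_K(0^4||1) for n=8.
    h = b"".join(blk(b"\x00" * (n - 4), i) for i in range(b))[:16]
    # Tag mask: E_K(nonce||1) for n=16 (GCM's J0); counters b..2b-1 for smaller n.
    mask = b"".join(blk(nonce, i) for i in range(b, 2 * b))[:16]
    # CTR keystream starts after the reserved counter values.
    stream = b"".join(blk(nonce, 2 * b + i) for i in range(nblocks))
    return h, mask, bytes(p ^ k for p, k in zip(data, stream))


def encrypt(cipher, nonce: bytes, aad: bytes, pt: bytes):
    h, mask, ct = _gcm_like(cipher, nonce, pt)
    tag = bytes(a ^ m for a, m in zip(ghash(h, aad, ct), mask))
    return ct, tag


def decrypt(cipher, nonce: bytes, aad: bytes, ct: bytes, tag: bytes):
    h, mask, pt = _gcm_like(cipher, nonce, ct)
    expected = bytes(a ^ m for a, m in zip(ghash(h, aad, ct), mask))
    # Constant-time compare; on failure release nothing, as GCM requires.
    return pt if hmac.compare_digest(expected, tag) else None


if __name__ == "__main__":
    c8 = ToyBlockFunction(b"k" * 16, 8)           # 64-bit block, 32-bit nonce
    ct, tag = encrypt(c8, b"nonc", b"hdr", b"hello, 64-bit world")
    print(ct.hex(), tag.hex(), decrypt(c8, b"nonc", b"hdr", ct, tag))
```

Note that the field arithmetic in `gf128_mul` and `ghash` never sees `cipher.n`; only `_gcm_like` does. That is the separation the answer describes: the polynomial fixes the MAC's field at 128 bits, while the block size only changes how many cipher calls it takes to fill H and the mask. It does not address the comment's second point, that the 128-bit field itself is what gives GHASH its security margin, so shrinking the field (rather than the cipher) is not an equivalent generalization.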