IoT Security Part 6: Why should I use Galois Counter Mode instead of CCM?  

 

The most common authenticated encryption mode for IoT wireless today is CCM, Counter Mode encryption with CBC-MAC authentication. However, the latest and greatest internet security suites support the Galois Counter Mode (GCM) for authenticated encryption.

 

Instead of diving into the complex finite field mathematics required to implement GCM, lets discuss the motivation for its development. First, consider that security experts will continue to scrutinize existing security methods, find weaknesses, and develop more secure methods. One of these areas is the development of block cipher modes.

 

After the development of the CCM authenticated mode, there was a big effort to develop a new authenticated mode to follow it. The main criticism of CCM was not security weakness. The main criticism was that CBC-MAC was very computationally intensive and performance was limited because chaining was hard to implement using a pipelined digital architecture.

 

NIST calls GCM a “High-Throughput Authenticated Encryption Mode”. Is it really? The argument appears to be that GCM computation is easily parallelized.

 

Suppose we wanted hardware that could compute a Galois MAC over four 16-byte blocks. It is theoretically possible to use four parallel AES cipher blocks and four parallel Galois field multiplication units. This would provide very high performance. However, it is not a realistic scenario for a small embedded processor.

 

In reality, if you only have one AES cipher block hardware at your disposal and have to implement Galois Field multiplication in software, GCM is much slower than CCM. However, if you have hardware support for modular field multiplication GCM is about the same speed as CCM.

 

It seems ironic that special hardware is now required to support a block cipher mode that was supposed to provide higher throughput.

 

This brings us to the situation that we have today. IoT developers would like to use the same state-of-the-art security methods used on PC class internet devices. However, implementing GCM on a typical 32-bit MCU will have poor performance.

 

The Cypto Module on the Silicon Labs EFR32 Wireless Gecko devices and the EFM32 Pearl and Jade Geckos has a hardware modular multiplier that supports the GCM polynomial. The crypto module has a programmable engine that greatly accelerated the Galois Counter Mode.

 

There is some synergy between the Galois Counter Mode and the Elliptical Curve Cryptography (ECC) computations. Both GCM and ECC require modular multiplication over a finite Galois field. The only difference is the polynomials.

 

GCM uses the modulus:

x128 + x7 +x2 +x + 1

 

Whereas the ECC prime 256 curve uses the modulus:

x256 + x224 + x192 + x96 + 1

 

The next blog will discuss ECC and its uses for IoT devices.

 

 

 

  • Blog Posts
  • Internet of Things