GCM spec with some highlighted sections

The NIST spec for Galois Counter Mode is 
http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf 

The high-level logic for the decrypt step is in section 7.2.  Step 8 of 
this algorithm is returning plaintext iff the tag verifies.
It says, "8. If T = T′, then return P; else return FAIL"

The problematic text immediately follows the algorithm description (see 
page 17).  It says, 
"Equivalent sets of steps that produce the correct output are permitted. 
In particular, the verification of the tag may precede the computation of 
the plaintext". 

The intent in the spec is clearly to permit the tag verification before 
ANY plaintext is computed, never mind returned to the caller,
so it takes some mental gymnastics to twist that into allowing plaintext 
to be computed and returned, pending a successful tag verification.
And as Hal pointed out on today's call, it opens the door for the very 
same "oracle" attack that we were trying to prevent by using GCM.

Bruce A Rich
brich at-sign us dot ibm dot com

Received on Tuesday, 13 December 2011 16:22:29 UTC
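The decryption ordering the message discusses, as an added worked example (not code from the email, the NIST spec, or any W3C/IBM project). It follows the structure of SP 800-38D (Algorithm 1 GF(2^128) multiplication, GHASH, inc32, GCTR, and the section 7.1/7.2 encrypt and decrypt steps) for the 96-bit IV, 128-bit tag case, but the block cipher CIPH_K is a constructed stand-in keyed function built from SHA-256 so the code runs offline without an AES library; it is therefore not interoperable with real AES-GCM. `gcm_decrypt` verifies T before computing P, the ordering the spec permits; `decrypt_then_verify` and `released_before_fail` are assumed names for the pattern the message objects to, where plaintext is released block by block and the tag is only checked afterwards, so the caller has already consumed every byte by the time FAIL is raised.

```python
import hashlib
import hmac
import struct

BLOCK = 16
R = 0xE1 << 120          # reduction constant R = 11100001 || 0^120 (SP 800-38D sec. 6.3)
ONE = 1 << 127           # multiplicative identity in the bit-reflected representation


def ciph(key: bytes, block: bytes) -> bytes:
    """Stand-in for CIPH_K: a 128-bit keyed function built from SHA-256.
    Constructed for this example only; this is NOT AES."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def gf_mult(x: int, y: int) -> int:
    """Multiplication in GF(2^128), Algorithm 1 of SP 800-38D."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:            # bit y_i, with y_0 the leftmost bit
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash(h: int, data: bytes) -> int:
    """GHASH_H over a byte string whose length is a multiple of 16 (Algorithm 2)."""
    assert len(data) % BLOCK == 0
    y = 0
    for i in range(0, len(data), BLOCK):
        y = gf_mult(y ^ int.from_bytes(data[i:i + BLOCK], "big"), h)
    return y


def inc32(block: bytes) -> bytes:
    """Increment the rightmost 32 bits of a block modulo 2^32."""
    ctr = (int.from_bytes(block[12:], "big") + 1) & 0xFFFFFFFF
    return block[:12] + ctr.to_bytes(4, "big")


def gctr(key: bytes, icb: bytes, x: bytes) -> bytes:
    """GCTR_K(ICB, X), Algorithm 3: counter-mode keystream XORed into X."""
    out, cb = bytearray(), icb
    for i in range(0, len(x), BLOCK):
        out += bytes(a ^ b for a, b in zip(x[i:i + BLOCK], ciph(key, cb)))
        cb = inc32(cb)
    return bytes(out)


def _pad16(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % BLOCK)


def _j0(iv: bytes) -> bytes:
    assert len(iv) == 12, "example only handles the 96-bit IV case"
    return iv + b"\x00\x00\x00\x01"


def compute_tag(key: bytes, iv: bytes, aad: bytes, ct: bytes) -> bytes:
    """Steps 5-7 of sec. 7.2: S = GHASH_H(A||0^v||C||0^u||[len(A)]64||[len(C)]64),
    T = MSB_t(GCTR_K(J0, S)) with t = 128."""
    h = int.from_bytes(ciph(key, bytes(BLOCK)), "big")     # H = CIPH_K(0^128)
    lens = struct.pack(">QQ", len(aad) * 8, len(ct) * 8)
    s = ghash(h, _pad16(aad) + _pad16(ct) + lens)
    return gctr(key, _j0(iv), s.to_bytes(BLOCK, "big"))


def gcm_encrypt(key: bytes, iv: bytes, plaintext: bytes, aad: bytes = b""):
    """Authenticated encryption (sec. 7.1). Returns (C, T)."""
    ct = gctr(key, inc32(_j0(iv)), plaintext)
    return ct, compute_tag(key, iv, aad, ct)


def gcm_decrypt(key: bytes, iv: bytes, ct: bytes, aad: bytes, tag: bytes):
    """Sec. 7.2 in the order the spec permits: verify T first, then compute P.
    Returns P, or None for FAIL. No plaintext exists before the comparison
    succeeds, so none can reach the caller on the failure path."""
    if not hmac.compare_digest(compute_tag(key, iv, aad, ct), tag):
        return None                                        # step 8: FAIL
    return gctr(key, inc32(_j0(iv)), ct)                   # step 4, now safe


def decrypt_then_verify(key: bytes, iv: bytes, ct: bytes, aad: bytes, tag: bytes):
    """The ordering the message objects to: plaintext blocks are handed to the
    caller as they are computed and the tag is checked only at the end."""
    cb = inc32(_j0(iv))
    for i in range(0, len(ct), BLOCK):
        yield gctr(key, cb, ct[i:i + BLOCK])
        cb = inc32(cb)
    if not hmac.compare_digest(compute_tag(key, iv, aad, ct), tag):
        raise ValueError("FAIL")    # too late: every block above is already out


def released_before_fail(key, iv, ct, aad, tag):
    """Consume decrypt_then_verify() as a streaming caller would and report
    (plaintext received, whether FAIL was eventually raised)."""
    out = bytearray()
    try:
        for block in decrypt_then_verify(key, iv, ct, aad, tag):
            out += block
        return bytes(out), False
    except ValueError:
        return bytes(out), True
```

With a tag that does not verify, `gcm_decrypt` returns None and never touches the keystream, while `released_before_fail` shows the full plaintext already delivered before the FAIL; that difference is exactly what turns the pending tag check into a decryption oracle.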