To augment the confidentiality property provided by block ciphers with authentication, the Galois Counter Mode (GCM) has been standardized by the National Institute of Standards and Technology. The GCM is used as an add-on to 128-bit block ciphers, such as the Advanced Encryption Standard (AES), SMS4, or Camellia, to verify the integrity of data. Prior works on the error detection of the GCM either use linear codes to protect the GCM architectures or are based on AES–GCM architectures, confining the mechanisms to the AES block cipher. Although such structures are efficient, they are not only confined to specific architectures of the GCM but might also not fully take advantage of the parallel architectures of the GCM. Moreover, linear codes have been shown to be potentially ineffective with respect to biased faults. In this paper, we propose algorithm-oblivious constructions through recomputing with swapped ciphertext and additional authenticated blocks, which can be applied to the GCM architectures using different finite field multipliers in $GF(2^{128})$. Such obliviousness for the proposed constructions used in the GCM gives freedom to the designers. We present the results of error simulations and application-specific integrated circuit implementations to demonstrate the utility of the presented schemes. Based on the overhead/degradation tolerance for implementation/performance metrics, one can fine-tune the proposed method to achieve more reliable architectures for the GCM.
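As an added illustration (not code from the paper), the following Python models the GHASH multiply-accumulate over $GF(2^{128})$ that GCM's authentication relies on and the recomputation principle behind error detection: each block multiplication is computed a second time with its operands swapped, and since field multiplication is commutative any disagreement flags a faulty multiplier. The stuck-at fault model and the per-step comparison are assumptions chosen for illustration; the paper's own swapped-block constructions are not reproduced here.

```python
# Added illustration, not code from the paper: GHASH over GF(2^128) as GCM
# defines it, with every multiplication recomputed using swapped operands.
# Field multiplication is commutative, so X*H != H*X reveals a fault in the
# multiplier. The fault model (a stuck-at-1 bit on the multiplier's first
# input path) and the per-step comparison are assumptions for illustration.

R = 0xE1000000000000000000000000000000  # x^128+x^7+x^2+x+1, bit-reflected

def gf128_mul(x, y, fault_mask=0):
    """GCM multiplication in GF(2^128) (Algorithm 1 of the GCM spec).
    fault_mask forces bits of the first operand to 1, modelling a stuck-at
    fault on that input path; 0 means a fault-free multiplier. A bit that is
    already 1 is unaffected, so such a fault can be silent on some steps."""
    z, v = 0, x | fault_mask
    for i in range(128):              # bit 0 of Y is its leftmost bit
        if (y >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def _blocks(data):
    """Split into 128-bit big-endian integers, zero-padding the last block."""
    data = data + b"\x00" * (-len(data) % 16)
    return [int.from_bytes(data[i:i + 16], "big") for i in range(0, len(data), 16)]

def ghash_checked(h, aad, ct, fault_mask=0):
    """Return (GHASH_H(aad, ct), ok). Every block step is computed as X*H and
    again as H*X; ok becomes False at the first disagreement."""
    x, ok = 0, True
    length_block = ((len(aad) * 8) << 64) | (len(ct) * 8)
    for blk in _blocks(aad) + _blocks(ct) + [length_block]:
        x ^= blk
        primary = gf128_mul(x, h, fault_mask)
        swapped = gf128_mul(h, x, fault_mask)
        ok = ok and primary == swapped
        x = primary
    return x, ok

# GCM specification test case 2 (AES-128, zero key, zero IV, one zero
# plaintext block): H = AES_K(0^128), C is the single ciphertext block.
H = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
EXPECTED_GHASH = 0xF38CBB1AD69223DCC3457AE5B6B0F885

if __name__ == "__main__":
    value, ok = ghash_checked(H, b"", C)
    print(f"GHASH {value:032x} matches vector: {value == EXPECTED_GHASH}, ok={ok}")
    _, ok_faulty = ghash_checked(H, b"", C, fault_mask=1)
    print(f"stuck-at-1 fault on the X input path detected: {not ok_faulty}")
```

With fault_mask=1 the first step is provably caught: both C and H have a zero low bit, so the two recomputed products differ by H xor C, which is nonzero.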