Score:1

AES256-GCM padding for unaligned blocks


So I found some test vectors for my SSE implementation of AES256-GCM and unfortunately it seems that after the last step of the AAD it goes wrong. My guess is that this is because the AAD is actually misaligned; it's 8 bytes instead of 16. I read this into a 128-bit vector, initialize it to zero first, and then read the byte array into it. Is the document with test vectors just wrong, or am I padding incorrectly? With SHA256 you pad with 0x80 and then 0x00s; does AES256-GCM require the same?

Thanks for the help.

Score:1

> With SHA256 you pad with 0x80 and then 0x00s, does AES256-GCM require the same?

For GCM, the AAD is zero-padded to a multiple of 16 bytes (with no padding if it's already a multiple of 16 bytes in length). We include the bit length of the AAD (and the length of the plaintext) within the final 16-byte block (that comes immediately after the plaintext), hence there is no need to specify that length within the padding.

See figure 3 of the GCM Specification for a general overview.

Niels: Thank you, just what I thought. I saw that in most of the diagrams, so I was unsure why I saw 1 or 2 that didn't do it like that. Guess I'll just go with the gcm-spec.pdf and wycheproof test vectors then.
Maarten Bodewes: Make sure that the padding is on the correct side, which in this case probably means that you should fill your buffer from the correct side. Also make sure that that buffer is properly zeroed before you write to it. I hope that you don't pad literally as it is in the theoretical textbooks by *adding bytes to the input message*, because growing arrays is generally not great when it comes to performance *or* memory management.
Niels: @MaartenBodewes yes, I'm basically fetching blocks and if I reach the last unaligned block (if any) I'll just load a _m128 of 0 and load my last bytes into the address of the vector. It all seems to work now; I input a lot of test vectors and everything is correct :). Will just have to provide an optimized ghash and a fallback for when these instructions are disabled, and decryption, and then I'm done.
Maarten Bodewes: @poncho To make this more generic, I think the answer should reflect that this is required for GMAC specifically and that the AAD / plaintext / nonce itself isn't altered. Maybe the correct alignment in the buffer and the endianness of the calculation could also be indicated.