Score:0

Implementing AES GCM but not getting correct output from cipher block

I'm implementing 128-bit AES-GCM (but only the encryption/AES-CTR aspect).

When I set the Secret Key, Plaintext and IV to Test Case 2, page 27 of the GCM spec (see below) I get the wrong value for the output of the cipher block (before we XOR).

https://csrc.nist.rip/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf

Inputs:

K       00000000000000000000000000000000
P       00000000000000000000000000000000
IV      000000000000000000000000
Y1      00000000000000000000000000000002

I should get E(K,Y1) = 0388dace60b6a392f328c2b971b2fe78, instead I get 26d50f485a30408d5af47a5736292450

This is my pseudocode:

    // Expand iv to 16 bytes
    iv[15] = 1     // 'increment'

    // Skip cipher block for Y0

    for each plaintext block:
        Y1 = increment(iv)
        aes_key_expansion = CreateKeyExpansion(Y1)
        E(K,Y1) = AES_128_Cipher(K, aes_key_expansion)

The logic within CreateKeyExpansion() and AES_128_Cipher() works correctly, as I've tested them with ECB.

Can anyone help where I am going wrong?

The 11 (128 bit AES) key expansion is:

0  00000000000000000000000000000002
1  62637763626377636263776362637761
2  9b9698c9f9f5efaa9b9698c9f9f5efa8
3  79495a5080bcb5fa1b2a2d33e2dfc29b
4  ef6c4ec86fd0fb3274fad6019625149a
5  c096f658af460d6adbbcdb6b4d99cff1
6  0e1c57bba15a5ad17ae681ba377f4e4b
7  9c33e4213d69bef0478f3f4a70f07101
8  90909870adf92680ea7619ca9a8668cb
9  cfd587c8622ca148885ab88212dcd049
10 7fa5bc011d891d4995d3a5cb870f7582
poncho
For this first block, Y1 should be { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2 } - is it?
user997112
@poncho Yeah it is. The first 'increment' is from setting iv[15] = 1 and the '2' comes from the call to `Y1 = increment(iv)`. Just to confirm, I have checked this in the debugger.
user997112
@poncho I've also added the output of the key expansion, if that helps
Score:2
    aes_key_expansion = CreateKeyExpansion(Y1)        
    E(K,Y1) = AES_128_Cipher(K, aes_key_expansion) 

I believe this is the problem; you appear to be encrypting k using Y1 as an AES key. Instead, what you should do is expand the AES key Y, and then encrypt Y1 with that expanded key.

user997112
I am creating the key expansion using Y1 and then encrypting K with this generated expansion. Do you mean Y1 and K need to swap roles? Btw, for ECB I do this: `key_expansion = CreateKeyExpansion(K)` and then `AES_128_Cipher(P, key_expansion)`
user997112
I've just swapped K and Y1 and I now get the correct answer. If you could confirm that's what you meant.
poncho
@user997112: yes, that's what I meant. Remember: you use the same AES key for all the AES operations within a GCM operation
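
The fix discussed in this thread, as an added example that is not part of the original posts: a minimal pure-Python AES-128 in which the key schedule is built once from K and each counter block Y1, Y2, ... is the data being encrypted. The function names (`gcm_keystream`, `expand_key`, `encrypt_block`) are assumptions for illustration, and the code is for checking test vectors only (not constant-time).

```python
# Added example (not from the thread): minimal AES-128, for illustration only, not constant-time.
def gmul(a, b):                       # multiply in GF(2^8) mod x^8+x^4+x^3+x+1
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ 0x11B if a & 0x80 else a << 1
        b >>= 1
    return r

def _sbox_entry(a):
    inv = 1
    for _ in range(254):              # a^254 is the inverse of a (and maps 0 to 0)
        inv = gmul(inv, a)
    s = inv
    for i in range(1, 5):             # affine transform: XOR with four left rotations
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s ^ 0x63
SBOX = [_sbox_entry(a) for a in range(256)]

def expand_key(key):                  # AES-128 key schedule: 11 round keys of 16 bytes
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = gmul(rcon, 2)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def encrypt_block(round_keys, block): # encrypt 16 bytes under an already expanded key
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]  # SubBytes + ShiftRows
        if rnd < 10:                                              # MixColumns
            s = [gmul(s[j + r], 2) ^ gmul(s[j + (r + 1) % 4], 3) ^ s[j + (r + 2) % 4]
                 ^ s[j + (r + 3) % 4] for j in (0, 4, 8, 12) for r in range(4)]
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]
    return bytes(s)

def gcm_keystream(key, iv, nblocks):  # E(K,Y1), E(K,Y2), ... with Y0 = IV || 00000001
    rk = expand_key(key)              # K is expanded once and reused for every block
    return [encrypt_block(rk, iv + ((1 + i) % 2**32).to_bytes(4, "big"))
            for i in range(1, nblocks + 1)]  # each counter block Yi is the data input

K, IV, Y1 = bytes(16), bytes(12), bytes(15) + b"\x02"   # Test Case 2 inputs from the question
correct = gcm_keystream(K, IV, 1)[0]         # E(K, Y1): key schedule from K, data Y1
swapped = encrypt_block(expand_key(Y1), K)   # the question's order: schedule from Y1, data K
```

`correct.hex()` is the E(K,Y1) value quoted in the question for Test Case 2, and XORing each keystream block with the matching plaintext block gives the CTR ciphertext.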