Flexible and Efficient Message Authentication in Hardware and Software

We present the Galois Message Authentication Code (GMAC), a generic construction based on universal hashing using multiplication in the finite field GF (2). We also present GCM, a block cipher mode of operation that provides both encryption and message integrity in a single primitive, and is based on GMAC. The inherent parallelism in our constructs enable hardware implementations to achieve speeds greater than 10 gigabits per second, while requiring significantly less area than other constructions. Software implementations also have excellent performance characteristics. GMAC accepts nonces of arbitrary length using a keyed PRF based on the underlying hash function, GHASH. Additionally, we demonstrate how our MAC construction can be used incrementally and we provide a proof of security for our constructs to satisfying bounds under the PRP assumption. Both GMAC and GCM are, to the best of our knowledge, free of intellectual property restrictions.