GCM performance – The Galois Counter Mode

Posted by Whitney Koehler

16.3 GCM performance

There is an old saying among cryptographers that the real challenge is not to design a secure algorithm, but one that is secure and fast. While this is typically said somewhat jokingly, there is a lot to this saying. Take, for instance, ciphers. It is well known that the composition of functions illustrated in Figure 16.2 can be used to define complicated functions using simpler ones.

Recall that if f : X → Y and g : Y → Z are functions, then the composition of g with f, denoted by g ∘ f, is a function mapping elements of X to elements of Z. Moreover, the composition can be extended to any number of functions f₁, f₂, …, fₙ (resulting in the composition fₙ ∘ … ∘ f₂ ∘ f₁) given that the domain of fₜ equals the co-domain of fₜ₋₁.

Figure 16.2: Composition g ∘ f of functions g and f

In cryptography, ciphers combining a sequence of simpler transformations are called product ciphers. So, based on the composition of functions, it is trivial to design a high-security cipher by combining a large number, say in the thousands, of simple substitutions and transpositions.

It is, however, far from trivial to design a cipher that is both secure and fast to compute. When David McGrew and John Viega, the authors of GCM, submitted their proposal to NIST, they wrote the following:

There is a compelling need for a mode of operation that can efficiently provide authenticated encryption at speeds of 10 gigabits per second and above in hardware, perform well in software, and is free of intellectual property restrictions. The mode must admit pipelined and parallelized implementations and have minimal computational latency in order to be useful at high data rates. Counter mode has emerged as the best method for high-speed encryption, because it meets those requirements. However, there is no suitable standard message authentication algorithm. This fact leaves us in the situation in which we can encrypt at high speed, but we cannot provide message authentication that can keep up with our cipher.

Let’s conduct a small experiment to verify on our own whether GCM’s efficiency lives up to the claims of its authors. We can use OpenSSL to compare GCM’s performance to that of other authenticated encryption schemes.

Conveniently, OpenSSL implements all authenticated encryption schemes we have discussed so far – CCM and GCM – as well as the ChaCha20-Poly1305 authenticated encryption we will discuss in detail in Chapter 18, TLS Cipher Suites.

In addition, OpenSSL implements a mode of operation called Offset Codebook Mode (OCB), which provides authenticated encryption through a combination of a block cipher with a message authentication code in parallel.
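
One way to run the comparison described above is with `openssl speed`; this script is an added example, not code from the original text. The cipher list, the function names, and the one-second, 16384-byte parameters are assumptions, and the embedded sample figures are constructed placeholders, not measurements.

```shell
#!/bin/sh
# Added example: AEAD throughput comparison with `openssl speed` (OpenSSL 1.1.1+).
# AEADS and all function names here are assumptions made for this sketch.
AEADS="aes-128-gcm aes-128-ccm aes-128-ocb chacha20-poly1305"

# Benchmark one cipher for 1 second on 16384-byte buffers, the largest TLS
# record plaintext. Progress messages go to stderr and are discarded.
bench_one() {
    openssl speed -evp "$1" -seconds 1 -bytes 16384 2>/dev/null
}

# Constructed sample in the shape of the result lines `openssl speed` prints.
# The figures are placeholders for the parser, not measurements.
sample_output() {
    cat <<'EOF'
The 'numbers' are in 1000s of bytes per second processed.
type          16384 bytes
AES-128-GCM      4000000.00k
AES-128-CCM      1000000.00k
AES-128-OCB      5000000.00k
ChaCha20-Poly1305  2000000.00k
EOF
}

# Read speed output on stdin and print "<cipher> <MB/s>" for cipher $1.
# Names are matched case-insensitively since builds may print either case.
parse_speed() {
    awk -v want="$1" 'tolower($1) == want && $NF ~ /k$/ {
        sub(/k$/, "", $NF); printf "%s %.0f\n", want, $NF / 1000 }'
}

# Sort "<cipher> <MB/s>" lines fastest first and add the ratio to GCM.
rank() {
    sort -k2,2nr | awk '{ n[NR] = $1; v[NR] = $2; if ($1 ~ /gcm/) g = $2 }
        END { for (i = 1; i <= NR; i++)
            printf "%-18s %6d MB/s  %.2fx GCM\n", n[i], v[i], (g ? v[i] / g : 0) }'
}

# run live   -> benchmark with the local openssl binary
# run sample -> parse the constructed sample (default, works offline)
# A cipher the local build does not support is simply missing from the table.
run() {
    for c in $AEADS; do
        if [ "$1" = live ]; then bench_one "$c"; else sample_output; fi |
            parse_speed "$c"
    done | rank
}

run "${1:-sample}"
```

Invoking the script with the argument `live` replaces the constructed sample with measurements from the local machine, which depend on whether the CPU offers AES and carry-less multiplication instructions.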
