Title :
Packed AES-GCM Algorithm Suitable for AES/PCLMULQDQ Instructions
Author :
Jankowski, Krzysztof ; Laurent, Pierre
Author_Institution :
Intel, Shannon, Ireland
Abstract :
The level of interest in Galois Counter Mode (GCM) authenticated encryption has risen significantly within the last few years. GCM is interesting because it is the only authenticated encryption standard that can be implemented in a fully pipelined or parallelized way, and it is the most appropriate for encrypting packetized data. McGrew and Viega described (but did not detail) how GHASH can be implemented with more than one multiplier operating in parallel. This paper details how that can be done and shows that, when N multipliers are used and each multiplier follows the approach of multiplying polynomials and then applying a modular reduction, a single modular reduction can be used instead of N separate ones. This optimization can be used even when there is a single multiplier, which gives this implementation strategy a broader appeal. Recently Intel has introduced new ISA instructions into its next-generation CPU core, namely the AES family and PCLMULQDQ, operating in the XMM register domain. In this paper, we discuss an example implementation of the proposed GHASH modifications using these instructions.
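The aggregated-reduction idea in the abstract (N polynomial products XORed together, then one reduction) can be checked directly against textbook GHASH. The following is an added example, not code from the paper or from Intel: a pure-Python GF(2^128) GHASH where a bit-serial carry-less multiply stands in for PCLMULQDQ, with the per-block-reduction version beside an N-way aggregated version. The test vector (H, C and the GHASH output) is GCM specification test case 2 (zero key, zero IV, one zero plaintext block); the longer AAD/ciphertext input is constructed here only to exercise chunking and a short tail.

```python
# GCM field polynomial x^128 + x^7 + x^2 + x + 1, low part in natural (x^0 = bit 0) order
GCM_POLY_LOW = 0x87

# GCM spec test case 2 (K = 0, IV = 0^96, P = 0^128): H = AES_K(0^128), C = AES_K(IV||1) xor P
H_TC2 = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
C_TC2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
GHASH_TC2 = bytes.fromhex("f38cbb1ad69223dcc3457ae5b6b0f885")


def _reflect128(n):
    """GCM stores the x^0 coefficient in the leftmost bit of a block, so a big-endian
    integer is bit-reversed to obtain a 'natural' polynomial (x^i = bit i) and back."""
    return int(f"{n:0128b}"[::-1], 2)


def block_to_poly(block):
    return _reflect128(int.from_bytes(block, "big"))


def poly_to_block(p):
    return _reflect128(p).to_bytes(16, "big")


def clmul(a, b):
    """Carry-less multiply of two <=128-bit polynomials: an unreduced product of
    degree <= 254. PCLMULQDQ does the same on 64-bit halves; this is the software stand-in."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def reduce_mod_gcm(p):
    """Reduce an unreduced product modulo x^128 + x^7 + x^2 + x + 1 (x^128 = x^7+x^2+x+1)."""
    for i in range(255, 127, -1):
        if (p >> i) & 1:
            p ^= (1 << i) | (GCM_POLY_LOW << (i - 128))
    return p


def gf_mul(a, b):
    return reduce_mod_gcm(clmul(a, b))


def _blocks(data):
    """16-byte blocks, zero-padding the last one as GHASH requires."""
    for i in range(0, len(data), 16):
        yield data[i:i + 16].ljust(16, b"\0")


def ghash_input(aad, ct):
    """A (padded) || C (padded) || [len(A)]_64 || [len(C)]_64 in bits, as natural-order polys."""
    length_block = (len(aad) * 8).to_bytes(8, "big") + (len(ct) * 8).to_bytes(8, "big")
    blocks = list(_blocks(aad)) + list(_blocks(ct)) + [length_block]
    return [block_to_poly(b) for b in blocks]


def ghash_sequential(h_block, aad, ct):
    """Textbook GHASH: Y_i = (Y_{i-1} xor X_i) * H, one modular reduction per block."""
    h = block_to_poly(h_block)
    y = 0
    for x in ghash_input(aad, ct):
        y = gf_mul(y ^ x, h)
    return poly_to_block(y)


def ghash_aggregated(h_block, aad, ct, n=4):
    """GHASH with N-way aggregated reduction. For a chunk X_1..X_k (k <= n):
    Y_new = (Y xor X_1)*H^k xor X_2*H^(k-1) xor ... xor X_k*H
    where the k products are kept unreduced, XORed, and reduced once.
    Reduction is a ring homomorphism, so this equals the sequential result."""
    h = block_to_poly(h_block)
    powers = [None, h]                       # powers[k] = H^k (reduced), k = 1..n
    for _ in range(2, n + 1):
        powers.append(gf_mul(powers[-1], h))
    xs = ghash_input(aad, ct)
    y = 0
    for start in range(0, len(xs), n):
        chunk = xs[start:start + n]
        k = len(chunk)                       # a short tail simply uses H^k..H^1
        acc = 0
        for j, x in enumerate(chunk):
            term = (y ^ x) if j == 0 else x
            acc ^= clmul(term, powers[k - j])   # unreduced product, ~255 bits
        y = reduce_mod_gcm(acc)              # single reduction for the whole chunk
    return poly_to_block(y)


if __name__ == "__main__":
    assert ghash_sequential(H_TC2, b"", C_TC2) == GHASH_TC2
    assert ghash_aggregated(H_TC2, b"", C_TC2) == GHASH_TC2
    # constructed input: 2 AAD blocks + 7 ciphertext blocks + length block = 10 blocks
    aad, ct = b"constructed header bytes", bytes(range(100))
    print(all(ghash_aggregated(H_TC2, aad, ct, n) == ghash_sequential(H_TC2, aad, ct)
              for n in range(1, 7)))
```

With n = 1 the aggregated routine degenerates to the sequential one; with n = 4 it performs one reduction per four blocks, which is the saving the paper quantifies for the PCLMULQDQ version, and the same code path handles the tail when the block count is not a multiple of N.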
Keywords :
cryptography; polynomials; AES-PCLMULQDQ instructions; GHASH; Galois counter mode authenticated encryption standard; Intel; XMM registers domain; modular reduction; packed AES-GCM algorithm; polynomial multiplication; Authentication; Counting circuits; Cryptography; Data processing; Instruction sets; Payloads; Polynomials; Registers; Software algorithms; Software performance; AES; GCM; Software; data encryption; performance evaluation of algorithms.
Journal_Title :
Computers, IEEE Transactions on
DOI :
10.1109/TC.2010.147