Questions tagged [ghash]

The hash function used to implement the authentication mechanism in GCM.

In GCM, the authentication tag is constructed by feeding the blocks of additional authenticated data and ciphertext into the GHASH function and encrypting the result. IV (nonce) reuse is catastrophic: it exposes the GHASH subkey and enables tag forgery.

7 questions
6 votes, 2 answers

GMAC vs HMAC in message forgery and bandwidth

Saarinen in his work GCM, GHASH and Weak Keys says that: The GHASH algorithm belongs to a widely studied class of Wegman-Carter polynomial universal hashes. The security bounds known (this and this) for these algorithms indicate that a $n$-bit…
kelalaka
5 votes, 1 answer

Why doesn't the GCM spec use a more efficient multiplication algorithm?

NIST SP 800-38D § 6.3 Multiplication Operation on Blocks describes a multiplication algorithm that, in my testing, appears to be a good amount slower than algorithm 2.40 (arbitrary reduction polynomials) in the Guide to Elliptic Curve…
neubert
5 votes, 1 answer

GCM: Math behind update of AAD after ciphertext has been processed

In the Bouncy Castle libraries, the GCM cipher implementation has an interesting property that does not seem to be described in the GCM papers (neither the NIST one nor the original paper): some AAD was sent after the cipher started. We determine the…
Maarten Bodewes
3 votes, 1 answer

Key Committing AES-GCM

There are a handful of attacks against AEAD, and GCM in particular, which demonstrate that it is feasible for an attacker $\mathcal{A}$ to obtain a ciphertext $C$ which decrypts under multiple key/message pairs $(k_i, M_i)$. This is commonly referred…
2 votes, 1 answer

GHASH with a finite field multiplication algorithm in reverse order

NIST SP 800-38D § 6.4 GHASH Function describes the GHASH algorithm thusly: Prerequisites: block $H$, the hash subkey. Input: bit string $X$ such that len($X$) = $128m$ for some positive integer m. Output: block $GHASH_H$ ($X$). Steps: Let $X_1$,…
neubert
0 votes, 1 answer

AES-GCM representation of len(IV) in IV padding to compute ICB

I have a question regarding the representation of the length in AES-GCM when padding the IV to calculate the ICB/J0. In the AES-GCM test vectors, test case 5, I see the IV is of length 8 bytes as follows: IV cafebabefacedbad But…
sg777
-3 votes, 1 answer

Which is more secure? $\operatorname{AES-ECB}(key,\operatorname{SHA1}(data+key))$ vs $\operatorname{HMAC-SHA1}(key, data)$

$\operatorname{AES-ECB}(key,\operatorname{SHA1}(data+key))$ vs $\operatorname{HMAC-SHA1}(key, data)$: which is more secure? Which is faster? There is a similar comparison here: HMAC-SHA1(key, data) vs SHA-1(data+key)