TY - GEN
T1 - A New Interpretation for the GHASH Authenticator of AES-GCM
AU - Gueron, Shay
N1 - Publisher Copyright: © 2023, The Author(s), under exclusive license to Springer Nature Switzerland AG.
PY - 2023
Y1 - 2023
N2 - The AES-GCM authenticated encryption scheme has a significant role in modern secure communications. It combines AES-CTR encryption with authentication based on a polynomial evaluation hash function (GHASH), computed in the field F_{2^128} = F_2[x]/P_GCM(x), where P_GCM(x) = x^128 + x^7 + x^2 + x + 1. AES-GCM operates on 128-bit strings: it views them as AES inputs/outputs for the encryption, and as elements of F_{2^128} for the authentication. Unfortunately, the bit order by which GHASH parses 128-bit strings as field elements is inconsistent with the way AES uses 128-bit plaintext/ciphertext strings as arrays of 16 bytes. This leads to one of the following conclusions: a) GHASH does not operate directly on the ciphertext blocks; in this case, AES ciphertext blocks need to be bit-reflected before they are input to the GHASH computation; or b) the field representation is not F_2[x]/P_GCM(x); in this case, field multiplications are not directly expressed by polynomial arithmetic modulo P_GCM(x). The AES-GCM specification bypasses this discrepancy by describing the GHASH field operations as bit-level algorithms rather than in terms of polynomial arithmetic, as one would expect. We resolve the inconsistency by introducing a description of GHASH that uses polynomial arithmetic in G = F_2[x]/(x^128 + x^127 + x^126 + x^121 + 1). This formulation parses 128-bit strings as AES inputs/outputs and as field elements in a consistent manner. It also leads naturally to several recent AES-GCM software optimizations that are already in use by leading open-source cryptographic libraries.
AB - The AES-GCM authenticated encryption scheme has a significant role in modern secure communications. It combines AES-CTR encryption with authentication based on a polynomial evaluation hash function (GHASH), computed in the field F_{2^128} = F_2[x]/P_GCM(x), where P_GCM(x) = x^128 + x^7 + x^2 + x + 1. AES-GCM operates on 128-bit strings: it views them as AES inputs/outputs for the encryption, and as elements of F_{2^128} for the authentication. Unfortunately, the bit order by which GHASH parses 128-bit strings as field elements is inconsistent with the way AES uses 128-bit plaintext/ciphertext strings as arrays of 16 bytes. This leads to one of the following conclusions: a) GHASH does not operate directly on the ciphertext blocks; in this case, AES ciphertext blocks need to be bit-reflected before they are input to the GHASH computation; or b) the field representation is not F_2[x]/P_GCM(x); in this case, field multiplications are not directly expressed by polynomial arithmetic modulo P_GCM(x). The AES-GCM specification bypasses this discrepancy by describing the GHASH field operations as bit-level algorithms rather than in terms of polynomial arithmetic, as one would expect. We resolve the inconsistency by introducing a description of GHASH that uses polynomial arithmetic in G = F_2[x]/(x^128 + x^127 + x^126 + x^121 + 1). This formulation parses 128-bit strings as AES inputs/outputs and as field elements in a consistent manner. It also leads naturally to several recent AES-GCM software optimizations that are already in use by leading open-source cryptographic libraries.
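Added worked example (editor's illustration of the discrepancy the abstract describes; this is not code from the paper or from any library it mentions). It computes GHASH two ways: first with the bit-level block multiplication exactly as SP 800-38D states it, where the spec's bit x_0 is the most significant bit of byte 0 and the reduction is a right shift; second with ordinary polynomial arithmetic in G = F_2[x]/(x^128 + x^127 + x^126 + x^121 + 1), reading each 16-byte block as-is as a big-endian integer whose bit j is the coefficient of x^j (no bit reflection of the data). The two agree once the hash key is adjusted: since x^128 + x^127 + x^126 + x^121 + 1 is the reciprocal of P_GCM, mapping α to x^{-1} is a field isomorphism, and the 128-bit-reversal that the big-endian reading performs is that isomorphism up to a factor x^{-127}; folding that factor into the key (H' = ν(H) · x^{-127} mod Q) is this example's own derivation and is not claimed to be the paper's formulation. The check data is the all-zero-key test case from the GCM specification (McGrew and Viega test case 2), used here because its intermediate GHASH values are published.

```python
"""GHASH two ways: SP 800-38D's bit-level algorithm vs. polynomial arithmetic in G.

Editor's example; not code from the paper. Block-to-field mapping and the
derived key H' below are this example's own derivation (see lead-in).
"""

# Reciprocal of P_GCM: Q(x) = x^128 + x^127 + x^126 + x^121 + 1.
Q = (1 << 128) | (1 << 127) | (1 << 126) | (1 << 121) | 1
R_SPEC = 0xE1 << 120  # R = 11100001 || 0^120, as in SP 800-38D Algorithm 1


def gcm_mult_spec(x: bytes, y: bytes) -> bytes:
    """Block multiplication as the specification states it: bit strings only.

    x_i is the i-th bit of the block read left to right (MSB of byte 0 is x_0),
    V is shifted right, and R is folded in when the rightmost bit falls off.
    No polynomial modulus appears explicitly anywhere in this routine.
    """
    X = int.from_bytes(x, "big")
    Z, V = 0, int.from_bytes(y, "big")
    for i in range(128):
        if (X >> (127 - i)) & 1:  # the spec's x_i in its left-to-right order
            Z ^= V
        V = (V >> 1) ^ R_SPEC if V & 1 else V >> 1
    return Z.to_bytes(16, "big")


def clmul(a: int, b: int) -> int:
    """Carry-less product of two polynomials over F_2 (ints, bit j <-> x^j)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def reduce_q(p: int) -> int:
    """Reduce a polynomial modulo Q(x) by plain long division over F_2."""
    for d in range(p.bit_length() - 1, 127, -1):
        if (p >> d) & 1:
            p ^= Q << (d - 128)
    return p


def g_mul(a: int, b: int) -> int:
    """Multiplication in G = F_2[x]/Q(x): textbook polynomial arithmetic."""
    return reduce_q(clmul(a, b))


def g_pow(a: int, e: int) -> int:
    r = 1
    while e:
        if e & 1:
            r = g_mul(r, a)
        a = g_mul(a, a)
        e >>= 1
    return r


# x^{-1} mod Q: Q = x * (x^127 + x^126 + x^125 + x^120) + 1, so x^{-1} = (Q ^ 1) >> 1.
X_INV = (Q ^ 1) >> 1
X_INV_127 = g_pow(X_INV, 127)


def derived_key(h: bytes) -> int:
    """H' = nu(H) * x^{-127} mod Q, where nu reads the block as a big-endian int.

    Reading a block big-endian reverses the spec's bit order, which is the
    reciprocal-polynomial map; the x^{-127} factor makes it a field isomorphism
    (example's own derivation, absorbed into the key once, not per block).
    """
    return g_mul(int.from_bytes(h, "big"), X_INV_127)


def ghash_spec(h: bytes, blocks) -> bytes:
    """GHASH with the specification's bit-level multiplication."""
    y = bytes(16)
    for blk in blocks:
        y = gcm_mult_spec(bytes(a ^ b for a, b in zip(y, blk)), h)
    return y


def ghash_g(h: bytes, blocks) -> bytes:
    """GHASH as Horner evaluation in G over the raw (unreflected) blocks."""
    hp = derived_key(h)
    y = 0
    for blk in blocks:
        y = g_mul(y ^ int.from_bytes(blk, "big"), hp)
    return y.to_bytes(16, "big")


# GCM specification test case 2 (all-zero key, IV and plaintext): H = AES_K(0^128),
# C is the single ciphertext block, L = len(A) || len(C) = 0 || 128 bits.
H_TC2 = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
C_TC2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
L_TC2 = bytes.fromhex("00000000000000000000000000000080")

if __name__ == "__main__":
    print("spec :", ghash_spec(H_TC2, [C_TC2, L_TC2]).hex())
    print("in G :", ghash_g(H_TC2, [C_TC2, L_TC2]).hex())
```

The point of the comparison: gcm_mult_spec never names a polynomial, while ghash_g is nothing but multiply-and-reduce modulo Q on the bytes exactly as AES-CTR produced them. The only place the bit-order mismatch surfaces is the one-time key derivation, which is why a library can precompute H' (and its powers) and then run GHASH with a carry-less multiplier and a straightforward reduction.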
KW - AES-GCM
KW - finite field arithmetic
KW - software optimization
UR - http://www.scopus.com/inward/record.url?scp=85164953937&partnerID=8YFLogxK
U2 - https://doi.org/10.1007/978-3-031-34671-2_30
DO - https://doi.org/10.1007/978-3-031-34671-2_30
M3 - Conference contribution
SN - 9783031346705
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 424
EP - 438
BT - Cyber Security, Cryptology, and Machine Learning - 7th International Symposium, CSCML 2023, Proceedings
A2 - Dolev, Shlomi
A2 - Gudes, Ehud
A2 - Paillier, Pascal
PB - Springer Science and Business Media Deutschland GmbH
T2 - 7th International Symposium on Cyber Security, Cryptology, and Machine Learning, CSCML 2023
Y2 - 29 June 2023 through 30 June 2023
ER -