GHASH
E663911
GHASH is a polynomial-based universal hash function used within Galois/Counter Mode (GCM) to provide efficient message authentication over binary fields.
Statements (47)
| Predicate | Object |
|---|---|
| instanceOf | message authentication primitive; polynomial hash function; universal hash function |
| associatedWith | AES-GCM |
| basedOn | polynomial evaluation over GF(2^128) |
| category | cryptographic hash function (non-general-purpose) |
| collisionProbabilityBound | proportional to number of blocks squared divided by 2^128 |
| combinationOperation | XOR of polynomial multiplication results |
| combines | associated data and ciphertext into a single hash value |
| designGoal | high performance in hardware; high performance in software with carry-less multiplication instructions |
| domain | symmetric-key cryptography |
| efficiencyReason | uses binary field arithmetic amenable to parallelization |
| fieldNotation | GF(2^128) |
| fieldType | binary finite field |
| hashFamilyType | ε-almost-Δ-universal hash family |
| implementationOptimization | CLMUL (carry-less multiply) CPU instruction support |
| inputBlockSize | 128-bit blocks |
| inputType | blocks of associated data; ciphertext blocks |
| keyType | hash subkey H |
| mathematicalStructure | polynomial ring over GF(2) modulo an irreducible polynomial of degree 128 |
| notDesignedFor | collision-resistant general-purpose hashing |
| operationOrder | processes input blocks sequentially |
| operationType | bitwise XOR and carry-less multiplication |
| outputType | fixed-length authentication tag value |
| purpose | authentication tag computation; integrity protection; message authentication |
| relatedConcept | Carter–Wegman MAC; Wegman–Carter universal hashing |
| requires | unique nonce per encryption in GCM for security guarantees |
| resistanceProperty | resistance to forgery under standard GCM security assumptions |
| securityProperty | provable bounds on collision probability; universal hashing |
| specifiedAs | core component of the GCM authentication mechanism |
| standardizedIn | NIST SP 800-38D |
| standardRole | defines the hash subkey-based authentication in GCM |
| subkeyDerivation | derived from block cipher key in GCM |
| tagComputation | final hash value is combined with encrypted counter block to form tag |
| tagLengthTypical | 128 bits |
| usedBy | IEEE 802.1AE MACsec with AES-GCM; IPsec with AES-GCM; TLS ciphersuites with AES-GCM |
| usedFor | computing the GCM authentication tag |
| usedIn | GCM; Galois/Counter Mode |
Referenced by (2)
Full triples — surface form annotated when it differs from this entity's canonical label.
subject surface form:
Galois/Counter Mode