## Abstract

AES-GCM authenticated encryption scheme has a significant role in modern secure communications. It combines AES CTR encryption with authentication that is based on a polynomial evaluation hash function (GHASH) computed in F2128[x]/PGCM(x), where P_{GCM}(x) = x^{128}+ x^{7}+ x^{2}+ x+ 1. AES-GCM operates on 128-bit strings: it views them as AES inputs/outputs for the encryption, and as elements in F2128 for the authentication. Unfortunately, the order of the bits, by which GHASH parses 128-bit strings as field elements is inconsistent with the way that AES uses 128-bit ciphertext/plaintext strings as arrays of 16 bytes. This leads to one of the following conclusions: a) GHASH does not operate directly on the ciphertext blocks. In this case, AES ciphertext blocks need to be bit-reflected before they are input to the GHASH computations; b) the field representation is not F2128[x]/PGCM(x). In this case, field multiplications are not directly expressed by polynomial arithmetic modulo P_{GCM}(x). The specification AES-GCM bypasses this discrepancy by describing the GHASH field operations as bit-level algorithms, rather than in terms of polynomial arithmetic, as expected. We resolve the inconsistency by introducing a description of GHASH that uses polynomial arithmetic in G=F2128[x]/(x128+x127+x126+x121+1). This formulation helps parsing 128-bit strings as AES inputs/outputs and as field elements, in a consistent manner. It also leads naturally to several recent AES-GCM software optimizations which are now already in use by leading open source cryptographic libraries.

Original language | English |
---|---|

Title of host publication | Cyber Security, Cryptology, and Machine Learning - 7th International Symposium, CSCML 2023, Proceedings |

Editors | Shlomi Dolev, Ehud Gudes, Pascal Paillier |

Publisher | Springer Science and Business Media Deutschland GmbH |

Pages | 424-438 |

Number of pages | 15 |

ISBN (Print) | 9783031346705 |

DOIs | |

State | Published - 2023 |

Event | 7th International Symposium on Cyber Security, Cryptology, and Machine Learning, CSCML 2023 - Be'er Sheva, Israel Duration: 29 Jun 2023 → 30 Jun 2023 |

### Publication series

Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
---|---|

Volume | 13914 LNCS |

ISSN (Print) | 0302-9743 |

ISSN (Electronic) | 1611-3349 |

### Conference

Conference | 7th International Symposium on Cyber Security, Cryptology, and Machine Learning, CSCML 2023 |
---|---|

Country/Territory | Israel |

City | Be'er Sheva |

Period | 29/06/23 → 30/06/23 |

### Bibliographical note

Publisher Copyright:© 2023, The Author(s), under exclusive license to Springer Nature Switzerland AG.

## Keywords

- AES-GCM
- finite field arithmetic
- software optimization

## ASJC Scopus subject areas

- Theoretical Computer Science
- General Computer Science