A New Interpretation for the GHASH Authenticator of AES-GCM

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review


The AES-GCM authenticated encryption scheme has a significant role in modern secure communications. It combines AES CTR encryption with authentication that is based on a polynomial evaluation hash function (GHASH) computed in $\mathbb{F}_{2^{128}}[x]/P_{GCM}(x)$, where $P_{GCM}(x) = x^{128} + x^{7} + x^{2} + x + 1$. AES-GCM operates on 128-bit strings: it views them as AES inputs/outputs for the encryption, and as elements of $\mathbb{F}_{2^{128}}$ for the authentication. Unfortunately, the bit order by which GHASH parses 128-bit strings as field elements is inconsistent with the way AES uses 128-bit ciphertext/plaintext strings as arrays of 16 bytes. This leads to one of the following conclusions: a) GHASH does not operate directly on the ciphertext blocks; in this case, AES ciphertext blocks need to be bit-reflected before they are input to the GHASH computations; b) the field representation is not $\mathbb{F}_{2^{128}}[x]/P_{GCM}(x)$; in this case, field multiplications are not directly expressed by polynomial arithmetic modulo $P_{GCM}(x)$. The AES-GCM specification bypasses this discrepancy by describing the GHASH field operations as bit-level algorithms, rather than in terms of polynomial arithmetic, as would be expected. We resolve the inconsistency by introducing a description of GHASH that uses polynomial arithmetic in $G = \mathbb{F}_{2^{128}}[x]/(x^{128} + x^{127} + x^{126} + x^{121} + 1)$. This formulation allows 128-bit strings to be parsed as AES inputs/outputs and as field elements in a consistent manner. It also leads naturally to several recent AES-GCM software optimizations that are already in use by leading open source cryptographic libraries.
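The following is an added example (editor's code, not code from the paper or from any library) that makes the abstract's point concrete: it computes the GHASH product with the bit-level algorithm of NIST SP 800-38D, and again as ordinary polynomial arithmetic modulo $x^{128}+x^{127}+x^{126}+x^{121}+1$ on the natural big-endian reading of the same 16-byte strings, and the two agree. The relation used, rev(c) = rev(a)·rev(b)·x^(-127) mod Q, is derived in the comments and is the editor's own formulation, not necessarily the paper's.

```python
# Added example (not the paper's code). Q(x) = x^128 + x^127 + x^126 + x^121 + 1 is
# the bit-reversal of P_GCM(x) = x^128 + x^7 + x^2 + x + 1, so reversing the 128 bits
# of each operand turns a GCM product into a plain polynomial product modulo Q(x):
#   from a*b = q*P_GCM + c, substitute x -> 1/x and scale by x^254 to get
#   rev(a)*rev(b) = q'*Q + x^127 * rev(c),  i.e.  rev(c) = rev(a)*rev(b)*x^-127 mod Q.
# Reading a 16-byte string big-endian already equals rev(.) of GCM's leftmost-bit-first
# parsing, so the second function needs no bit reflection of the AES blocks.
Q = (1 << 128) | (1 << 127) | (1 << 126) | (1 << 121) | 1  # Q(x) as a bit mask

def gcm_mul_nist(x: bytes, y: bytes) -> bytes:
    """Algorithm 1 of NIST SP 800-38D: bit-level GF(2^128) product, GCM bit order."""
    R = 0xE1 << 120                      # R = 11100001 || 0^120
    X = int.from_bytes(x, "big")
    V = int.from_bytes(y, "big")
    Z = 0
    for i in range(128):
        if (X >> (127 - i)) & 1:         # x_i: bit i counted from the leftmost bit
            Z ^= V
        V = (V >> 1) ^ R if V & 1 else V >> 1   # V <- V * alpha (rightmost bit = x^127)
    return Z.to_bytes(16, "big")

def clmul(a: int, b: int) -> int:
    """Carry-less product of two polynomials over GF(2) held as bit masks."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def mod_q(p: int) -> int:
    """Reduce p(x), deg p < 256, modulo Q(x) by cancelling leading terms."""
    for d in range(p.bit_length() - 1, 127, -1):
        if (p >> d) & 1:
            p ^= Q << (d - 128)
    return p

def div_x(p: int) -> int:
    """p(x) * x^-1 mod Q(x): Q has constant term 1, so adding Q makes an odd p even."""
    if p & 1:
        p ^= Q
    return p >> 1

def gcm_mul_poly(x: bytes, y: bytes) -> bytes:
    """Same GCM product as polynomial arithmetic in G on the big-endian reading."""
    a = int.from_bytes(x, "big")
    b = int.from_bytes(y, "big")
    c = mod_q(clmul(a, b))
    for _ in range(127):                 # the x^-127 factor from the derivation above
        c = div_x(c)
    return c.to_bytes(16, "big")
```

The 127 single-bit divisions are only for clarity: since GHASH is a Horner evaluation in powers of H, the constant x^(-127) can be folded once into the key (rev(H)·x^(-127) mod Q), after which each block costs one carry-less product plus one reduction modulo Q.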

Original language: English
Title of host publication: Cyber Security, Cryptology, and Machine Learning - 7th International Symposium, CSCML 2023, Proceedings
Editors: Shlomi Dolev, Ehud Gudes, Pascal Paillier
Publisher: Springer Science and Business Media Deutschland GmbH
Number of pages: 15
ISBN (Print): 9783031346705
State: Published - 2023
Event: 7th International Symposium on Cyber Security, Cryptology, and Machine Learning, CSCML 2023 - Be'er Sheva, Israel
Duration: 29 Jun 2023 to 30 Jun 2023

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 13914 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349


Conference: 7th International Symposium on Cyber Security, Cryptology, and Machine Learning, CSCML 2023
City: Be'er Sheva

Bibliographical note

Publisher Copyright:
© 2023, The Author(s), under exclusive license to Springer Nature Switzerland AG.


Keywords

  • finite field arithmetic
  • software optimization

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science

