A New Interpretation for the GHASH Authenticator of AES-GCM

Shay Gueron

doi:10.1007/978-3-031-34671-2_30

A New Interpretation for the GHASH Authenticator of AES-GCM

Shay Gueron

School Of Business Administration

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

AES-GCM authenticated encryption scheme has a significant role in modern secure communications. It combines AES CTR encryption with authentication that is based on a polynomial evaluation hash function (GHASH) computed in F2128[x]/PGCM(x), where P_GCM(x) = x¹²⁸+ x⁷+ x²+ x+ 1. AES-GCM operates on 128-bit strings: it views them as AES inputs/outputs for the encryption, and as elements in F2128 for the authentication. Unfortunately, the order of the bits, by which GHASH parses 128-bit strings as field elements is inconsistent with the way that AES uses 128-bit ciphertext/plaintext strings as arrays of 16 bytes. This leads to one of the following conclusions: a) GHASH does not operate directly on the ciphertext blocks. In this case, AES ciphertext blocks need to be bit-reflected before they are input to the GHASH computations; b) the field representation is not F2128[x]/PGCM(x). In this case, field multiplications are not directly expressed by polynomial arithmetic modulo P_GCM(x). The specification AES-GCM bypasses this discrepancy by describing the GHASH field operations as bit-level algorithms, rather than in terms of polynomial arithmetic, as expected. We resolve the inconsistency by introducing a description of GHASH that uses polynomial arithmetic in G=F2128[x]/(x128+x127+x126+x121+1). This formulation helps parsing 128-bit strings as AES inputs/outputs and as field elements, in a consistent manner. It also leads naturally to several recent AES-GCM software optimizations which are now already in use by leading open source cryptographic libraries.

Original language	English
Title of host publication	Cyber Security, Cryptology, and Machine Learning - 7th International Symposium, CSCML 2023, Proceedings
Editors	Shlomi Dolev, Ehud Gudes, Pascal Paillier
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	424-438
Number of pages	15
ISBN (Print)	9783031346705
DOIs	https://doi.org/10.1007/978-3-031-34671-2_30
State	Published - 2023
Event	7th International Symposium on Cyber Security, Cryptology, and Machine Learning, CSCML 2023 - Be'er Sheva, Israel Duration: 29 Jun 2023 → 30 Jun 2023

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	13914 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	7th International Symposium on Cyber Security, Cryptology, and Machine Learning, CSCML 2023
Country/Territory	Israel
City	Be'er Sheva
Period	29/06/23 → 30/06/23

Bibliographical note

Publisher Copyright:
© 2023, The Author(s), under exclusive license to Springer Nature Switzerland AG.

Keywords

AES-GCM
finite field arithmetic
software optimization

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-031-34671-2_30

Cite this

Gueron, S. (2023). A New Interpretation for the GHASH Authenticator of AES-GCM. In S. Dolev, E. Gudes, & P. Paillier (Eds.), Cyber Security, Cryptology, and Machine Learning - 7th International Symposium, CSCML 2023, Proceedings (pp. 424-438). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13914 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-34671-2_30

Gueron, Shay. / A New Interpretation for the GHASH Authenticator of AES-GCM. Cyber Security, Cryptology, and Machine Learning - 7th International Symposium, CSCML 2023, Proceedings. editor / Shlomi Dolev ; Ehud Gudes ; Pascal Paillier. Springer Science and Business Media Deutschland GmbH, 2023. pp. 424-438 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{024c934b1cc94767a9e25d9e5e0c715d,

title = "A New Interpretation for the GHASH Authenticator of AES-GCM",

abstract = "AES-GCM authenticated encryption scheme has a significant role in modern secure communications. It combines AES CTR encryption with authentication that is based on a polynomial evaluation hash function (GHASH) computed in F2128[x]/PGCM(x), where PGCM(x) = x128+ x7+ x2+ x+ 1. AES-GCM operates on 128-bit strings: it views them as AES inputs/outputs for the encryption, and as elements in F2128 for the authentication. Unfortunately, the order of the bits, by which GHASH parses 128-bit strings as field elements is inconsistent with the way that AES uses 128-bit ciphertext/plaintext strings as arrays of 16 bytes. This leads to one of the following conclusions: a) GHASH does not operate directly on the ciphertext blocks. In this case, AES ciphertext blocks need to be bit-reflected before they are input to the GHASH computations; b) the field representation is not F2128[x]/PGCM(x). In this case, field multiplications are not directly expressed by polynomial arithmetic modulo PGCM(x). The specification AES-GCM bypasses this discrepancy by describing the GHASH field operations as bit-level algorithms, rather than in terms of polynomial arithmetic, as expected. We resolve the inconsistency by introducing a description of GHASH that uses polynomial arithmetic in G=F2128[x]/(x128+x127+x126+x121+1). This formulation helps parsing 128-bit strings as AES inputs/outputs and as field elements, in a consistent manner. It also leads naturally to several recent AES-GCM software optimizations which are now already in use by leading open source cryptographic libraries.",

keywords = "AES-GCM, finite field arithmetic, software optimization",

author = "Shay Gueron",

note = "Publisher Copyright: {\textcopyright} 2023, The Author(s), under exclusive license to Springer Nature Switzerland AG.; 7th International Symposium on Cyber Security, Cryptology, and Machine Learning, CSCML 2023 ; Conference date: 29-06-2023 Through 30-06-2023",

year = "2023",

doi = "10.1007/978-3-031-34671-2_30",

language = "English",

isbn = "9783031346705",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "424--438",

editor = "Shlomi Dolev and Ehud Gudes and Pascal Paillier",

booktitle = "Cyber Security, Cryptology, and Machine Learning - 7th International Symposium, CSCML 2023, Proceedings",

address = "Germany",

}

Gueron, S 2023, A New Interpretation for the GHASH Authenticator of AES-GCM. in S Dolev, E Gudes & P Paillier (eds), Cyber Security, Cryptology, and Machine Learning - 7th International Symposium, CSCML 2023, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 13914 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 424-438, 7th International Symposium on Cyber Security, Cryptology, and Machine Learning, CSCML 2023, Be'er Sheva, Israel, 29/06/23. https://doi.org/10.1007/978-3-031-34671-2_30

A New Interpretation for the GHASH Authenticator of AES-GCM. / Gueron, Shay.
Cyber Security, Cryptology, and Machine Learning - 7th International Symposium, CSCML 2023, Proceedings. ed. / Shlomi Dolev; Ehud Gudes; Pascal Paillier. Springer Science and Business Media Deutschland GmbH, 2023. p. 424-438 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 13914 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - A New Interpretation for the GHASH Authenticator of AES-GCM

AU - Gueron, Shay

PY - 2023

Y1 - 2023

N2 - AES-GCM authenticated encryption scheme has a significant role in modern secure communications. It combines AES CTR encryption with authentication that is based on a polynomial evaluation hash function (GHASH) computed in F2128[x]/PGCM(x), where PGCM(x) = x128+ x7+ x2+ x+ 1. AES-GCM operates on 128-bit strings: it views them as AES inputs/outputs for the encryption, and as elements in F2128 for the authentication. Unfortunately, the order of the bits, by which GHASH parses 128-bit strings as field elements is inconsistent with the way that AES uses 128-bit ciphertext/plaintext strings as arrays of 16 bytes. This leads to one of the following conclusions: a) GHASH does not operate directly on the ciphertext blocks. In this case, AES ciphertext blocks need to be bit-reflected before they are input to the GHASH computations; b) the field representation is not F2128[x]/PGCM(x). In this case, field multiplications are not directly expressed by polynomial arithmetic modulo PGCM(x). The specification AES-GCM bypasses this discrepancy by describing the GHASH field operations as bit-level algorithms, rather than in terms of polynomial arithmetic, as expected. We resolve the inconsistency by introducing a description of GHASH that uses polynomial arithmetic in G=F2128[x]/(x128+x127+x126+x121+1). This formulation helps parsing 128-bit strings as AES inputs/outputs and as field elements, in a consistent manner. It also leads naturally to several recent AES-GCM software optimizations which are now already in use by leading open source cryptographic libraries.

AB - AES-GCM authenticated encryption scheme has a significant role in modern secure communications. It combines AES CTR encryption with authentication that is based on a polynomial evaluation hash function (GHASH) computed in F2128[x]/PGCM(x), where PGCM(x) = x128+ x7+ x2+ x+ 1. AES-GCM operates on 128-bit strings: it views them as AES inputs/outputs for the encryption, and as elements in F2128 for the authentication. Unfortunately, the order of the bits, by which GHASH parses 128-bit strings as field elements is inconsistent with the way that AES uses 128-bit ciphertext/plaintext strings as arrays of 16 bytes. This leads to one of the following conclusions: a) GHASH does not operate directly on the ciphertext blocks. In this case, AES ciphertext blocks need to be bit-reflected before they are input to the GHASH computations; b) the field representation is not F2128[x]/PGCM(x). In this case, field multiplications are not directly expressed by polynomial arithmetic modulo PGCM(x). The specification AES-GCM bypasses this discrepancy by describing the GHASH field operations as bit-level algorithms, rather than in terms of polynomial arithmetic, as expected. We resolve the inconsistency by introducing a description of GHASH that uses polynomial arithmetic in G=F2128[x]/(x128+x127+x126+x121+1). This formulation helps parsing 128-bit strings as AES inputs/outputs and as field elements, in a consistent manner. It also leads naturally to several recent AES-GCM software optimizations which are now already in use by leading open source cryptographic libraries.

KW - AES-GCM

KW - finite field arithmetic

KW - software optimization

UR - http://www.scopus.com/inward/record.url?scp=85164953937&partnerID=8YFLogxK

U2 - 10.1007/978-3-031-34671-2_30

DO - 10.1007/978-3-031-34671-2_30

M3 - Conference contribution

AN - SCOPUS:85164953937

SN - 9783031346705

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 424

EP - 438

BT - Cyber Security, Cryptology, and Machine Learning - 7th International Symposium, CSCML 2023, Proceedings

A2 - Dolev, Shlomi

A2 - Gudes, Ehud

A2 - Paillier, Pascal

PB - Springer Science and Business Media Deutschland GmbH

T2 - 7th International Symposium on Cyber Security, Cryptology, and Machine Learning, CSCML 2023

Y2 - 29 June 2023 through 30 June 2023

ER -

Gueron S. A New Interpretation for the GHASH Authenticator of AES-GCM. In Dolev S, Gudes E, Paillier P, editors, Cyber Security, Cryptology, and Machine Learning - 7th International Symposium, CSCML 2023, Proceedings. Springer Science and Business Media Deutschland GmbH. 2023. p. 424-438. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-34671-2_30