From: Eric Biggers <ebiggers@kernel.org>
To: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>
Cc: "linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
"davem@davemloft.net" <davem@davemloft.net>
Subject: Re: ghash
Date: Fri, 19 Jul 2019 09:16:07 -0700 [thread overview]
Message-ID: <20190719161606.GA1422@gmail.com> (raw)
In-Reply-To: <MN2PR20MB29737F1F60B3CBACBC4BD287CACB0@MN2PR20MB2973.namprd20.prod.outlook.com>
On Fri, Jul 19, 2019 at 02:05:01PM +0000, Pascal Van Leeuwen wrote:
> Hi,
>
> While implementing GHASH support for the inside-secure driver and wondering why I couldn't get
> the test vectors to pass I have come to the conclusion that ghash-generic.c actually does *not*
> implement GHASH at all. It merely implements the underlying chained GF multiplication, which,
> I understand, is convenient as a building block for e.g. aes-gcm but it is NOT the full GHASH.
> Most importantly, it does NOT actually close the hash, so you can trivially add more data to the
> authenticated block (i.e. the resulting output cannot be used directly without external closing)
>
> GHASH is defined as GHASH(H,A,C) whereby you do this chained GF multiply on a block of AAD
> data padded to 16 byte alignment with zeroes, followed by a block of ciphertext padded to 16
> byte alignment with zeroes, followed by a block that contains both AAD and cipher length.
>
> See also https://en.wikipedia.org/wiki/Galois/Counter_Mode
>
> Regards,
> Pascal van Leeuwen
> Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
> www.insidesecure.com
>
Yes that's correct. The hash APIs don't support multi-argument hashes, so
there's no natural way for it to be "full GHASH". So it relies on the caller to
format the AAD and ciphertext into a single stream. IMO it really should be
called something like "ghash_core".
Do you have some question or suggestion, or was this just an observation?
- Eric
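The distinction in the thread above, as an added example that is not code from the kernel or from either poster: `ghash_core` below does what the message says ghash-generic.c does (the chained GF(2^128) multiply over a caller-formatted stream of whole blocks), and `ghash` is the full GHASH(H, A, C) from SP 800-38D, built on the same core by adding the zero padding and the closing length block. The field multiply is SP 800-38D Algorithm 1 in GCM's bit-reflected convention. The values of H, C and the intermediate X1 are the published GCM spec test case 2 (zero key, zero plaintext block, 96-bit zero IV), so the core output can be checked against X1 and the full hash against GHASH(H, {}, C) without needing an AES implementation; everything else is assumption-free Python.

```python
"""GHASH core versus full GHASH(H, A, C), per NIST SP 800-38D.

Added example, not kernel code: illustrates why a chained GF(2^128)
multiply over caller-formatted blocks is only the "core", and why the
caller must supply the zero padding and the closing length block.
"""

# x^128 + x^7 + x^2 + x + 1 in GCM's bit-reflected convention.
R = 0xE1 << 120
BLOCK = 16


def gf128_mul(x: int, y: int) -> int:
    """Multiply two GCM field elements (blocks read as big-endian ints).

    SP 800-38D Algorithm 1: GCM's bit 0 is the MSB of the first byte, so
    "bit i of x" is bit 127-i of the integer, and GCM's right shift is an
    ordinary integer right shift.
    """
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash_core(h: bytes, stream: bytes, state: bytes = bytes(BLOCK)) -> bytes:
    """The core: Y_i = (Y_{i-1} xor X_i) * H over whole 16-byte blocks.

    No padding and no length block are applied, so the return value is just
    the running state; anyone holding it can keep feeding blocks.
    """
    if len(stream) % BLOCK:
        raise ValueError("core expects whole blocks; the caller must pad")
    h_int = int.from_bytes(h, "big")
    y = int.from_bytes(state, "big")
    for off in range(0, len(stream), BLOCK):
        y = gf128_mul(y ^ int.from_bytes(stream[off:off + BLOCK], "big"), h_int)
    return y.to_bytes(BLOCK, "big")


def _zero_pad(data: bytes) -> bytes:
    return data + bytes(-len(data) % BLOCK)


def length_block(aad: bytes, ciphertext: bytes) -> bytes:
    """[len(A)]_64 || [len(C)]_64, both in bits, big-endian."""
    return (8 * len(aad)).to_bytes(8, "big") + (8 * len(ciphertext)).to_bytes(8, "big")


def ghash(h: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """Full GHASH(H, A, C): pad A and C with zeros to block boundaries, then
    close with the length block. The length block is what binds where A
    ends and C begins and prevents appending further blocks."""
    stream = _zero_pad(aad) + _zero_pad(ciphertext) + length_block(aad, ciphertext)
    return ghash_core(h, stream)


# Reference values from GCM spec test case 2 (K = 0^128, P = 0^128, IV = 0^96).
H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")          # AES_K(0^128)
C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")          # the ciphertext block
X1 = bytes.fromhex("5e2ec746917062882c85b0685353deb7")         # C * H: core output only
GHASH_REF = bytes.fromhex("f38cbb1ad69223dcc3457ae5b6b0f885")  # GHASH(H, {}, C)


def core_is_extendable(h: bytes, data: bytes, extra: bytes) -> bool:
    """Show that a core output is a resumable state: continuing from it with
    more blocks equals hashing the concatenation in one go."""
    return ghash_core(h, extra, state=ghash_core(h, data)) == ghash_core(h, data + extra)


if __name__ == "__main__":
    print("core  :", ghash_core(H, C).hex(), "(matches X1:", ghash_core(H, C) == X1, ")")
    print("ghash :", ghash(H, b"", C).hex(), "(matches ref:", ghash(H, b"", C) == GHASH_REF, ")")
    print("core output resumable:", core_is_extendable(H, C, bytes(BLOCK)))
```

Running it shows the two results differ: the core alone returns X1, and only after the caller appends the length block does the output equal GHASH(H, {}, C). The `core_is_extendable` check is the practical consequence of the point raised in the message: a core output is an intermediate state, so a driver that exposes it without the closing block hands back something that can be continued.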
Thread overview: 9+ messages
2019-07-19 14:05 ghash Pascal Van Leeuwen
2019-07-19 16:16 ` Eric Biggers [this message]
2019-07-19 19:26 ` ghash Pascal Van Leeuwen
2019-07-19 19:56 ` ghash Eric Biggers
2019-07-19 20:49 ` ghash Pascal Van Leeuwen
2019-07-19 21:48 ` ghash Eric Biggers
2019-07-19 22:35 ` ghash Eric Biggers
2019-07-19 23:25 ` ghash Pascal Van Leeuwen
2019-07-19 23:09 ` ghash Pascal Van Leeuwen