linux-crypto.vger.kernel.org archive mirror
From: Eric Biggers <ebiggers@kernel.org>
To: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>
Cc: "linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"davem@davemloft.net" <davem@davemloft.net>
Subject: Re: ghash
Date: Fri, 19 Jul 2019 09:16:07 -0700	[thread overview]
Message-ID: <20190719161606.GA1422@gmail.com> (raw)
In-Reply-To: <MN2PR20MB29737F1F60B3CBACBC4BD287CACB0@MN2PR20MB2973.namprd20.prod.outlook.com>

On Fri, Jul 19, 2019 at 02:05:01PM +0000, Pascal Van Leeuwen wrote:
> Hi,
> 
> While implementing GHASH support for the inside-secure driver and wondering why I couldn't get 
> the test vectors to pass I have come to the conclusion that ghash-generic.c actually does *not*
> implement GHASH at all. It merely implements the underlying chained GF multiplication, which,
> I understand, is convenient as a building block for e.g. aes-gcm but is NOT the full GHASH.
> Most importantly, it does NOT actually close the hash, so you can trivially add more data to the
> authenticated block (i.e. the resulting output cannot be used directly without external closing).
> 
> GHASH is defined as GHASH(H,A,C) whereby you do this chained GF multiply on a block of AAD
> data padded to 16 byte alignment with zeroes, followed by a block of ciphertext padded to 16
> byte alignment with zeroes, followed by a block that contains both AAD and cipher length.
> 
> See also https://en.wikipedia.org/wiki/Galois/Counter_Mode
> 
> Regards,
> Pascal van Leeuwen
> Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
> www.insidesecure.com
> 

Yes that's correct.  The hash APIs don't support multi-argument hashes, so
there's no natural way for it to be "full GHASH".  So it relies on the caller to
format the AAD and ciphertext into a single stream.  IMO it really should be
called something like "ghash_core".

Do you have some question or suggestion, or was this just an observation?

- Eric
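The distinction both messages draw, as an added worked example that is not code from the kernel or from either author: a pure-Python "ghash core" that only does the chained GF(2^128) multiply over caller-supplied 16-byte blocks (what the thread says ghash-generic.c computes), and the full GHASH(H, A, C) built on top of it by zero-padding AAD and ciphertext and appending the length block. The class and function names (`GhashCore`, `ghash`, `pad16`, `core_is_extendable`) are this example's own; the check values are the GCM specification's Test Case 2 (zero key, zero IV, one zero plaintext block), and the extendability check shows why an unclosed core digest cannot be used directly as an authentication tag.

```python
# Added example, not kernel code: GHASH per the GCM spec versus the chained
# multiply ("ghash core") that the thread describes. Pure Python, no dependencies.

R = 0xE1 << 120   # reduction constant in GCM's bit ordering (x^128 + x^7 + x^2 + x + 1)
BLOCK = 16


def gf_mul(x: int, y: int) -> int:
    """Multiply two 128-bit field elements using GCM's convention that bit 0
    is the most significant bit of the first byte (GCM spec, Algorithm 1)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


class GhashCore:
    """The building block only: Y_i = (Y_{i-1} xor X_i) * H over whole
    16-byte blocks. No padding, no length block, no closing, and the state
    can be resumed from a previous digest (hypothetical API, mirrors the
    behaviour the thread attributes to ghash-generic.c)."""

    def __init__(self, h: bytes, state: bytes = bytes(BLOCK)):
        self.h = int.from_bytes(h, "big")
        self.y = int.from_bytes(state, "big")

    def update(self, data: bytes) -> "GhashCore":
        if len(data) % BLOCK:
            raise ValueError("core takes whole 16-byte blocks; caller must pad")
        for i in range(0, len(data), BLOCK):
            block = int.from_bytes(data[i:i + BLOCK], "big")
            self.y = gf_mul(self.y ^ block, self.h)
        return self

    def digest(self) -> bytes:
        return self.y.to_bytes(BLOCK, "big")


def pad16(b: bytes) -> bytes:
    """Zero-pad to a multiple of 16 bytes (no padding if already aligned)."""
    return b + bytes(-len(b) % BLOCK)


def ghash(h: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """Full GHASH(H, A, C): the caller formats A and C into a single stream
    (zero-padded A, zero-padded C, then [len(A)]_64 || [len(C)]_64 in bits)
    and runs it through the core. The length block is what closes the hash."""
    lengths = (len(aad) * 8).to_bytes(8, "big") + (len(ciphertext) * 8).to_bytes(8, "big")
    return GhashCore(h).update(pad16(aad) + pad16(ciphertext) + lengths).digest()


def core_is_extendable(h: bytes, stream: bytes, extra: bytes) -> bool:
    """Why an unclosed core digest is not a tag: resuming from a previous
    digest and feeding more blocks gives exactly the digest of the longer
    stream, so nothing binds the output to the amount of data hashed."""
    first = GhashCore(h).update(stream).digest()
    continued = GhashCore(h, state=first).update(extra).digest()
    whole = GhashCore(h).update(stream + extra).digest()
    return continued == whole


def full_ghash_binds_length(h: bytes, ciphertext: bytes, extra: bytes) -> bool:
    """With the length block, GHASH over C and over C || extra cannot be
    obtained from one another by merely appending blocks to a state."""
    return ghash(h, b"", ciphertext) != ghash(h, b"", ciphertext + extra)


# Reference values taken from the GCM specification, Test Case 2
# (K = 0^128, IV = 0^96, P = 0^128): H = AES_K(0^128), C = E_K(J0 + 1).
H_TC2 = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
C_TC2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
GHASH_TC2 = bytes.fromhex("f38cbb1ad69223dcc3457ae5b6b0f885")

if __name__ == "__main__":
    print("full GHASH matches spec vector:", ghash(H_TC2, b"", C_TC2) == GHASH_TC2)
    print("core digest is extendable:", core_is_extendable(H_TC2, C_TC2, bytes(BLOCK)))
    print("full GHASH commits to length:", full_ghash_binds_length(H_TC2, C_TC2, bytes(BLOCK)))
```

Note that `ghash` is nothing but `GhashCore` run over a stream the caller has already formatted, which is exactly the division of labour described in the reply above: the multi-block multiply lives in one place, and the padding and length block that turn it into GHASH proper live with the caller (aes-gcm in the kernel's case).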


Thread overview: 9+ messages
2019-07-19 14:05 ghash Pascal Van Leeuwen
2019-07-19 16:16 ` Eric Biggers [this message]
2019-07-19 19:26   ` ghash Pascal Van Leeuwen
2019-07-19 19:56     ` ghash Eric Biggers
2019-07-19 20:49       ` ghash Pascal Van Leeuwen
2019-07-19 21:48         ` ghash Eric Biggers
2019-07-19 22:35           ` ghash Eric Biggers
2019-07-19 23:25             ` ghash Pascal Van Leeuwen
2019-07-19 23:09           ` ghash Pascal Van Leeuwen
