From: Eric Biggers <ebiggers@kernel.org>
To: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>
Cc: "linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
"davem@davemloft.net" <davem@davemloft.net>
Subject: Re: ghash
Date: Fri, 19 Jul 2019 09:16:07 -0700
Message-ID: <20190719161606.GA1422@gmail.com>
In-Reply-To: <MN2PR20MB29737F1F60B3CBACBC4BD287CACB0@MN2PR20MB2973.namprd20.prod.outlook.com>
On Fri, Jul 19, 2019 at 02:05:01PM +0000, Pascal Van Leeuwen wrote:
> Hi,
>
> While implementing GHASH support for the inside-secure driver and wondering why I couldn't get
> the test vectors to pass I have come to the conclusion that ghash-generic.c actually does *not*
> implement GHASH at all. It merely implements the underlying chained GF multiplication, which,
> I understand, is convenient as a building block for e.g. aes-gcm but is NOT the full GHASH.
> Most importantly, it does NOT actually close the hash, so you can trivially add more data to the
> authenticated block (i.e. the resulting output cannot be used directly without external closing).
>
> GHASH is defined as GHASH(H,A,C) whereby you do this chained GF multiply on a block of AAD
> data padded to 16 byte alignment with zeroes, followed by a block of ciphertext padded to 16
> byte alignment with zeroes, followed by a block that contains both AAD and cipher length.
>
> See also https://en.wikipedia.org/wiki/Galois/Counter_Mode
>
> Regards,
> Pascal van Leeuwen
> Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
> www.insidesecure.com
>
Yes that's correct. The hash APIs don't support multi-argument hashes, so
there's no natural way for it to be "full GHASH". So it relies on the caller to
format the AAD and ciphertext into a single stream. IMO it really should be
called something like "ghash_core".
Do you have some question or suggestion, or was this just an observation?
- Eric
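Added example, not code from this thread or from the kernel's ghash-generic.c: a Python model of the split Eric describes, with the chained GF(2^128) multiply as an unclosed `GhashCore` and the AAD/ciphertext zero padding plus the length block supplied by the caller in `ghash()`. The class and function names are mine; `H` and `C` are the published values from GCM spec test case 2.

```python
# GCM's GF(2^128) is bit-reflected: the most significant bit of the first byte
# is the coefficient of x^0, and R is x^128 + x^7 + x^2 + x + 1 in that form.
R = 0xE1 << 120
BLOCK = 16


def gf128_mul(x: int, y: int) -> int:
    """Multiply two 128-bit field elements (Algorithm 1 of the GCM spec)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:  # bit i of y, numbered from the left
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


class GhashCore:
    """Chained multiply only, Y_i = (Y_{i-1} xor X_i) * H; it is never closed."""

    def __init__(self, h: bytes) -> None:
        self.h = int.from_bytes(h, "big")
        self.y = 0

    def update(self, data: bytes) -> "GhashCore":
        # Whole blocks only: zero padding and the length block are the
        # caller's job, so this digest alone is not a closed MAC.
        if len(data) % BLOCK:
            raise ValueError("update() needs whole 16-byte blocks")
        for off in range(0, len(data), BLOCK):
            block = int.from_bytes(data[off:off + BLOCK], "big")
            self.y = gf128_mul(self.y ^ block, self.h)
        return self

    def digest(self) -> bytes:
        return self.y.to_bytes(BLOCK, "big")


def pad16(data: bytes) -> bytes:
    return data + b"\x00" * (-len(data) % BLOCK)


def ghash(h: bytes, aad: bytes, ct: bytes) -> bytes:
    """Full GHASH(H, A, C): the caller-side formatting the thread describes."""
    lengths = (8 * len(aad)).to_bytes(8, "big") + (8 * len(ct)).to_bytes(8, "big")
    return GhashCore(h).update(pad16(aad) + pad16(ct) + lengths).digest()

# GCM spec test case 2 (K = 0^128, one zero plaintext block): published H and C;
# ghash(H, b"", C) must equal the spec's f38cbb1ad69223dcc3457ae5b6b0f885.
H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
```

Running `GhashCore(H).update(C).digest()` and `ghash(H, b"", C)` side by side shows the point of the thread: the first is the intermediate X1 the kernel's primitive hands back, the second is what the length block closes it into.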