ghash
| Crates.io | ghash |
| lib.rs | ghash |
| version | 0.6.0-rc.2 |
| created_at | 2016-10-06 21:35:47.726226+00 |
| updated_at | 2025-09-03 03:25:41.558784+00 |
| description | Universal hash over GF(2^128) useful for constructing a Message Authentication Code (MAC), as in the AES-GCM authenticated encryption cipher. |
| homepage | |
| repository | https://github.com/RustCrypto/universal-hashes |
| max_upload_size | |
| id | 6769 |
| size | 29,438 |
MACs (github:rustcrypto:macs)
documentation
README
RustCrypto: GHASH
GHASH is a universal hash function which operates over GF(2^128) and can be used for constructing a Message Authentication Code (MAC).
Its primary intended use is for implementing AES-GCM.
Security
⚠️ Warning: Hazmat!
Universal hash functions have subtle security properties and are primarily intended as a building block for constructions like AEAD algorithms.
USE AT YOUR OWN RISK!
Security Notes
This crate has received one security audit by NCC Group, with no significant findings. We would like to thank MobileCoin for funding the audit.
All implementations contained in the crate are designed to execute in constant time, either by relying on hardware intrinsics (i.e. AVX2 on x86/x86_64), or using a portable implementation which is only constant time on processors which implement constant-time multiplication.
It is not suitable for use on processors with a variable-time multiplication operation (e.g. short circuit on multiply-by-zero / multiply-by-one, such as certain 32-bit PowerPC CPUs and some non-ARM microcontrollers).
Implementation Notes
The implementation of GHASH found in this crate internally uses the
polyval crate, which provides a similar universal hash function used by
AES-GCM-SIV (RFC 8452).
By implementing GHASH in terms of POLYVAL, the two universal hash functions
can share a common core, meaning any optimization work (e.g. CPU-specific
SIMD implementations) which happens upstream in the polyval crate
benefits GHASH as well.
From RFC 8452 Appendix A:
GHASH and POLYVAL both operate in GF(2^128), although with different irreducible polynomials: POLYVAL works modulo x^128 + x^127 + x^126 + x^121 + 1 and GHASH works modulo x^128 + x^7 + x^2 + x + 1. Note that these irreducible polynomials are the "reverse" of each other.
License
Licensed under either of:
at your option.
Contribution
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.