High performance GHASH and impacts of a class of unconventional bases

  • Nicolas Méloni
  • Christophe Negre
  • M. Anwar Hasan
Regular Paper


This work presents a new method to compute the GHASH function involved in the Galois/Counter Mode of operation for block ciphers. If \({X= X_1\ldots X_n}\) is a bit string made of n blocks of 128 bits each, then the GHASH function essentially computes \({X_1H^n + X_2H^{n-1} + \cdots+ X_nH}\), where H is the hash key, an element of the binary field \({\mathbb{F}_{2^{128}}}\). This operation is usually computed with n successive multiply-and-add operations over \({\mathbb{F}_{2^{128}}}\). Our proposed method replaces all but a fixed number of those multiplications by additions in the field. This is achieved using the characteristic polynomial of H. We present both how to use this polynomial to speed up the GHASH function and how to compute it efficiently for each session that uses a new H. We also show that the proposed technique can be parallelized to compute GHASH even faster. In order to eliminate the need for a field multiplication completely, we investigate a different set of bases for the field element representation and report their architectural and possible security impacts.
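As an added illustration (editor's code, not the authors' implementation and not necessarily the paper's exact algorithm), the following Python computes GHASH two ways: GCM's ordinary multiply-and-add loop, and the reduce-then-evaluate idea of the abstract, where the block string is viewed as a polynomial in Y with field-element coefficients, reduced modulo a GF(2)-coefficient polynomial that annihilates H using XORs only, and the remainder is then evaluated at H with a number of multiplications that does not grow with n. The annihilating polynomial is found here by Gaussian elimination over GF(2) on the powers of H, which is an assumption of this example rather than the paper's method. Field arithmetic follows the bit-serial algorithm of NIST SP 800-38D and branches on secret bits, so it is for exposition only; the long message is constructed, and the one real check is test case 2 of the GCM specification.

```python
"""GHASH two ways: the standard multiply-and-add (Horner) loop of GCM, and the
reduce-then-evaluate scheme the abstract describes, in which a polynomial that
annihilates H turns all but a fixed number of field multiplications into XORs.
Editor-added illustration, not the authors' code; field arithmetic follows
NIST SP 800-38D (bit-serial, not constant-time: for exposition only)."""

R = 0xE1 << 120      # reduction constant: x^128 + x^7 + x^2 + x + 1 in GCM's bit order
ONE = 1 << 127       # the field element 1 (GCM maps x^0 to the leftmost bit)
mul_count = 0        # counts field multiplications so the two schemes can be compared


def gf_mul(x, y):
    """GF(2^128) product of two 128-bit ints in GCM's reflected bit order
    (Algorithm 1 of SP 800-38D)."""
    global mul_count
    mul_count += 1
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash_horner(h, blocks):
    """Reference GHASH: y <- (y xor X_i) * H per block, giving X_1 H^n + ... + X_n H
    with n multiplications."""
    y = 0
    for x in blocks:
        y = gf_mul(y ^ x, h)
    return y


def minimal_polynomial(h):
    """Least-degree m(Y) over GF(2) with m(H) = 0, returned as (d, m) where bit j of
    the int m is the coefficient of Y^j (bit d set).  Multiplication by H is
    GF(2)-linear on the 128 bits, so 1, H, H^2, ... become dependent by k = 128;
    incremental Gaussian elimination (an assumption of this example) finds the
    first dependency."""
    basis = {}                       # pivot bit -> (echelon vector, powers it is a sum of)
    power, k = ONE, 0
    while True:
        vec, combo = power, 1 << k
        for bit in range(127, -1, -1):
            if (vec >> bit) & 1 and bit in basis:
                bvec, bcombo = basis[bit]
                vec ^= bvec
                combo ^= bcombo
        if vec == 0:                 # H^k is a sum of lower powers: m(Y) = sum of Y^j, j in combo
            return k, combo
        basis[vec.bit_length() - 1] = (vec, combo)
        power, k = gf_mul(power, h), k + 1


def poly_eval(m, h):
    """Evaluate a GF(2)-coefficient polynomial m (bit j = coefficient of Y^j) at h."""
    y = 0
    for j in range(m.bit_length() - 1, -1, -1):
        y = gf_mul(y, h) ^ (ONE if (m >> j) & 1 else 0)
    return y


def ghash_reduced(h, blocks, minpoly):
    """GHASH as in the abstract: view X_1 Y^n + ... + X_n Y as a polynomial in Y with
    field-element coefficients, reduce it modulo m(Y) with XORs only (m has GF(2)
    coefficients, so no field multiplication is needed), then evaluate the
    remainder, of degree < d, at H: d multiplications whatever n is."""
    d, m = minpoly
    n = len(blocks)
    coef = [0] * max(n + 1, d)       # coef[k] is the coefficient of Y^k
    for i, x in enumerate(blocks, 1):
        coef[n + 1 - i] = x
    low = [j for j in range(d) if (m >> j) & 1]     # Y^d = sum_{j in low} Y^j (mod m)
    for k in range(n, d - 1, -1):    # top-down reduction, additions only
        c = coef[k]
        if c:
            coef[k] = 0
            for j in low:
                coef[k - d + j] ^= c
    y = 0
    for k in range(d - 1, -1, -1):   # Horner on the remainder
        y = gf_mul(y, h) ^ coef[k]
    return y


# Test case 2 of the GCM specification (K = 0, P = 0^128): H = AES_K(0^128),
# C is the single ciphertext block and the final block encodes len(A) || len(C).
H_TC2 = 0x66e94bd4ef8a2c3b884cfa59ca342b2e
C_TC2 = 0x0388dace60b6a392f328c2b971b2fe78
LEN_TC2 = 0x80
GHASH_TC2 = 0xf38cbb1ad69223dcc3457ae5b6b0f885


def demo(h=H_TC2, n=300):
    """Hash n constructed blocks both ways; return (horner, reduced, d, muls_horner, muls_reduced)."""
    global mul_count
    blocks = [(i * 0x9E3779B97F4A7C15F39CC0605CEDC835) & ((1 << 128) - 1)
              for i in range(1, n + 1)]          # constructed sample message
    minpoly = minimal_polynomial(h)              # computed once per session key
    mul_count = 0
    ref = ghash_horner(h, blocks)
    muls_horner = mul_count
    mul_count = 0
    red = ghash_reduced(h, blocks, minpoly)
    return ref, red, minpoly[0], muls_horner, mul_count


if __name__ == "__main__":
    assert ghash_horner(H_TC2, [C_TC2, LEN_TC2]) == GHASH_TC2
    print([hex(v) if i < 2 else v for i, v in enumerate(demo())])
```

With 300 blocks the Horner loop performs 300 field multiplications, while the reduced form performs d of them (d = 128 for any H outside a proper subfield), plus the one-off cost of finding m(Y) when the session key changes; the reduction step itself is pure XOR, which is the point the abstract makes. The paper's further step of changing the field basis to remove the remaining multiplications is not shown here.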


Keywords: Galois/Counter mode, GHASH function, Characteristic polynomial, Basis representation



Copyright information

© Springer-Verlag 2011

Authors and Affiliations

  • Nicolas Méloni (1)
  • Christophe Negre (2, 3, 4)
  • M. Anwar Hasan (5)
  1. Université de Toulon, Toulon, France
  2. ECE Department, University of Waterloo, Waterloo, Canada
  3. LIRMM, Université Montpellier 2, Montpellier, France
  4. Team DALI, Université de Perpignan, Perpignan, France
  5. Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, Canada
