Home

GHASH

GHASH (Galois Hash) is a universal hash function defined over the finite field GF(2^128) and used as the authentication component of the Galois/Counter Mode (GCM) of operation for block ciphers such as AES. The construction takes a sequence of data blocks, multiplies each block by a pre‑computed hash subkey H (derived by encrypting the all‑zero block with the underlying cipher), and accumulates the results using XOR operations. The multiplication is performed in the binary field using polynomial multiplication modulo the irreducible polynomial x^128 + x^7 + x^2 + x + 1.

In GCM, GHASH processes both the ciphertext and any additional authenticated data (AAD) to produce a 128‑bit

Security of GHASH relies on the secrecy of the hash subkey H; for a random key, the

GHASH is specified in NIST Special Publication 800‑38D and has been incorporated into many cryptographic libraries,

authentication
tag.
The
tag
is
then
combined
with
the
encrypted
counter
block
to
provide
confidentiality
and
integrity
in
a
single
pass.
Because
the
field
operations
are
efficiently
implementable
on
modern
processors,
GHASH
enables
high‑throughput
authenticated
encryption
with
low
latency.
probability
of
a
collision
in
the
hash
output
is
bounded
by
2^−128,
making
forgery
attacks
infeasible
under
standard
assumptions.
However,
misuse
of
the
same
key
for
both
encryption
and
authentication
or
reuse
of
the
same
IV
across
messages
can
undermine
security.
including
OpenSSL,
BoringSSL,
and
cryptographic
hardware
accelerators.
Its
lightweight
arithmetic
makes
it
suitable
for
constrained
environments
such
as
embedded
systems
and
high‑speed
network
appliances.