Abstract. This work presents a new method to compute the GHASH function involved in the Galois/Counter Mode of operation for block ciphers. If $X = X_1 \ldots X_n$ is a bit string made of $n$ blocks of 128 bits each, then the GHASH function effectively computes $X_1 H^n + X_2 H^{n-1} + \cdots + X_n H$, where $H$ is an element of the binary field $\mathbb{F}_{2^{128}}$. This operation is usually computed by using $n$ successive multiply-add operations over $\mathbb{F}_{2^{128}}$. In this work, we propose a method to replace all but a fixed number of those multiplications by additions on the field. This is achieved by using the characteristic polynomial of $H$. We present both how to use this polynomial to speed up the GHASH function and how to efficiently compute it for each session that uses a new $H$.
Nicolas Meloni, Christophe Nègre, M. Anwar
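The idea in the abstract, as an added Python sketch that is not the authors' code: the usual multiply-add loop next to a version that reduces the message polynomial modulo the characteristic polynomial of $H$ using XORs only, then evaluates the remainder at $H$. Assumptions: all function names are hypothetical, field elements use a plain polynomial-basis integer encoding rather than GCM's reflected bit order, and the characteristic polynomial is computed naively from the 128 conjugates of $H$ rather than by the efficient method the paper proposes.

```python
# Added illustration (hypothetical names). Field elements are ints with bit i =
# coefficient of x^i; GCM's reflected bit order is deliberately not modelled.
R = (1 << 128) | 0x87  # x^128 + x^7 + x^2 + x + 1, the GCM field polynomial

def gf_mul(a, b):
    """Multiply two field elements (carry-less product reduced modulo R)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:
            a ^= R
    return r

def ghash_horner(blocks, h):
    """X1*H^n + ... + Xn*H using n successive multiply-add steps."""
    y = 0
    for x in blocks:
        y = gf_mul(y ^ x, h)
    return y

def char_poly(h):
    """Coefficients, low degree first, of prod_{i<128} (t + H^(2^i)); all are 0 or 1."""
    poly, c = [1], h
    for _ in range(128):
        scaled = [gf_mul(p, c) for p in poly] + [0]          # c * poly(t)
        poly = [s ^ m for s, m in zip([0] + poly, scaled)]   # t * poly(t) + c * poly(t)
        c = gf_mul(c, c)                                     # next conjugate of H
    return poly

def ghash_charpoly(blocks, h, chi):
    """Same value as ghash_horner: reduce X(t) mod chi(t) with XORs, then evaluate at H."""
    taps = [j for j in range(128) if chi[j]]
    coef = [0] + list(reversed(blocks))       # coef[k] is the coefficient of t^k
    for k in range(len(coef) - 1, 127, -1):   # fold t^k, k >= 128, onto lower powers
        q = coef[k]
        for j in taps:
            coef[k - 128 + j] ^= q            # addition only: chi has 0/1 coefficients
    y = 0
    for c in reversed(coef[:128]):            # at most 128 multiplications, whatever n is
        y = gf_mul(y, h) ^ c
    return y

if __name__ == "__main__":
    h = 0x0123456789ABCDEFFEDCBA9876543210    # constructed sample value for H
    blocks = [(i * 0x9E3779B97F4A7C15F39CC0605CEDC835 + 1) % (1 << 128) for i in range(400)]
    chi = char_poly(h)
    print(hex(ghash_horner(blocks, h)), hex(ghash_charpoly(blocks, h, chi)))
```

The polynomial depends only on $H$, so in this sketch it is computed once and passed in for every message hashed under the same key.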