> Hmm, NIST SP 800-38D actually defines GHASH to take one argument, same as the
> Linux version. So even outside Linux, there is no consensus on whether "GHASH"
> refers to the one argument or two argument versions.

Funny, I just stumbled upon that 2007 NIST specification myself minutes ago,
before I saw this mail. So yes, it looks like they redefined GHASH from the
original 2005 McGrew/Viega definition there, although I don't have a clue as to
why ... Must've been after our initial hardware implementation though, since all
of our hardware strictly implements it according to the original McGrew/Viega
definition (which is also still surviving on Wikipedia).

> I.e. even if we had an API where the AAD and ciphertext were passed in
> separately, which is apparently what you'd prefer, people would complain that it
> doesn't match the NIST standard version.

Prefer is a big word ... it's just that our hardware cannot do unformatted GHASH
that way as that was not the specification at the time we implemented it. And
that redefinition went totally unnoticed.

> Of course, in the end the actually important thing is that everyone agrees on
> GCM, not that they agree on GHASH.

As long as GHASH is not being used for much else, probably. And in either case,
the crypto API implementation is flexible as it just pushes all the formatting
out. Our hardware, on the other hand :-(

Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
www.insidesecure.com
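The two GHASH definitions the thread is arguing about, side by side, as an added example that is not part of the mail thread, the Linux crypto API, or any Verimatrix/Inside Secure hardware. It implements the GF(2^128) multiplication of SP 800-38D Algorithm 1, the one-argument GHASH_H(X) of SP 800-38D section 6.4, and the two-argument GHASH(H, A, C) of McGrew/Viega 2005 (zero-padding and the len(A)||len(C) block done inside), plus the caller-side formatting step GCM performs before calling the one-argument form. The function and constant names are this example's own; the test vector (H, C and GHASH value) is GCM test case 2 from the McGrew/Viega specification (K = 0, IV = 0^96, one zero plaintext block, empty AAD), and the odd-sized AAD/ciphertext inputs in the self-check are constructed here, not published vectors.

```python
# Added example: NIST one-argument GHASH_H vs. McGrew/Viega two-argument GHASH.

R = 0xE1 << 120  # GCM reduction constant 11100001 || 0^120 (SP 800-38D)


def gf128_mul(x: int, y: int) -> int:
    """Multiply two 128-bit blocks in GF(2^128) with GCM's bit ordering
    (SP 800-38D Algorithm 1). Blocks are big-endian integers, so bit x_0 of
    the standard's bit string is integer bit 127 and LSB_1 is integer bit 0."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash_nist(h: bytes, x: bytes) -> bytes:
    """GHASH_H(X) per SP 800-38D section 6.4: one argument, X must already be
    a whole number of 128-bit blocks; padding and the length block are the
    caller's job (the 'formatting pushed out' model of the Linux API)."""
    if len(x) % 16:
        raise ValueError("X must be a multiple of 16 bytes")
    hk = int.from_bytes(h, "big")
    y = 0
    for i in range(0, len(x), 16):
        y = gf128_mul(y ^ int.from_bytes(x[i:i + 16], "big"), hk)
    return y.to_bytes(16, "big")


def ghash_mcgrew_viega(h: bytes, a: bytes, c: bytes) -> bytes:
    """GHASH(H, A, C) per McGrew/Viega 2005: AAD and ciphertext are separate
    arguments; the last partial block of each is zero-padded and the trailing
    [len(A)]64 || [len(C)]64 block (bit lengths) is appended internally."""
    hk = int.from_bytes(h, "big")
    x = 0

    def absorb(data: bytes) -> None:
        nonlocal x
        for i in range(0, len(data), 16):
            block = data[i:i + 16].ljust(16, b"\x00")  # pad a short last block
            x = gf128_mul(x ^ int.from_bytes(block, "big"), hk)

    absorb(a)
    absorb(c)
    length_block = ((len(a) * 8) << 64) | (len(c) * 8)
    x = gf128_mul(x ^ length_block, hk)
    return x.to_bytes(16, "big")


def format_for_nist_ghash(a: bytes, c: bytes) -> bytes:
    """The formatting GCM applies (SP 800-38D section 7.1) before calling the
    one-argument GHASH_H: A || 0^v || C || 0^u || [len(A)]64 || [len(C)]64."""
    def pad(b: bytes) -> bytes:
        return b + b"\x00" * (-len(b) % 16)
    return (pad(a) + pad(c)
            + (len(a) * 8).to_bytes(8, "big") + (len(c) * 8).to_bytes(8, "big"))


# GCM test case 2 (McGrew/Viega spec): K = 0^128, IV = 0^96, P = 0^128, A empty.
H_TC2 = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
C_TC2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
GHASH_TC2 = bytes.fromhex("f38cbb1ad69223dcc3457ae5b6b0f885")


def definitions_agree(h: bytes, a: bytes, c: bytes) -> bool:
    """True when two-argument GHASH equals one-argument GHASH_H applied to
    the caller-formatted input, i.e. the two definitions only differ in
    where the padding and length block are produced."""
    return ghash_mcgrew_viega(h, a, c) == ghash_nist(h, format_for_nist_ghash(a, c))


if __name__ == "__main__":
    assert ghash_mcgrew_viega(H_TC2, b"", C_TC2) == GHASH_TC2
    # Constructed inputs with partial blocks in both A and C (not a published vector).
    assert definitions_agree(H_TC2, b"header-bytes-of-odd-size", bytes(range(45)))
    print("GHASH(H, {}, C) for test case 2:", ghash_mcgrew_viega(H_TC2, b"", C_TC2).hex())
```

The point the mail makes is visible in the code: `ghash_mcgrew_viega` can only be built on top of `ghash_nist` by moving `format_for_nist_ghash` to the caller, which a software implementation can do freely; a hardware block that performs the padding and length-block step internally has no way to accept pre-formatted input.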