AES-GMAC as a hash

Darren J Moffat Darren.Moffat at Sun.COM
Tue Sep 1 05:39:21 EDT 2009

Hal Finney wrote:
> Darren J Moffat <Darren.Moffat at Sun.COM> asks:
>> Ignoring performance for now what is the consensus on the suitability of 
>> using AES-GMAC not as MAC but as a hash?
>> Would it be safe ?
>> The "key" input to AES-GMAC would be something well known to the data 
>> and/or software.
> No, I don't think this would work. In general, giving a MAC a fixed key
> cannot be expected to produce a good hash. With AES-GMAC in particular,
> it is unusual in that it has a third input (besides key and data to MAC),
> an IV, which makes your well-known-key strategy problematic. And even as a
> MAC, it is very important that a given key/IV pair never be reused. Fixing
> a value for the key and perhaps IV would defeat this provision.
> But even ignoring all that, GMAC amounts to a linear combination of
> the text blocks - they are the coefficients of a polynomial. The reason
> you can get away with it in GMAC is because the polynomial variable is
> secret, it is based on the key. So you don't know how things are being
> combined. But with a known key and IV, there would be no security at all.
> It would be linear like a CRC.

Thanks, that is pretty much what I suspected would be the answer but you 
have more detail than I could muster in my head at a first pass on this.


Darren J Moffat
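
The linearity argument in the quoted reply, as an added example that is not part of the original thread: with the GHASH subkey H known, a second message with the same GHASH value can be computed directly, and since the final AES mask is constant for a fixed key and IV, the GMAC outputs are equal too. H, MSG and the helper names are constructed for illustration; in real GMAC H is AES_K(0^128), which anyone can compute once K is well known.

```python
R = 0xE1 << 120  # GCM reduction constant (bit-reflected, NIST SP 800-38D)

def gf_mul(x, y):
    """Multiply two 128-bit blocks in GF(2^128) using GCM's bit ordering."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def ghash(h, data):
    """GHASH as GMAC uses it: data is the AAD, the ciphertext is empty."""
    padded = data + b"\x00" * (-len(data) % 16)
    y = 0
    for i in range(0, len(padded), 16):
        y = gf_mul(y ^ int.from_bytes(padded[i:i + 16], "big"), h)
    length_block = (len(data) * 8) << 64  # len(A) || len(C) = 0, in bits
    return gf_mul(y ^ length_block, h)

def colliding_message(h, msg, delta):
    """Same-length message with the same GHASH, built from h alone.
    XOR delta into block 0 and delta*h into block 1: the two contributions,
    delta*h^(n+1) and (delta*h)*h^n, cancel in the polynomial."""
    if len(msg) < 32 or delta == 0:
        raise ValueError("need two full blocks and a non-zero delta")
    b0 = int.from_bytes(msg[:16], "big") ^ delta
    b1 = int.from_bytes(msg[16:32], "big") ^ gf_mul(delta, h)
    return b0.to_bytes(16, "big") + b1.to_bytes(16, "big") + msg[32:]

def xor_bytes(*parts):
    """XOR equal-length byte strings together."""
    out = bytes(len(parts[0]))
    for p in parts:
        out = bytes(a ^ b for a, b in zip(out, p))
    return out

# Constructed sample values (not taken from the thread).
H = int.from_bytes(bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"), "big")
MSG = b"constructed sample input for the GHASH demo"

if __name__ == "__main__":
    forged = colliding_message(H, MSG, delta=1)
    print("messages differ:", forged != MSG)
    print("GHASH values equal:", ghash(H, forged) == ghash(H, MSG))
```
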

The Cryptography Mailing List