AES-GMAC as a hash

Matt Ball matt.ball at
Tue Sep 1 12:37:24 EDT 2009

On Thu, Aug 27, 2009 at 8:45 AM, Darren J Moffat wrote:
> Ignoring performance for now what is the consensus on the suitabilty of using AES-GMAC not as MAC but as a hash ?
> Would it be safe ?
> The "key" input to AES-GMAC would be something well known to the data and/or software.
> The only reason I'm asking is assuming it can be made to perform on some classes of machine better than or close to SHA256 if it would be worth considering as an available alternate now until SHA-3 is choosen.

In the 2005 Security in Storage Workshop (see, David McGrew proposed using GMAC to
protect large dynamic data sets, such a random access memory (RAM)
(see  The general
idea is to use the linear characteristics of GMAC to dynamically
update the MAC when updating a memory address.  If your use-case is
similar to this approach, then it would be possible to securely use

However, there are many caveats when using GMAC, so it's vitally
important to understand all the constraints.


Matt Ball, Chair, IEEE P1619 Security in Storage Working Group
Staff Engineer, Sun Microsystems, Inc.
500 Eldorado Blvd, Bldg #5 BRM05-212, Broomfield, CO 80021
Work: 303-272-7580, Cell: 303-717-2717

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list