[cryptography] AES-GMAC as a hash

Eric Young eay at pobox.com
Fri Sep 4 18:25:30 EDT 2009


Darren J Moffat wrote:
> Ignoring performance for now what is the consensus on the suitability
> of using AES-GMAC not as MAC but as a hash ?
>
> Would it be safe ?
>
> The "key" input to AES-GMAC would be something well known to the data
> and/or software.
>
> The only reason I'm asking is assuming it can be made to perform on
> some classes of machine better than or close to SHA256 if it would be
> worth considering as an available alternate now until SHA-3 is chosen.
>
Regarding the speed of GMAC, Intel has added a
carry-less-multiplication instruction to their next generation CPUs
(PCLMULQDQ)[1].
The core is the Westmere, and is shipping in engineering samples, now.
This is also the CPU generation to contain the AES instructions.
Unfortunately I'm only running my implementation under the intel
simulator which is not cycle accurate, so I'm not sure just how fast
this hardware support will make things.  My understanding is that the
next generation AMD CPUs, (bulldozer) will also support these instructions.

eric

[1]
http://software.intel.com/en-us/articles/carry-less-multiplication-and-its-usage-for-computing-the-gcm-mode/
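As an added example (not code from either poster), here is the GF(2^128) multiply that PCLMULQDQ accelerates and the GHASH polynomial that GMAC is built on, in pure Python: a software carry-less multiply stands in for the instruction, followed by reduction modulo GCM's field polynomial, bit reflection to match GCM's bit ordering, and a GHASH check against the published GCM test vectors. The only assumption is the hard-coded H = AES_K(0) for the all-zero key, so the block needs no AES; note that GHASH is simply a polynomial in H with the data blocks as coefficients, so with a well-known key every input to it is public.

```python
# Added example: software model of the GF(2^128) arithmetic behind GMAC/GHASH.
# clmul() plays the role of PCLMULQDQ (carry-less product, no reduction).

GCM_POLY = (1 << 128) | 0x87          # x^128 + x^7 + x^2 + x + 1


def clmul(a: int, b: int) -> int:
    """Carry-less (GF(2) polynomial) product; PCLMULQDQ does this for 64x64 bits."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        b >>= 1
    return p


def reduce_gcm(p: int) -> int:
    """Reduce a product of degree < 256 modulo GCM's field polynomial."""
    for i in range(255, 127, -1):
        if (p >> i) & 1:
            p ^= GCM_POLY << (i - 128)
    return p


def bitrev128(x: int) -> int:
    """GCM keeps the x^0 coefficient in the most significant bit; flip to natural order."""
    return int(f"{x:0128b}"[::-1], 2)


def gf128_mul(x: int, y: int) -> int:
    """Field multiply in GCM bit order: reflect, clmul, reduce, reflect back."""
    return bitrev128(reduce_gcm(clmul(bitrev128(x), bitrev128(y))))


def ghash(h: bytes, aad: bytes, ct: bytes) -> bytes:
    """GHASH_H(A, C): evaluate the polynomial whose coefficients are the blocks of A, C, lengths."""
    hk = int.from_bytes(h, "big")
    y = 0
    for data in (aad, ct):
        for i in range(0, len(data), 16):
            block = data[i:i + 16].ljust(16, b"\0")   # zero-pad the final partial block
            y = gf128_mul(y ^ int.from_bytes(block, "big"), hk)
    lengths = ((len(aad) * 8) << 64) | (len(ct) * 8)  # 64-bit bit-lengths of A and C
    y = gf128_mul(y ^ lengths, hk)
    return y.to_bytes(16, "big")


# Assumed/hard-coded: H = AES_K(0^128) for K = 0^128 (published GCM test vector value).
H_ZERO_KEY = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")

if __name__ == "__main__":
    ct = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")  # GCM test case 2 ciphertext
    print(ghash(H_ZERO_KEY, b"", ct).hex())
```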
