[144823] in cryptography@c2.net mail archive


Re: [cryptography] AES-GMAC as a hash

daemon@ATHENA.MIT.EDU (Eric Young)
Tue Sep 8 20:42:05 2009

Date: Sat, 05 Sep 2009 08:25:30 +1000
From: Eric Young <eay@pobox.com>
To: Darren J Moffat <Darren.Moffat@Sun.COM>
CC: cryptography@metzdowd.com
In-Reply-To: <4A969C23.5090007@Sun.COM>

Darren J Moffat wrote:
> Ignoring performance for now, what is the consensus on the suitability
> of using AES-GMAC not as a MAC but as a hash?
>
> Would it be safe?
>
> The "key" input to AES-GMAC would be something well known to the data
> and/or software.
>
> The only reason I'm asking is, assuming it can be made to perform on
> some classes of machine better than or close to SHA256, whether it would be
> worth considering as an available alternative now until SHA-3 is chosen.
>
Regarding the speed of GMAC, Intel has added a
carry-less-multiplication instruction to their next generation CPUs
(PCLMULQDQ) [1].
The core is the Westmere, and is shipping in engineering samples now.
This is also the CPU generation to contain the AES instructions.
Unfortunately I'm only running my implementation under the Intel
simulator, which is not cycle accurate, so I'm not sure just how fast
this hardware support will make things. My understanding is that the
next generation AMD CPUs (Bulldozer) will also support these instructions.

eric

[1]
http://software.intel.com/en-us/articles/carry-less-multiplication-and-its-usage-for-computing-the-gcm-mode/
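The following is an added example and not code from either poster or from the Intel article above. It shows, in pure Python, the carry-less-multiply-then-reduce structure that PCLMULQDQ accelerates for GHASH (here over whole 128-bit operands rather than the 64-bit halves the instruction handles), cross-checks it against the bit-serial multiplier from the GCM specification and against the published GHASH value of GCM spec test case 2, and then answers Darren's "would it be safe?" question: once the key (and so H) is public, GHASH is linear in the message, so a second message with the same GMAC tag is a single field multiplication away. The message blocks and the difference `delta` in the last function are constructed sample values; the function names are this example's own.

```python
# Added example, not from the thread: a pure-Python GHASH built the way the
# PCLMULQDQ-based implementations work (carry-less multiply, then reduce
# modulo x^128 + x^7 + x^2 + x + 1), a bit-serial reference multiplier from
# the GCM specification to cross-check it, the GHASH value of GCM spec test
# case 2, and a check of why a known-key GMAC is not a hash: GHASH is linear
# in the message once H is known.

R = 0xE1 << 120           # reduction constant in GCM's bit order (spec Algorithm 1)
POLY = (1 << 128) | 0x87  # x^128 + x^7 + x^2 + x + 1 in natural (LSB = x^0) order


def reflect128(x):
    """Reverse the 128 bits of x: GCM stores the x^0 coefficient leftmost."""
    return int(format(x, "0128b")[::-1], 2)


def clmul(a, b):
    """Carry-less multiply: XOR-accumulate shifted copies, no reduction.
    Software analogue of PCLMULQDQ, but over full 128-bit operands."""
    acc = 0
    while b:
        if b & 1:
            acc ^= a
        a <<= 1
        b >>= 1
    return acc


def reduce_mod_poly(p):
    """Reduce a product of degree <= 254 modulo POLY, highest bit first."""
    for i in range(254, 127, -1):
        if (p >> i) & 1:
            p ^= POLY << (i - 128)
    return p


def gf128_mul_clmul(x, y):
    """GCM field multiply: reflect to natural order, clmul, reduce, reflect back."""
    prod = clmul(reflect128(x), reflect128(y))
    return reflect128(reduce_mod_poly(prod))


def gf128_mul_bitserial(x, y):
    """Reference multiply: Algorithm 1 of the GCM specification (McGrew, Viega)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:      # bit i of x, leftmost bit first
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash(h, blocks, mul=gf128_mul_clmul):
    """GHASH over 128-bit blocks given as ints (AAD, ciphertext, length block)."""
    y = 0
    for b in blocks:
        y = mul(y ^ b, h)
    return y


# GCM specification test case 2 (all-zero key, IV and plaintext): H = AES_K(0),
# C = the single ciphertext block, length block = len(A)=0 || len(C)=128 bits.
# These values and the expected GHASH are published test-vector values.
H_TC2 = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
C_TC2 = 0x0388DACE60B6A392F328C2B971B2FE78
LEN_TC2 = (0 << 64) | 128
GHASH_TC2 = 0xF38CBB1AD69223DCC3457AE5B6B0F885


def check_test_vector():
    """True when both multipliers reproduce the published GHASH value."""
    return (ghash(H_TC2, [C_TC2, LEN_TC2]) == GHASH_TC2 and
            ghash(H_TC2, [C_TC2, LEN_TC2], gf128_mul_bitserial) == GHASH_TC2)


def second_message_same_ghash(h, m1, m2, delta):
    """With H public, a different 2-block message with the same GHASH.
    Over blocks (M1, M2, L): GHASH = M1*H^3 + M2*H^2 + L*H, so adding D to M1
    and D*H to M2 cancels out.  GMAC's tag is GHASH XOR E_K(J0), so the tags
    collide as well: the key must stay secret, and a known-key GMAC is not a
    collision-resistant hash."""
    return m1 ^ delta, m2 ^ gf128_mul_clmul(delta, h)


def known_key_collision_exists(h=H_TC2):
    """Constructed sample message; True when the two messages differ but
    share a GHASH value."""
    m1 = 0x00112233445566778899AABBCCDDEEFF      # constructed block 1
    m2 = 0x0F1E2D3C4B5A69788796A5B4C3D2E1F0      # constructed block 2
    length_block = (0 << 64) | 256               # len(A)=0, len(C)=2 blocks
    n1, n2 = second_message_same_ghash(h, m1, m2, delta=0x1234)
    return ((n1, n2) != (m1, m2) and
            ghash(h, [m1, m2, length_block]) == ghash(h, [n1, n2, length_block]))


if __name__ == "__main__":
    print("GCM test case 2 GHASH reproduced:", check_test_vector())
    print("known-key GHASH collision exists:", known_key_collision_exists())
```

The reflect/clmul/reduce path is the structure a PCLMULQDQ implementation has to follow (Intel's article splits the product into 64-bit partial products and uses a shifted polynomial to avoid the reflections, but the field arithmetic is the same); the bit-serial routine is only there as an independent check. The last function is the caveat for the original question: GMAC's security as a hash-like primitive rests entirely on H being secret, so a well-known key turns it into a linear checksum over GF(2^128).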

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
