Does GHASH use XOR or addition?

Question

I've been looking into GHASH and some sites describe it as a polynomial:

A1*(H* *M-1)+A2*(H* *M-2)...C1*H(H* *M-N)+C2*H(H* *(M-N-1))...+len(A||C)*H+E(0)=t

while other sites replace the + with the XOR symbol, ^:

A1*(H* *M-1)^A2*(H* *M-2)...C1*H(H* *M-N)^C2*H(H* *(M-N-1))...^len(A||C)^H+E(0)=t

Which one is the correct one?

See also: https://crypto.stackexchange.com/questions/2700/galois-fields-in-cryptography — Ilmari Karonen, May 11 '18 at 16:43

score 6 · Answer 1 · answered May 11 '18 at 16:05

6

There is no difference in this context. XOR is sometimes called "carryless addition" because one bit addition mod 2 is identical to the one bit XOR operation. Multiplication is also carryless in this context.

answered May 11 '18 at 16:05

Future Security

3,313
1
8
26

1

+1 for the term "carryless addition" which isn't present in Conrado's answer (which is an identical but more detailed answer). – Maarten Bodewes May 12 '18 at 01:32

score 6 · Answer 2 · edited May 12 '18 at 13:13

GHASH operates on polynomials with coefficients in the two-element finite field $\operatorname{GF}(2)$ (which you can interpret as numbers modulo 2). Each coefficient is represented as a bit.

To add two of these polynomials you just need to add each pair of coefficients. Addition in $\operatorname{GF}(2)$ is the same as addition modulo 2, which is the same as xor. Therefore, to add two of these polynomials, you just need to compute the xor of their representations; that's why both "+" and "^" are used for the same operation.

Does GHASH use XOR or addition?

2 Answers2