
As per my understanding, a Universal Hash Function isn't a cryptographic hash function & its output isn't uniformly distributed. However, this is still secure because it's actually a family of functions & one or more of the random inputs to the function decides which function is actually picked from the family of functions & this is what makes it secure.

However, these are the Parameters to GHASH

$GHASH(H, A, C)$ where

$H = E(K, 0^w)$

$K$ is the encryption key & it's fixed, so a new one isn't picked every time, which means $H$ is also fixed.

$A$ is the Additional Authenticated Data

$C$ is the Ciphertext

So how exactly is this a universal hashing function - what is the family & how exactly are we randomly choosing from the family?

user93353

1 Answer

Indeed $H=E_k(0)$ is used to choose from the family. This is not a problem, and here is some intuition on why.

The output of the hash function is not leaked in the clear; it is "hidden" by xoring with $E_k(iv,ctr=0)$, which is different for each encrypted message (in contrast to $H=E_k(0)$). Otherwise it would indeed be trivial to recover $H$, as the UHF is linear.

Intuitively, the property used is that for a UHF it should be hard to blindly predict the difference for any two inputs without knowing the key, even with multiple attempts, but without revealing the UHF value on each attempt.

Note that the "difference" matters here because in forgery attempts you are allowed to reuse the nonce, so guessing the right difference would suffice for a break. For example, given $$(iv,m,t),~~ t=E_k(iv,ctr=0)\oplus GHASH(m)$$ and guessing the difference $\Delta = GHASH(m)\oplus GHASH(m')$ would allow one to forge $$ (iv,m',t'),~~ t'=t\oplus \Delta=E_k(iv,ctr=0)\oplus GHASH(m'). $$

Fractalice
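To make the answer concrete, here is a small pure-Python GHASH (an added example, not code from the question, the answer or any GCM library). It implements the GF(2^128) multiplication of NIST SP 800-38D and then checks two things the answer relies on: for equal-length inputs with no AAD, GHASH is affine in the message (the length block contributes a constant term), and the difference $\Delta$ for a fixed pair of messages changes with $H$, so it is a function of the secret key $K$ via $H=E_K(0)$. The message bytes and the second key `h2` are constructed values; `h1` is the $H$ from GCM test case 2 of the GCM specification.

```python
from typing import Tuple

# Reduction constant of SP 800-38D (x^128 + x^7 + x^2 + x + 1 in GCM's bit ordering).
R = 0xE1 << 120


def gf128_mul(x: int, y: int) -> int:
    """Multiply two 128-bit blocks in GF(2^128) with GCM's bit ordering (SP 800-38D, Alg. 1)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:  # x_0 is the leftmost bit of the block
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _blocks(data: bytes):
    """Split into 16-byte blocks, zero-padding the last one (GCM's padding rule)."""
    for i in range(0, len(data), 16):
        yield int.from_bytes(data[i:i + 16].ljust(16, b"\x00"), "big")


def ghash(h: bytes, a: bytes, c: bytes) -> bytes:
    """GHASH_H(A, C): Horner evaluation over padded A, padded C and [len(A)]64 || [len(C)]64."""
    H = int.from_bytes(h, "big")
    length_block = ((len(a) * 8) << 64) | (len(c) * 8)
    y = 0
    for x in list(_blocks(a)) + list(_blocks(c)) + [length_block]:
        y = gf128_mul(y ^ x, H)
    return y.to_bytes(16, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def difference_depends_on_key(m1: bytes, m2: bytes, h1: bytes, h2: bytes) -> Tuple[bool, bool]:
    """Return (is_affine, differs_across_keys) for two equal-length messages and two keys H.

    is_affine: GHASH_H(m1) ^ GHASH_H(m2) == GHASH_H(m1 ^ m2) ^ GHASH_H(0^len), the linearity
    the answer refers to (the length block adds the constant term GHASH_H(0^len) = L * H).
    differs_across_keys: the same (m1, m2) yields a different Delta under h1 and h2, which is
    why Delta cannot be predicted without the secret H derived from K.
    """
    d1 = xor(ghash(h1, b"", m1), ghash(h1, b"", m2))
    d2 = xor(ghash(h2, b"", m1), ghash(h2, b"", m2))
    affine = d1 == xor(ghash(h1, b"", xor(m1, m2)), ghash(h1, b"", bytes(len(m1))))
    return affine, d1 != d2
```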