Maamoun TK <maamoun...@googlemail.com> writes:

> subkey 'H' value is calculated by enciphering (usually using AES) a
> sequence of ZERO data, then gcm_set_key() assigns the calculated value
> (subkey 'H') at the middle of TABLE array, that is TABLE[80],

And the reason for it being stored in the *middle* is the "unnatural"
gcm bitorder. The C implementation uses the table for the gcm
multiplication, using 8 bits at a time from one of the inputs as the
table index. Conceptually, the H value belongs at index 1 in the table,
0000 0001 in binary, but in gcm's opposite bitorder world, that
corresponds to 1000 0000.

If I remember correctly, the implementation using 8 bit indexing,
including the table layout, closely follows the original gcm papers.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
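
The table layout described in the reply above, as an added example that is not part of the original message and is not Nettle's source: a 256-entry table with H at index 0x80, filled by doubling and XOR, and checked against a bit-at-a-time multiply. The names (blk, mulx, xor2, build_table, mul_table, mul_bitwise) and the H and X bytes are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
typedef struct { uint8_t b[16]; } blk;
/* Multiply by x in GCM bit order: shift right one bit, reduce with 0xE1. */
static blk mulx(blk v) {
    uint8_t carry = v.b[15] & 1;
    for (int i = 15; i > 0; i--)
        v.b[i] = (uint8_t)((v.b[i] >> 1) | (v.b[i - 1] << 7));
    v.b[0] = (uint8_t)((v.b[0] >> 1) ^ (carry ? 0xE1 : 0));
    return v;
}
static blk xor2(blk a, blk b) {
    for (int i = 0; i < 16; i++) a.b[i] ^= b.b[i];
    return a;
}

/* t[idx] = idx * H. The field's "1" is the byte 0x80, so H sits at t[0x80]. */
void build_table(blk t[256], blk h) {
    memset(&t[0], 0, sizeof t[0]);
    t[0x80] = h;
    for (int i = 0x40; i > 0; i >>= 1) t[i] = mulx(t[2 * i]); /* H*x .. H*x^7 */
    for (int i = 2; i < 256; i *= 2)                          /* rest by XOR */
        for (int j = 1; j < i; j++) t[i + j] = xor2(t[i], t[j]);
}
/* X*H with one table lookup per input byte (Horner, last byte first). */
blk mul_table(const blk t[256], blk x) {
    blk z = {{0}};
    for (int i = 15; i >= 0; i--) {
        for (int k = 0; k < 8; k++) z = mulx(z);              /* z *= x^8 */
        z = xor2(z, t[x.b[i]]);
    }
    return z;
}
/* Bit-at-a-time reference product, most significant bit of byte 0 first. */
blk mul_bitwise(blk x, blk h) {
    blk z = {{0}};
    for (int i = 0; i < 128; i++) {
        if (x.b[i / 8] & (0x80 >> (i % 8))) z = xor2(z, h);
        h = mulx(h);
    }
    return z;
}

int main(void) {   /* constructed sample H and X, not real AES output */
    static blk t[256]; blk h, x;
    for (int i = 0; i < 16; i++) { h.b[i] = (uint8_t)(0x66 + 37 * i); x.b[i] = (uint8_t)(91 * i + 3); }
    build_table(t, h);
    blk a = mul_table(t, x), b = mul_bitwise(x, h);
    return !(memcmp(a.b, b.b, 16) == 0 && memcmp(t[0x80].b, h.b, 16) == 0);
}
```

The program exits with status 0 when the table-driven and bitwise products agree and t[0x80] equals H.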