GHASH: universal hash over GF(2^128) used by AES-GCM for message authentication (i.e. GMAC).
The implementation of GHASH found in this crate internally uses the
polyval crate, which provides a similar universal hash function used by
AES-GCM-SIV (RFC 8452).
By implementing GHASH in terms of POLYVAL, the two universal hash functions
can share a common core, meaning any optimization work (e.g. CPU-specific
SIMD implementations) which happens upstream in the polyval crate
benefits GHASH as well.
From RFC 8452 Appendix A: https://tools.ietf.org/html/rfc8452#appendix-A
GHASH and POLYVAL both operate in GF(2^128), although with different irreducible polynomials: POLYVAL works modulo x^128 + x^127 + x^126 + x^121 + 1 and GHASH works modulo x^128 + x^7 + x^2 + x + 1. Note that these irreducible polynomials are the "reverse" of each other.
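The relationship quoted above can be checked without either crate. The following is an added example, not code from this crate or from polyval: it implements both field multiplications bit by bit on u128 values and derives GHASH from POLYVAL with the Appendix A identity GHASH(H, X_1, ..., X_n) = ByteReverse(POLYVAL(mulX_POLYVAL(ByteReverse(H)), ByteReverse(X_1), ..., ByteReverse(X_n))). All function and constant names are this example's own, and the bitwise loops are not constant-time, so they serve to check the math only.

```rust
const R_GHASH: u128 = 0xe1u128 << 120; // x^7 + x^2 + x + 1 in GHASH's reflected bit order
const R_POLYVAL: u128 = (1u128 << 127) | (1u128 << 126) | (1u128 << 121) | 1;
const X_NEG_128: u128 = (1u128 << 127) | (1u128 << 124) | (1u128 << 121) | (1u128 << 114) | 1;

/// GHASH field multiply (NIST SP 800-38D); operands are from_be_bytes, so bit 127 = x^0.
fn gmul(x: u128, y: u128) -> u128 {
    let (mut z, mut v) = (0u128, y);
    for i in (0..128).rev() {
        if (x >> i) & 1 == 1 { z ^= v; }
        v = (v >> 1) ^ if v & 1 == 1 { R_GHASH } else { 0 };
    }
    z
}

/// Multiply by x in the POLYVAL field; operands are from_le_bytes, so bit 0 = x^0.
fn mulx_polyval(v: u128) -> u128 { (v << 1) ^ if v >> 127 == 1 { R_POLYVAL } else { 0 } }
/// Full multiply in the POLYVAL field by shift-and-add.
fn pmul(a: u128, b: u128) -> u128 {
    let (mut z, mut v) = (0u128, b);
    for i in 0..128 {
        if (a >> i) & 1 == 1 { z ^= v; }
        v = mulx_polyval(v);
    }
    z
}

fn ghash(h: [u8; 16], blocks: &[[u8; 16]]) -> [u8; 16] {
    let h = u128::from_be_bytes(h);
    blocks.iter().fold(0u128, |y, x| gmul(y ^ u128::from_be_bytes(*x), h)).to_be_bytes()
}
fn polyval(h: [u8; 16], blocks: &[[u8; 16]]) -> [u8; 16] {
    let h = u128::from_le_bytes(h);
    let dot = |a, b| pmul(pmul(a, b), X_NEG_128); // RFC 8452: dot(a, b) = a * b * x^-128
    blocks.iter().fold(0u128, |s, x| dot(s ^ u128::from_le_bytes(*x), h)).to_le_bytes()
}
fn rev(mut b: [u8; 16]) -> [u8; 16] { b.reverse(); b }

/// RFC 8452 Appendix A: GHASH(H, X..) = rev(POLYVAL(mulX_POLYVAL(rev(H)), rev(X)..)).
fn ghash_via_polyval(h: [u8; 16], blocks: &[[u8; 16]]) -> [u8; 16] {
    let key = mulx_polyval(u128::from_le_bytes(rev(h))).to_le_bytes();
    rev(polyval(key, &blocks.iter().map(|b| rev(*b)).collect::<Vec<_>>()))
}

fn main() {
    // H, X_1, X_2 are the worked-example inputs from RFC 8452 Appendix A.
    let h = 0x25629347589242761d31f826ba4b757b_u128.to_be_bytes();
    let x1 = 0x4f4f95668c83dfb6401762bb2d01a262_u128.to_be_bytes();
    let x2 = 0xd1a24ddd2721d006bbe45f20d3c9f362_u128.to_be_bytes();
    assert_eq!(ghash(h, &[x1, x2]), ghash_via_polyval(h, &[x1, x2]));
}
```

Note that the same shift constant (0xe1 in the top byte) serves as GHASH's multiply-by-x reduction and as POLYVAL's x^-1, which is the "reverse" polynomial relationship in bit form.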
GHASH: universal hash over GF(2^128) used by AES-GCM.
GHASH blocks (16 bytes)
GHASH keys (16 bytes)
GHASH tags (16 bytes)