Keyed cryptographic (MAC)

GMAC

Galois Message Authentication Code , the standalone MAC variant of GCM (Galois/Counter Mode). Standardized by NIST in SP 800-38D (2007). Polynomial evaluation in GF(2¹²⁸) with the GHASH function, masked by an AES encryption of the nonce. Very fast on modern CPUs with AES-NI + CLMUL.

How it works

GMAC is “GCM without the encryption”: the data is interpreted as coefficients of a polynomial over GF(2¹²⁸), evaluated at a hash subkey H = AES_K(0). The result is masked with AES_K(nonce ‖ 1) to produce the tag. Effectively GHASH wrapped with AES-CTR-style masking.

At a glance

Where it is used

• AES-GCM in TLS 1.2 and 1.3 , GHASH is the authenticator.
• IPsec ESP-GCM , per-packet authenticator.
• SSH AES-GCM ciphers.
• Standalone GMAC , for authenticated-but-not-encrypted contexts.

The nonce-reuse landmine

GMAC is fragile against nonce reuse. If the same nonce is ever used twice with the same key, an attacker can recover the hash subkeyHfrom two valid tags, then forge tags freely. This is the same hazard GCM has , and the reason AES-GCM-SIV (SIV-mode AEAD) and ChaCha20-Poly1305 with random nonces are preferred for any application where unique nonces can’t be strictly enforced.

GMAC vs Poly1305

Both are polynomial-evaluation MACs over a 128-bit field. Poly1305 uses prime modulus 2¹³⁰ − 5; GMAC uses GF(2¹²⁸). Both are similarly fast; GMAC needs hardware CLMUL to match Poly1305’s portable speed. Both have the same one-time / per-nonce key freshness requirement.

References

• NIST SP 800-38D , Recommendation for Block Cipher Modes of Operation: GCM and GMAC
• RFC 4543 , AES-GMAC for ESP and AH
• Poly1305 · CMAC