AES GCM mode - what is ouput in that scheme?


I'm trying to understand that scheme:


Here on page 11 it looks like GHASH gives only one value "Return $Y_m$":

After hashing several subsequent blocks. It makes no sense to me. If I understand it well, every GF128_mult(H) is one block of our output, right? So the stream consists of consecutive blocks GF128_mult(H). Am I right, or does it work in a different way? From the scheme above it looks like our result (all bits generated for the stream) is just the "tag", which seems not to be true.

Or maybe this is how it works? We convert all input blocks into one 128-bit tag? And send it as the ciphered message? Then to send any amount of data, we just need a 128-bit block? I don't think it works that way; then it would not be possible to decrypt it.


The ciphertext block $k$ is obtained by blockwise XOR of the output block $k$ with the plaintext block $k$ [happens in the middle layer of the diagram] for $k=1,2,\ldots,\textrm{len}.$ The ciphertexts are chained together using the GF128_mult mechanism to generate a single authentication tag at the end which is also transmitted. Like in normal counter mode, blocks are numbered sequentially, and then this block number is combined with an initialization vector (IV) and encrypted with a block cipher E, usually AES. The result of this encryption is then XORed with the plaintext to produce the ciphertext. Like all counter modes, this is essentially a stream cipher, and so it is essential that a different IV is used for each stream that is encrypted.

The ciphertext blocks are considered coefficients of a polynomial which is then evaluated at a key-dependent point H, using finite field arithmetic. The result is then encrypted, producing an authentication tag that can be used to verify the integrity of the data. The encrypted text then contains the IV, ciphertext, and authentication tag.
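To make the two layers of the answer concrete, here is an added example (not code from the question or the answer above): a small GCM skeleton in which the CTR layer produces one ciphertext block per plaintext block, while GHASH folds every ciphertext block into a single 128-bit accumulator that is then XORed with E_K(J0) to give the tag. The block cipher is passed in as a function. To keep the file runnable without an AES library, the stand-in `aes_zero_key_stub` is a lookup table holding the three AES-128 outputs (all-zero key) from test case 2 of the McGrew/Viega GCM specification; the function and table names are this example's own, and the code only handles 96-bit IVs.

```python
"""
Added example: minimal GCM (CTR layer + GHASH layer) with an injected block
cipher.  The stub cipher below only knows the three inputs used by GCM
specification test case 2 (all-zero key, all-zero 96-bit IV, one zero
plaintext block); swap in a real AES-128 and the rest works unchanged.
"""
import hmac
import struct
from typing import Callable, Dict, Iterator, Tuple

BLOCK = 16
R = 0xE1 << 120  # x^128 + x^7 + x^2 + x + 1 in GCM's reflected bit order
BlockCipher = Callable[[bytes], bytes]


def gf128_mult(x: int, y: int) -> int:
    """Multiply two elements of GF(2^128) in the bit order GCM uses
    (bit 0 is the most significant bit of the first byte)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _padded_blocks(data: bytes) -> Iterator[int]:
    """Split data into 16-byte blocks, zero-padding the last one."""
    for i in range(0, len(data), BLOCK):
        yield int.from_bytes(data[i:i + BLOCK].ljust(BLOCK, b"\x00"), "big")


def ghash(h: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """Evaluate the GHASH polynomial at H.  Every AAD and ciphertext block is
    folded into the same accumulator, so the result is one block, not a stream."""
    hi = int.from_bytes(h, "big")
    y = 0
    for blk in list(_padded_blocks(aad)) + list(_padded_blocks(ciphertext)):
        y = gf128_mult(y ^ blk, hi)
    length_block = struct.pack(">QQ", len(aad) * 8, len(ciphertext) * 8)
    y = gf128_mult(y ^ int.from_bytes(length_block, "big"), hi)
    return y.to_bytes(BLOCK, "big")


def _inc32(counter: bytes) -> bytes:
    """Increment the low 32 bits of the counter block, as GCM's CTR layer does."""
    n = (int.from_bytes(counter[12:], "big") + 1) & 0xFFFFFFFF
    return counter[:12] + n.to_bytes(4, "big")


def _ctr(E: BlockCipher, j0: bytes, data: bytes) -> bytes:
    """CTR layer: block k of the output is data block k XOR E(inc32^k(J0))."""
    out = bytearray()
    counter = j0
    for i in range(0, len(data), BLOCK):
        counter = _inc32(counter)
        keystream = E(counter)
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], keystream))
    return bytes(out)


def gcm_encrypt(E: BlockCipher, iv: bytes, plaintext: bytes, aad: bytes = b"") -> Tuple[bytes, bytes]:
    assert len(iv) == 12, "example only handles 96-bit IVs"
    h = E(bytes(BLOCK))                      # H = E_K(0^128)
    j0 = iv + b"\x00\x00\x00\x01"            # J0 = IV || 0^31 || 1
    ciphertext = _ctr(E, j0, plaintext)      # same length as the plaintext
    s = ghash(h, aad, ciphertext)            # single block
    tag = bytes(a ^ b for a, b in zip(s, E(j0)))  # T = GHASH xor E_K(J0)
    return ciphertext, tag


def gcm_decrypt(E: BlockCipher, iv: bytes, ciphertext: bytes, tag: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag first (constant-time compare), then undo the CTR layer."""
    h = E(bytes(BLOCK))
    j0 = iv + b"\x00\x00\x00\x01"
    expected = bytes(a ^ b for a, b in zip(ghash(h, aad, ciphertext), E(j0)))
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication tag mismatch")
    return _ctr(E, j0, ciphertext)


# Constructed stand-in for AES-128 under the all-zero key: the three values
# below are the AES outputs listed in GCM specification test case 2.
_AES_ZERO_KEY_OUTPUTS: Dict[bytes, bytes] = {
    bytes(16): bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e"),           # H
    bytes(15) + b"\x01": bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a"),  # E(J0)
    bytes(15) + b"\x02": bytes.fromhex("0388dace60b6a392f328c2b971b2fe78"),  # keystream block 1
}


def aes_zero_key_stub(block: bytes) -> bytes:
    try:
        return _AES_ZERO_KEY_OUTPUTS[block]
    except KeyError:
        raise ValueError("stub cipher: input not in the test-vector table") from None


def spec_test_case_2() -> Tuple[str, str]:
    """Zero key, 12 zero-byte IV, one zero plaintext block: returns (ciphertext, tag) as hex."""
    ct, tag = gcm_encrypt(aes_zero_key_stub, bytes(12), bytes(16))
    return ct.hex(), tag.hex()


if __name__ == "__main__":
    print(spec_test_case_2())
```

Running it reproduces the specification's test case 2: a 16-byte ciphertext `0388dace60b6a392f328c2b971b2fe78` plus the 16-byte tag `ab6e47d42cec13bdf53a67b21257bddf`. The ciphertext grows with the plaintext; the tag stays one block however much data is hashed, which is exactly the "Return Y_m" in the GHASH figure.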

Tom (comment): So what I saw in this scheme was right. It produces only one block, the authentication tag. And if I remember right, CTR mode ciphertexts are made in the same way as in GCM; the only difference here is GHASH for the authentication tag.
