# Block Cipher Modes

### GCM 要注意的小地方

NIST manual

#### 是 little endian

The convention for interpreting strings as polynomials is "little endian":

i.e., if u is the variable of the polynomial, then the block $x_0x_1 \cdots x_{127}$ corresponds to the polynomial $x_0 + x_1 u + x_2 u^2 + \cdots + x_{127} u^{127}$

NIST manual page 12

#### H 從哪來

The hash subkey, denoted H, is generated by applying the block cipher to the "zero" block

NIST manual page 10

$H = e_k(0)$

#### Galois Field 用到的 reduction modulus

Let R be the bit string $11100001 \ || \ 0^{120}$

NIST manual page 11

The reduction modulus is the polynomial of degree 128 that corresponds to $R \ || \ 1$

NIST manual page 12