Yes, it was discussed. From my recollections it actually predated GCM.

The rationale was in the text and was edited out at the last revision. The rationale is

1) CCM has a smaller hardware and software footprint for implementations that do not need the performance of GCM.

2) A side issue (that will not be relevant for long) is that CCM is FIPS certified and GCM is still in process. There is a small possibility that when GCM comes out, there may be subtle restrictions that may or may not affect the GCM specification that we choose.



On Jan 6, 2006, at 9:05 PM, Landon Noll wrote:

We have some challenges.

The CCM spec does not allow long IVs.

Thinking out loud... If we do not want to use SHA-1, would it be
possible to K2 = E_k1(id) or K2 = E_id(k11) where k1 is the key
provided, id is a 16 byte vendor unique (or standard name) and K2
is the actual media key. This way, we don't introduce a new algorithm
into the standard? (more algorithms, more potential weaknesses).

Can we just drop CCM from the draft at this time?

I was surprised to find CCM added to the draft that
was presented at the last working group meeting.  I assume that
adding CCM was discussed before I joined the mailing list.
If so, sorry!

So, why do we need both CCM and GCM?  If someone really wants to keep
CCM, then please send out some Rationale text that would be suitable
for inclusion into the appendix.

chongo () /\oo/\
