I wanted to put out a quick correction to this e-mail I sent on Jan 5th: The actual GMAC specification requires hashing the IV if its length does not equal exactly 96 bits. As an example, a 64-bit IV gets hashed.
Sorry for the confusion.

-Matt

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Matt Ball
Sent: Thursday, January 05, 2006 10:17 AM
To: Shai Halevi; SISWG
Subject: RE: p1619.1 document (tape), draft version 0.4

Here are a couple comments on using an arbitrarily long IV:
-----------------------------------------------------------
According to the GMAC specification here are the two ways to create Y0 (the first input into the AES engine):

Y0 = IV || 0x00000001 (if length(IV) = 96 bits)
Y0 = GHASH(H, {}, IV) (if length(IV) > 96 bits)

(practically speaking, if length(IV) < 96 bits, then zero fill until length(IV) = 96 bits)
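
Added example (not part of the original e-mails): the Y0 derivation as stated in the correction at the top of this message, hashing any IV whose length is not exactly 96 bits, shown next to the zero-fill shortcut so the mismatch for a 64-bit IV is visible. The hash subkey H is passed in rather than computed with AES; the function names and the sample H and IV values are assumptions chosen for illustration.

```python
# Y0 (first AES input) derivation for GCM/GMAC. Added illustration, names are hypothetical.

R = 0xE1 << 120  # reduction constant for x^128 + x^7 + x^2 + x + 1 in GCM bit order


def gf_mult(x: int, y: int) -> int:
    """Multiply two GF(2^128) elements in GCM's bit ordering (leftmost bit = x^0)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def ghash(h: bytes, a: bytes, c: bytes) -> bytes:
    """GHASH(H, A, C): zero-pad A and C to 128-bit blocks, then append both bit lengths."""
    def pad(b: bytes) -> bytes:
        return b + bytes(-len(b) % 16)

    data = pad(a) + pad(c) + (8 * len(a)).to_bytes(8, "big") + (8 * len(c)).to_bytes(8, "big")
    hk, y = int.from_bytes(h, "big"), 0
    for i in range(0, len(data), 16):
        y = gf_mult(y ^ int.from_bytes(data[i:i + 16], "big"), hk)
    return y.to_bytes(16, "big")


def derive_y0(h: bytes, iv: bytes) -> bytes:
    """96-bit IV: IV || 0x00000001. Any other length: GHASH(H, {}, IV)."""
    if not iv:
        raise ValueError("IV must not be empty")
    if len(iv) == 12:
        return iv + b"\x00\x00\x00\x01"
    return ghash(h, b"", iv)


def zero_filled_y0(iv: bytes) -> bytes:
    """Shortcut for a short IV: zero-fill to 96 bits, append the counter (not what GHASH gives)."""
    return iv.ljust(12, b"\x00") + b"\x00\x00\x00\x01"


if __name__ == "__main__":
    # Sample values (assumption): H and IVs chosen for illustration, not taken from this thread.
    H = bytes.fromhex("b83b533708bf535d0aa6e52980d53b78")
    for iv_hex in ("cafebabefacedbaddecaf888", "cafebabefacedbad"):
        iv = bytes.fromhex(iv_hex)
        print(len(iv) * 8, "bit IV -> Y0 =", derive_y0(H, iv).hex())
    print("zero-filled 64-bit IV ->", zero_filled_y0(bytes.fromhex("cafebabefacedbad")).hex())
```

Two implementations that disagree on the short-IV rule derive different Y0 values from the same key and IV, so tags produced by one will not verify on the other.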