Hi Everyone,
I just discovered that Morris Dworkin has recently published a NIST draft standard for GCM! Here's a link to the draft:
<http://csrc.nist.gov/publications/drafts/Draft-NIST_SP800-38D_Public_Comment.pdf>
(Please mail any comments to [EMAIL PROTECTED]. The comment period ends on June 5th, 2006, so don't wait too long.)
I plan to update the GCM reference in the next P1619.1 draft to use SP 800-38D instead of the GCM proposal, if that sounds good to everyone.
I just looked through SP 800-38D, and noticed a couple interesting points:
- The 'recommended' tag length (T) is 96 bits, although the standard allows 128 bits. (I remember that the workgroup was thinking NIST would require the full 128 bits...). I bet this was intended for IPSec.
- The Galois multiplier uses 'little endian' bit order. I forget off-hand whether this is the same as the original GCM proposal, but I can double-check.
- There is more description of the 'GMAC' mode.
- There is a section on 'Protection Against Replay of Messages'. This is more for IPSec, but it still applies somewhat to encryption of data on media.
- No test vectors! All the other SP 800-38 documents have test vectors.
Does anyone else have thoughts? I'll read through this more thoroughly later this week to see if we need to make any functional changes.
-Matt
Title: P1619.1: NIST publishes draft standard for GCM mode (SP 800-38D)
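Added example, not part of the original message or of the NIST draft: a GF(2^128) multiply and GHASH written in the bit order the message calls 'little endian', where the leftmost bit of a block is the coefficient of x^0. It is checked against test case 2 of the original GCM proposal, which also shows the 96-bit and 128-bit tags. Function names are hypothetical, and it is an assumption that the draft uses this same convention.

```python
# Added illustration; function names are hypothetical.
# Assumed convention: the leftmost bit of a 16-byte block is the x^0 coefficient.
R = 0xE1 << 120   # x^128 = 1 + x + x^2 + x^7, written in that bit order
ONE = 1 << 127    # field element "1": bytes 80 00 ... 00
X = 1 << 126      # field element "x": bytes 40 00 ... 00

def gf_mult(x: int, y: int) -> int:
    """Multiply two GF(2^128) elements held as 128-bit big-endian integers."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:   # walk x from its leftmost bit (x^0) upward
            z ^= v
        # multiply v by x: shift right, fold x^128 back in when a bit falls off
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

def ghash(h: bytes, aad: bytes, ct: bytes) -> bytes:
    """GHASH over zero-padded AAD, zero-padded ciphertext and the length block."""
    def blocks(data: bytes):
        data += b"\x00" * (-len(data) % 16)
        return [data[i:i + 16] for i in range(0, len(data), 16)]
    lengths = (8 * len(aad)).to_bytes(8, "big") + (8 * len(ct)).to_bytes(8, "big")
    hk, acc = int.from_bytes(h, "big"), 0
    for block in blocks(aad) + blocks(ct) + [lengths]:
        acc = gf_mult(acc ^ int.from_bytes(block, "big"), hk)
    return acc.to_bytes(16, "big")

def truncate_tag(full_tag: bytes, t_bits: int) -> bytes:
    """Keep the leftmost t bits of the full tag (t a multiple of 8 here)."""
    return full_tag[: t_bits // 8]

# Values from test case 2 of the original GCM proposal (all-zero key, IV, plaintext).
H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")      # E(K, 0^128)
CT = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")     # ciphertext block
EK_Y0 = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")  # E(K, Y0)

def proposal_case2_ghash() -> bytes:
    return ghash(H, b"", CT)

def proposal_case2_tag(t_bits: int) -> bytes:
    """Tag = leftmost t bits of GHASH xor E(K, Y0)."""
    full = bytes(a ^ b for a, b in zip(proposal_case2_ghash(), EK_Y0))
    return truncate_tag(full, t_bits)

if __name__ == "__main__":
    print("GHASH  :", proposal_case2_ghash().hex())
    print("T (128):", proposal_case2_tag(128).hex())
    print("T (96) :", proposal_case2_tag(96).hex())
```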