I attach below an alternative text for the IV-collision section of
1619.1. Other than extensive editorial changes, the main algorithmic
differences are:

(a) I mandate key-transform,

(b) I explicitly describe (and mandate) the notion of an "IV sequence",
  where you generate one IV in some manner (e.g., at random) and then
  generate many others from this first one in some systematic way,

(c) I restrict the FormatSpecific field to be at most 15 bytes. Using
  a longer field means that we rely on SHA256 to be collision-resistant,
  and we really don't want to do that.

-- Shai
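The "IV sequence" notion in (b), as an added illustration that is not from the draft or the attached text: one IV is drawn at random and the rest of the sequence is derived by counter increment, and a union bound shows why sequences collide far less often than drawing every IV at random. The 96-bit IV size and the increment rule are assumptions of this example, not specifics taken from the draft.

```python
from fractions import Fraction
import os

IV_BYTES = 12  # 96-bit IVs; an assumption of this example, not a 1619.1 value


def iv_sequence(first_iv: bytes, count: int) -> list[bytes]:
    """Derive `count` IVs from `first_iv` by counter increment mod 2^n.

    Only the first IV needs fresh randomness; IV_i = first_iv + i mod 2^n.
    """
    n_bits = 8 * len(first_iv)
    if not 1 <= count <= 2 ** n_bits:
        raise ValueError("sequence length must fit the IV space")
    start = int.from_bytes(first_iv, "big")
    return [((start + i) % (2 ** n_bits)).to_bytes(len(first_iv), "big")
            for i in range(count)]


def sequences_overlap(a: bytes, b: bytes, length: int) -> bool:
    """True if the `length`-long counter windows starting at IVs a and b
    share at least one IV (the IV space is treated as a ring of size 2^n)."""
    n = 2 ** (8 * len(a))
    d = (int.from_bytes(b, "big") - int.from_bytes(a, "big")) % n
    return d < length or n - d < length


def sequence_collision_bound(num_sequences: int, seq_len: int,
                             n_bits: int) -> Fraction:
    """Union bound on some pair of `num_sequences` random-start sequences of
    `seq_len` IVs overlapping: a second start lands in a window of 2L-1
    positions out of 2^n, so P <= pairs * (2L-1) / 2^n."""
    pairs = num_sequences * (num_sequences - 1) // 2
    return Fraction(pairs * (2 * seq_len - 1), 2 ** n_bits)


def random_iv_collision_bound(num_ivs: int, n_bits: int) -> Fraction:
    """Birthday union bound when every IV is drawn independently at random."""
    pairs = num_ivs * (num_ivs - 1) // 2
    return Fraction(pairs, 2 ** n_bits)


if __name__ == "__main__":
    seq = iv_sequence(os.urandom(IV_BYTES), 4)   # one random draw, four IVs
    print([iv.hex() for iv in seq])
    # 2^20 sequences of 2^20 IVs versus 2^40 independent random IVs
    print(float(sequence_collision_bound(2 ** 20, 2 ** 20, 96)))
    print(float(random_iv_collision_bound(2 ** 40, 96)))
```

Because the increment rule is public, the sequence provides no secrecy, only uniqueness; the bound depends on the number of sequences and their length, so both must be capped per key.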

Attachment: P1619.1.sec6.doc
Description: MS-Word document