David-Sarah Hopwood wrote:
> Darren J Moffat wrote:
>> Zooko Wilcox-O'Hearn wrote:
>>> Have you worked out the birthday paradox consequences for a 96-bit IV?
>> GCM mode will GHASH any IV larger than 96 bits down to 96 bits anyway
>> and 96 bit is considered the "default" IV size.
>
> Note that GCM mode should never be used with an IV other than 96 bits,
> because of the weakness described in section 2.4 of
> <http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf>.
Also, section 3 of <http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/Joux_comments.pdf>
describes an attack against GCM with repeated IV when the attacker can obtain more than
one collision (but still only a small number of collisions).

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
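The two rules the thread arrives at, a 96-bit IV only and no IV ever repeated under one key, are simple to enforce in code, and the following Go program is an added example of doing so (it is not code from this thread, from ZFS crypto, or from the cited papers). It assumes Go's standard crypto/cipher GCM, whose cipher.NewGCM only accepts 12-byte nonces, and it uses the deterministic IV construction of NIST SP 800-38D (a fixed field plus a per-key invocation counter); the 32-bit/64-bit field split, the key, and the log records are constructed for the example. FindIVReuse is the defender's check: given a log of (key id, IV) pairs, it reports any IV seen twice under the same key, which is exactly the collision the Joux comments need.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// 96-bit IV: the size the thread recommends, and the only size Go's
// cipher.NewGCM accepts (other sizes need NewGCMWithNonceSize and fall
// into the GHASH-the-IV case Ferguson's section 2.4 warns about).
const gcmNonceSize = 12

// CheckIV rejects anything that is not a 96-bit GCM IV.
func CheckIV(iv []byte) error {
	if len(iv) != gcmNonceSize {
		return fmt.Errorf("gcm: IV is %d bits, must be 96", len(iv)*8)
	}
	return nil
}

// NonceCounter is the deterministic IV construction of SP 800-38D:
// a fixed field (assumed 32 bits here, e.g. a device or dataset id)
// followed by an invocation counter (assumed 64 bits). One counter per
// key, so an IV can be handed out at most once; when the counter would
// wrap, the only safe answer is to refuse and rotate the key.
type NonceCounter struct {
	Fixed     uint32
	counter   uint64
	exhausted bool
}

// Next returns a fresh 96-bit IV or an error once the counter is spent.
func (n *NonceCounter) Next() ([]byte, error) {
	if n.exhausted {
		return nil, errors.New("gcm: nonce counter exhausted, rotate the key")
	}
	iv := make([]byte, gcmNonceSize)
	binary.BigEndian.PutUint32(iv[:4], n.Fixed)
	binary.BigEndian.PutUint64(iv[4:], n.counter)
	if n.counter == ^uint64(0) {
		n.exhausted = true
	} else {
		n.counter++
	}
	return iv, nil
}

// NewAESGCM builds an AES-GCM AEAD with the standard 96-bit nonce size.
func NewAESGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with the next counter IV and returns iv || ciphertext || tag.
func Seal(aead cipher.AEAD, nc *NonceCounter, plaintext, aad []byte) ([]byte, error) {
	iv, err := nc.Next()
	if err != nil {
		return nil, err
	}
	if err := CheckIV(iv); err != nil {
		return nil, err
	}
	out := make([]byte, 0, gcmNonceSize+len(plaintext)+aead.Overhead())
	out = append(out, iv...)
	return aead.Seal(out, iv, plaintext, aad), nil
}

// Open splits off the IV and authenticates/decrypts the rest.
func Open(aead cipher.AEAD, msg, aad []byte) ([]byte, error) {
	if len(msg) < gcmNonceSize {
		return nil, errors.New("gcm: message too short")
	}
	return aead.Open(nil, msg[:gcmNonceSize], msg[gcmNonceSize:], aad)
}

// IVRecord is a (key id, IV) pair as a storage or protocol layer might log it.
type IVRecord struct{ KeyID, IVHex string }

// RecordIV builds a log record for the IV used under keyID.
func RecordIV(keyID string, iv []byte) IVRecord {
	return IVRecord{KeyID: keyID, IVHex: hex.EncodeToString(iv)}
}

// FindIVReuse returns "keyID:iv" for every record that repeats an IV already
// seen under the same key; any non-empty result is a key-rotation incident.
func FindIVReuse(records []IVRecord) []string {
	seen := map[string]bool{}
	var reused []string
	for _, r := range records {
		k := r.KeyID + ":" + r.IVHex
		if seen[k] {
			reused = append(reused, k)
		} else {
			seen[k] = true
		}
	}
	return reused
}

func main() {
	aead, err := NewAESGCM([]byte("0123456789abcdef")) // constructed demo key
	if err != nil {
		panic(err)
	}
	nc := &NonceCounter{Fixed: 7}
	msg, _ := Seal(aead, nc, []byte("zfs block"), nil)
	fmt.Printf("iv=%x ct+tag=%x\n", msg[:gcmNonceSize], msg[gcmNonceSize:])
	log := []IVRecord{RecordIV("key-1", msg[:gcmNonceSize]), RecordIV("key-1", msg[:gcmNonceSize])}
	fmt.Println("reused:", FindIVReuse(log)) // a constructed repeat, flagged
}
```

Note that the counter, not a random draw, is what makes the "never repeat" rule hold for the deterministic construction; with random 96-bit IVs the birthday bound Zooko asks about is the limit on how many messages one key may protect.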
