1

I looked through NIST's official test vectors (CAVP) for the AES-GCM mode, and noticed that there are some test vectors in there with 8-bit or 1024-bit IVs. But as far as I understand, the GCM guideline specifically insists on using 96-bit IVs.

I took a glance at the SP 800-38D and found no clear guidelines on using these kinds of IVs. Section 8.2, which is dedicated to IV construction, says:

suppose that an implementation supports IV lengths of 64 bits, 96 bits, 128 bits, and 160 bits. For 64-bit IVs the only choice is the construction in Sec. 8.2.1. For the other three IV lengths, one possible combination of choices is the construction in Sec. 8.2.1 for 96-bit IVs and the construction in Sec. 8.2.2 for 128-bit and 160-bit IVs.

And section 8.2.2 mentions RBG-based Construction, but it gives no clear guideline on how exactly we are supposed to process a 1024-bit IV. I would appreciate a clear algorithmic guide for such IVs.

Toby Speight
polfosol

1 Answer

5

The processing of non-96-bit IVs is specified in, and as part of, the GCM algorithm in section 7. And as anyone can tell, non-96-bit IVs are ultimately compressed to 96-bit, which means they're effectively 96-bit IVs, and this is why most guidelines recommend using only IVs of exactly 96 bits.

DannyNiu
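The IV processing in section 7 of SP 800-38D that the answer refers to, as an added example that is not part of the original posts: it maps an IV of any byte length to the 128-bit pre-counter block J0 that GCM then uses. The function names are chosen here, the hash subkey H = E_K(0^128) is assumed to be supplied by the caller, and only byte-aligned IVs are handled.

```python
# Added example: GCM pre-counter block J0 for any byte-aligned IV length,
# following SP 800-38D section 7.1 (Algorithm 4, step 2).
R = 0xE1 << 120  # reduction constant 11100001 || 0^120

def gf_mul(x: int, y: int) -> int:
    """Multiply two blocks in GCM's GF(2^128) (SP 800-38D Algorithm 1)."""
    z, v = 0, y
    for i in range(127, -1, -1):      # the leftmost bit of x is processed first
        if (x >> i) & 1:
            z ^= v
        v = (v >> 1) ^ (R if v & 1 else 0)
    return z

def ghash(h: bytes, data: bytes) -> bytes:
    """GHASH_H over data, whose length must be a multiple of 16 bytes."""
    if len(h) != 16 or len(data) % 16:
        raise ValueError("GHASH needs a 16-byte subkey and whole blocks")
    hk, y = int.from_bytes(h, "big"), 0
    for off in range(0, len(data), 16):
        y = gf_mul(y ^ int.from_bytes(data[off:off + 16], "big"), hk)
    return y.to_bytes(16, "big")

def pre_counter_block(h: bytes, iv: bytes) -> bytes:
    """Return J0 for hash subkey H = E_K(0^128) and an IV of any byte length."""
    if not iv:
        raise ValueError("the IV must be at least 1 bit long")
    if len(iv) == 12:                 # 96-bit IV: J0 = IV || 0^31 || 1, no GHASH
        return iv + b"\x00\x00\x00\x01"
    pad = -len(iv) % 16               # s/8: zero bytes up to a block boundary
    length = (8 * len(iv)).to_bytes(8, "big")   # [len(IV)]_64, counted in bits
    return ghash(h, iv + bytes(pad) + bytes(8) + length)

if __name__ == "__main__":
    # H and the 64-bit IV are from test case 5 of the McGrew-Viega GCM
    # specification; the 8-bit and 1024-bit IVs are constructed samples.
    h = bytes.fromhex("b83b533708bf535d0aa6e52980d53b78")
    for iv in (bytes.fromhex("cafebabefacedbad"), b"\x01", bytes(range(128))):
        print(8 * len(iv), "bit IV ->", pre_counter_block(h, iv).hex())
```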