One GCM implementation pitfall posted March 2017

If you look at Go's implementation of GCM, in particular this, you can see that the counter is set to nonce||1:

if len(nonce) == gcmStandardNonceSize {
    // Init counter to nonce||1
    copy(counter[:], nonce)
    counter[gcmBlockSize-1] = 1
}

It needs to be. Without it, the first block of keystream is the encryption of 0 if the nonce is 0 (which can happen if nonces are generated from a counter). The encryption of 0 is also... the authentication key!

Well done! You've reached the end of my post. Now you can leave a comment or read something else.

Here are some random popular articles:

- Database Encryption
- BEAST: An Explanation of the CBC Attack on TLS
- Proof of Elgamal's semantic security using a reduction to DDH
- Let's Encrypt Overview
- What are x509 certificates? RFC? ASN.1? DER?
- A New Public-Key Cryptosystem via Mersenne Numbers
- Hash-Based Signatures Part I: One-Time Signatures (OTS)

Here are some random recent articles:

- A journey into zero-knowledge proofs
- Two And A Half Coins #7 - It's time to talk about Ethereum
- An introduction to multi-party computation (videos)
- Two And A Half Coins #8 - Consensus protocols, Bitcoin, Fastpay, and Linera with Mathieu Baudet
- I talked about ZK security on the first episode of Node Guardians season 2!
- The case against slashing?
- Want to learn more about zkBitcoin? I've made some videos

One GCM implementation pitfall posted March 2017

Comments

leave a comment...

One GCM implementation pitfall posted March 2017

Comments

leave a comment...

Subscribe to the mailing list