On Fri, 2007-10-19 at 23:03 +0300, Mikko Herranen wrote:
> (Here's a copy of a message I posted yesterday on the 'wrong' crypto
> list. Sorry for any inconvenience this may have caused to those who
> were cc'd.)
>
>
> Hello,
>
> We've been wondering about a slight compatibility glitch between
> CTR and GCM with Joy Latten. As CTR and GCM are very similar, the
> way to go with GCM is obviously to implement it on top of CTR.
> The problem is that CTR and GCM use different counter portion
> values for the first encrypted plaintext block. (They both start
> at 1 but GCM uses the first value for authentication.)
>
> How to communicate the different value to CTR? The best way seems to be
> to spawn CTR as ctr(alg,0,16) in GCM and pass the contents
> of the entire counter block in the IV. But then the size of the
> counter portion will be set to 0 in CTR. We could modify CTR to
> set the size of the counter portion to blocksize whenever
> ivsize == blocksize. Or we could introduce an additional template
> parameter for specifying the counter portion size. The former is
> the easiest way to go if embedding a bit of GCM-specific code
> inside CTR module is not a problem. Any opinions on this?

I think the change to CTR would be simple.
If noncesize + ivsize == blocksize, then use entire counterblock
as counter and pass to ctr_inc_quad().

Currently, we just fail if noncesize + ivsize == blocksize.

Let me know if this sounds ok, and I will code it.

Regards,
Joy
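
The counter-block mismatch discussed in this thread, as an added example that is not part of the original messages and is not kernel code. All function names are hypothetical; it assumes a 96-bit GCM IV, a big-endian 32-bit counter in the last four bytes, and sample IV bytes constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BLOCKSIZE 16

/* Big-endian increment of the last 32 bits of the counter block. */
static void inc32(uint8_t blk[BLOCKSIZE])
{
    for (int i = BLOCKSIZE - 1; i >= BLOCKSIZE - 4; i--)
        if (++blk[i] != 0)
            break;
}

/* Read the last 32 bits of the block as a big-endian counter value. */
static uint32_t counter_of(const uint8_t blk[BLOCKSIZE])
{
    return (uint32_t)blk[12] << 24 | blk[13] << 16 | blk[14] << 8 | blk[15];
}

/* Hypothetical model of ctr(alg,noncesize,ivsize) setup; -1 on bad sizes. */
static int ctr_init_block(uint8_t blk[BLOCKSIZE], const uint8_t *nonce,
                          size_t noncesize, const uint8_t *iv, size_t ivsize)
{
    if (noncesize + ivsize > BLOCKSIZE)
        return -1;
    memset(blk, 0, BLOCKSIZE);
    if (noncesize) memcpy(blk, nonce, noncesize);
    memcpy(blk + noncesize, iv, ivsize);
    /* Sizes below blocksize: CTR owns the counter portion and starts at 1.
     * Sizes equal to blocksize: the IV already is the whole counter block. */
    if (noncesize + ivsize < BLOCKSIZE)
        blk[BLOCKSIZE - 1] = 1;
    return 0;
}

/* GCM, 96-bit IV: IV||1 is kept for the tag, data starts at the next value. */
static int gcm_first_data_block(uint8_t blk[BLOCKSIZE], const uint8_t iv96[12])
{
    uint8_t j0[BLOCKSIZE] = {0};
    memcpy(j0, iv96, 12);
    j0[BLOCKSIZE - 1] = 1;
    inc32(j0);
    return ctr_init_block(blk, NULL, 0, j0, BLOCKSIZE); /* ctr(alg,0,16) */
}

int main(void)
{
    uint8_t iv[12] = {0xca, 0xfe, 0xba, 0xbe, 1, 2, 3, 4, 5, 6, 7, 8}, a[16], b[16];
    ctr_init_block(a, iv, 4, iv + 4, 8);   /* nonce 4 + iv 8: counter = 1 */
    gcm_first_data_block(b, iv);           /* full block as IV: counter = 2 */
    printf("ctr starts at %u, gcm data starts at %u\n", counter_of(a), counter_of(b));
}
```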