
Re: [P1619-1] P1619.1 Recirculation ends in one week (Sunday, Nov 4, 2007)

Hi Larry,

It is possible (and has always been possible) to implement a P1619.1-compliant solution that cannot be FIPS-certified.  Even so, the intention is that (with a little planning) you could have both P1619.1 compliance and FIPS. 

We removed the NIST GCM draft (800-38D) because it is not stable enough at this point for use as a normative reference.  However, my full expectation is that when NIST releases the final 800-38D, it will be compatible with the most commonly implemented subset of P1619.1.

I expect these differences (and possibly others) between P1619.1 GCM and NIST GCM:
  1. NIST will require that the device does not return any decrypted plaintext before checking the MAC (it's optional in P1619.1).
  2. NIST may not allow the 128-bit or longer IV that P1619.1 allows.
  3. NIST may require additional documentation up and beyond what P1619.1 requires for GCM.
  4. NIST will have slightly different requirements on the ways to prevent IV-collisions.  I believe that if the IV-generation is P1619.1-compatible, it should also be NIST-compatible (but it's not yet clear whether this will be 100%).
It's impossible to say what NIST will do in the end with 800-38D, but my expectation is that they'll try not to shake the industry too hard. :)


On 10/28/07, < > wrote:
    I noticed that the reference to the NIST doc for GCM is removed.  Do we know if following this standard allows a GCM implementation to be FIPS certified or not? 
I had thought that this standard would allow FIPS compliance. Is that still the case?

From: Matt Ball [mailto:matt.ball@IEEE.ORG]
Sent: Sunday, October 28, 2007 10:09 AM
Subject: [P1619-1] P1619.1 Recirculation ends in one week (Sunday, Nov 4, 2007)

Hi P1619.1 balloting members,

Please note that the P1619.1 recirculation ballot ends in one week (Sunday, Nov 4, 2007).  No action is required if you don't want to change your vote, but it's probably worth reviewing the new draft to make sure that the changes look satisfactory.  If you decide to change your vote or want to review the latest draft, you can log into the IEEE MyBallot system at this link:

< >

-Matt Ball
SISWG chair

Matt Ball
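
Item 1 in the list of expected differences above (whether plaintext may be returned before the MAC is checked), shown as an added example that is not part of the original thread or of either standard's text. It assumes Node.js and its built-in `crypto` module with AES-256-GCM and a 96-bit IV; the key, IV, header and record are constructed values, and the function names are hypothetical.

```javascript
// Added example, not from the original thread. Key, IV, AAD and record are constructed.
const crypto = require('crypto');
const ALG = 'aes-256-gcm';
const OPTS = { authTagLength: 16 }; // 128-bit tag
function gcmEncrypt(key, iv, aad, plaintext) {
  const c = crypto.createCipheriv(ALG, key, iv, OPTS);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { ct, tag: c.getAuthTag() };
}

// Streaming decrypt: every chunk is handed to `sink` before the tag is checked.
function decryptStreaming(key, iv, aad, ct, tag, sink) {
  const d = crypto.createDecipheriv(ALG, key, iv, OPTS);
  d.setAAD(aad);
  d.setAuthTag(tag);
  for (let off = 0; off < ct.length; off += 16) {
    sink.push(d.update(ct.subarray(off, off + 16))); // unverified plaintext
  }
  try { d.final(); return true; } catch (e) { return false; }
}

// Verify-then-release: plaintext is held back until final() accepts the tag.
function decryptVerified(key, iv, aad, ct, tag) {
  const d = crypto.createDecipheriv(ALG, key, iv, OPTS);
  d.setAAD(aad);
  d.setAuthTag(tag);
  const held = d.update(ct);
  try { d.final(); } catch (e) { held.fill(0); return null; }
  return held;
}

function demo() {
  const key = Buffer.alloc(32, 0x11);
  const iv = Buffer.alloc(12, 0x22); // 96-bit IV
  const aad = Buffer.from('constructed record header');
  const record = Buffer.from('constructed record payload '.repeat(3));
  const { ct, tag } = gcmEncrypt(key, iv, aad, record);
  const tampered = Buffer.from(ct);
  tampered[0] ^= 0x01; // single bit flipped in the ciphertext
  const sink = [];
  const accepted = decryptStreaming(key, iv, aad, tampered, tag, sink);
  return {
    accepted, recordLen: record.length,
    releasedLen: Buffer.concat(sink).length,
    verifiedTampered: decryptVerified(key, iv, aad, tampered, tag),
    verifiedGood: decryptVerified(key, iv, aad, ct, tag).toString(),
  };
}
```

Calling `demo()` shows the streaming path rejecting the tampered record only after the whole record length has already reached the sink, while the verify-then-release path returns nothing for the same input.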