Possibly incorrect counter overflow handling for AES-GCM

NIIBE Yutaka gniibe at fsij.org
Tue Jan 30 12:21:04 CET 2018

Clemens.Lang at bmw.de wrote:
> Note that you will also have to use the same key K to trigger the behavior. This is because the initial counter value J_0 is calculated from the given IV using the GHASH function, which uses the hash subkey H = CIPH_K(0^128).
> Just for the record, I tested this with 1.8.2 and 1.7.6.

Ah, I see.  I created a ticket:


I was naively read your previous message which addressed section 7.1,
algorithm 4, step 3 of the document.  It is actually section 6.5,
algorithm 3, step 5, which matters.

I'll create a test case in libgcrypt/tests/ and fix.

Since I'm going to travel, it will be next week.

More information about the Gcrypt-devel mailing list