@script3r script3r commented Dec 27, 2025

Summary

  • add DNDK-GCM (Double Nonce Derive Key AES-GCM) with 24-byte nonces and no key commitment (KC_Choice=0)
  • include the draft Appendix A2 test vector
  • add a DNDK-GCM Criterion benchmark

Context

DNDK-GCM is specified in draft-gueron-cfrg-dndkgcm (IETF Internet-Draft). It derives a fresh AES-256-GCM key from a 32-byte root key and the first 15 bytes of a 24-byte nonce, then uses the remaining 12 bytes as the GCM IV.

Implementation Notes

  • derive_key_and_iv implements Algorithm 1 with KC_Choice=0: pad nonce to 27 bytes, split head/tail, compute B0..B2, AES-256 under the root key, then XOR with X0 to form the derived key.
  • AES-GCM runs with the derived key and 12-byte IV to produce ciphertext and tag.

Testing

  • cargo test -p dndk-gcm
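The derivation steps the Implementation Notes list, as an added example that is not code from this PR or from the dndk-gcm crate's derive_key_and_iv: a Rust sketch written over a generic block-cipher trait so it builds with no external crates. AES-256 is replaced by an explicitly labelled stand-in mixing function, and the block layout B_i = head || i together with the combination (X1 xor X0) || (X2 xor X0) are assumptions read from the PR text, not quoted from draft-gueron-cfrg-dndkgcm. What the code makes visible is the "double nonce" split: two nonces sharing the first 15 bytes derive the same key and differ only in the GCM IV, while changing any byte of the head changes the derived key.

```rust
// Added example, not code from the PR or the dndk-gcm crate. It mirrors the
// derivation steps in the PR's Implementation Notes over a generic block
// cipher so it builds with no external crates. The block layout B_i = head || i
// and the combination (X1 ^ X0) || (X2 ^ X0) are ASSUMPTIONS taken from the
// PR text, not from the draft; real output must be checked against the
// Appendix A2 test vector the PR mentions.

pub type Block = [u8; 16];
pub type Key256 = [u8; 32];

/// One 16-byte block encryption under a 32-byte key. In real use this is
/// AES-256; `StandInMixer` below is a placeholder so the example runs alone.
pub trait BlockEncrypt {
    fn encrypt_block(&self, key: &Key256, block: &Block) -> Block;
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Derived {
    /// Per-nonce AES-256-GCM key.
    pub key: Key256,
    /// 12-byte GCM IV: nonce bytes 15..24 followed by the three zero pad bytes.
    pub iv: [u8; 12],
}

/// KC_Choice = 0 derivation as the PR describes it:
/// 1. pad the 24-byte nonce with three zero bytes to 27 bytes;
/// 2. head = bytes 0..15 (key-derivation input), tail = bytes 15..27 (GCM IV);
/// 3. B_i = head || i (assumed layout) for i = 0, 1, 2 and X_i = E_K(B_i);
/// 4. derived key = (X1 ^ X0) || (X2 ^ X0) (assumed combination).
pub fn dndk_derive<C: BlockEncrypt>(cipher: &C, root_key: &Key256, nonce: &[u8; 24]) -> Derived {
    let mut padded = [0u8; 27];
    padded[..24].copy_from_slice(nonce);
    let (head, tail) = padded.split_at(15);

    let mut iv = [0u8; 12];
    iv.copy_from_slice(tail);

    let x: Vec<Block> = (0u8..3)
        .map(|i| {
            let mut b = [0u8; 16];
            b[..15].copy_from_slice(head);
            b[15] = i; // assumed: counter byte in the last position
            cipher.encrypt_block(root_key, &b)
        })
        .collect();

    let mut key = [0u8; 32];
    for j in 0..16 {
        key[j] = x[1][j] ^ x[0][j];
        key[16 + j] = x[2][j] ^ x[0][j];
    }
    Derived { key, iv }
}

/// Placeholder keyed mixing function. It is NOT AES, not even a permutation,
/// and has no security value; it exists only so the example executes offline.
pub struct StandInMixer;

impl BlockEncrypt for StandInMixer {
    fn encrypt_block(&self, key: &Key256, block: &Block) -> Block {
        let mut s = *block;
        for r in 0..8 {
            for j in 0..16 {
                let k = key[(2 * j + r) % 32];
                // mix in the key byte, the previous (already updated) byte and the next byte
                s[j] = (s[j] ^ k).wrapping_add(s[(j + 15) % 16]).rotate_left(3) ^ s[(j + 1) % 16];
            }
        }
        s
    }
}

fn hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}

fn main() {
    // Constructed sample inputs, not the draft's test vector.
    let root_key: Key256 = core::array::from_fn(|i| i as u8);
    let n1: [u8; 24] = core::array::from_fn(|i| i as u8 + 1);
    let mut n2 = n1;
    n2[20] ^= 0xff; // same 15-byte head, different tail: same key, new IV
    let mut n3 = n1;
    n3[0] ^= 0x01; // different head: different derived key

    for (label, n) in [("n1", n1), ("n2", n2), ("n3", n3)] {
        let d = dndk_derive(&StandInMixer, &root_key, &n);
        println!("{label}: key={} iv={}", hex(&d.key), hex(&d.iv));
    }
}
```

To turn the sketch into a real check, implement BlockEncrypt with an actual AES-256 (for instance the RustCrypto aes crate), feed it the draft's Appendix A2 inputs and compare the derived key and IV with the vector; any disagreement points at the assumed block layout or XOR combination, which is exactly what a test vector is there to pin down.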

@script3r script3r marked this pull request as ready for review December 28, 2025 03:08