The GCM spec and AES instantiation of it needs a bit of work to meet our "gold standard" for specs. This was initially flagged in discussion on #75; see that PR for more details.
Some things to review:
[ ] There's a duplicated version (AES_256_GCM.cry and AES_GCM.cry). Determine whether we can remove this duplication or improve documentation to explain why we need two versions (maybe blocked on #77)
[ ] Consider rewriting GCM.cry in terms of Cipher so that the instantiation is simpler and it can be reused for other (non-AES) block ciphers
[ ] Consider making separate modules for different key sizes (AES256_GCM and AES128_GCM)
[ ] Review parameter choices to make sure they are as tight as the NIST spec requires
[ ] Check for properties defined in the NIST spec and make sure they are explicit in the cryptol spec
[ ] GCTR: if X is empty, the return value should be the empty string
[ ] Convert into a literate spec
[ ] Add warnings in the spec and readme about failure modes that Cryptol cannot prevent (IV reuse)
[ ] Switch to using options instead of record return
[ ] Note any additional proposed changes in this issue
The GCM spec and AES instantiation of it needs a bit of work to meet our "gold standard" for specs. This was initially flagged in discussion on #75; see that PR for more details.
Some things to review:
AES_256_GCM.cry
andAES_GCM.cry
). Determine whether we can remove this duplication or improve documentation to explain why we need two versions (maybe blocked on #77)GCM.cry
in terms ofCipher
so that the instantiation is simpler and it can be reused for other (non-AES) block ciphersAES256_GCM
andAES128_GCM
)X
is empty, the return value should be the empty string