GrabYourPitchforks
commented
5 years ago For reference, this is described in the newly-published RFC 8452. We're currently in conversations with other crypto teams throughout the company as to what it might look like to get this plumbed all the way through the stack. But for now I've milestoned this to Future because I don't anticipate much progress in the immediate future.
According to @agl__, this would reduce the impact of nonce-reuse (referenced in https://github.com/dotnet/corefx/issues/7023#issuecomment-199605081), while still using hardware AES-GCM instructions.