
NIST SP 800-38D Rev. 1 (Initial Preliminary Draft)

Pre-Draft Call for Comments: GCM and GMAC Block Cipher Modes of Operation

Date Published: January 6, 2025
Comments Due: March 14, 2025
Email Comments to: ciphermodes@nist.gov

Author(s)

National Institute of Standards and Technology

Announcement

Summary

In March 2024, NIST announced its intention to revise NIST Special Publication (SP) 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC (2007). See NIST’s Crypto Publication Review Project site for information about the review.

NIST requests public input on whether to specify variants of GCM that improve its suitability for today’s highest throughput applications. Two approaches are outlined in this announcement:

  1. Adapting GCM to the eventual approval of a block cipher with 256-bit blocks and
  2. Explicitly endorsing a suitable nonce-key generation method.

NIST requests public comments on whether to pursue one or both approaches. Comments may be submitted to ciphermodes@nist.gov by March 14, 2025, with the Subject “Comments on SP 800-38D.” Comments received in response to this request will be posted on this page after the due date. Submitters' names and affiliations (when provided) will be included, while contact information will be removed.

Details

Although GCM provides attractive performance in many respects, the number of invocations is limited to 2^32 if the random nonce generation method is employed. Applications with sufficiently many invocations may, therefore, require frequent rekeying. This limitation was highlighted as a significant problem by participants at both recent public workshops on block cipher modes of operation. As discussed at the workshops, there are two approaches for addressing this need relatively quickly.

The first approach would be to develop a variant of GCM for a block cipher with 256-bit blocks, such as Rijndael-256, which NIST has proposed for eventual standardization. Such a variant could be a straightforward generalization of the GCM design in which the sizes of the nonce and counter fields are doubled. In this case, the invocation limit for random nonce generation could be set much higher. For example, a limit of 2^64 invocations would ensure a negligible probability of nonce repetition (about 2^-64).
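The invocation limits above follow from the birthday bound on random nonces: with q uniformly random nonces of n bits, the probability that some pair coincides is at most q(q-1)/2^(n+1). The following Go program, an added illustration and not part of NIST's announcement, evaluates that bound for GCM's current 96-bit nonce at 2^32 invocations and for a doubled 192-bit nonce at 2^64 invocations, and inverts it to show how many invocations a given nonce size tolerates for a target collision probability. The function names and the target probabilities are the example's own choices; the bound itself is the standard estimate rather than a figure taken from the page.

```go
package main

import (
	"fmt"
	"math"
)

// collisionBound returns an upper bound on the probability that at least two of
// q = 2^log2Invocations uniformly random nonces of nonceBits bits coincide, using
// q(q-1)/2^(n+1) <= q^2/2^(n+1) = 2^(2*log2q - n - 1). Working in log2 space keeps
// q = 2^64 representable without big integers.
func collisionBound(log2Invocations, nonceBits float64) float64 {
	return math.Exp2(2*log2Invocations - nonceBits - 1)
}

// maxInvocationsLog2 inverts the bound: the largest log2(q) for which the collision
// probability stays at or below 2^targetLog2 (targetLog2 is negative, e.g. -32).
func maxInvocationsLog2(nonceBits, targetLog2 float64) float64 {
	// 2*log2q - n - 1 <= target  =>  log2q <= (target + n + 1) / 2
	return (targetLog2 + nonceBits + 1) / 2
}

func main() {
	// Current GCM: 96-bit random nonces, 2^32 invocations.
	fmt.Printf("96-bit nonce,  2^32 invocations: collision probability <= 2^%.0f\n",
		math.Log2(collisionBound(32, 96)))
	// Doubled nonce field (256-bit block cipher variant): 192-bit nonces, 2^64 invocations.
	fmt.Printf("192-bit nonce, 2^64 invocations: collision probability <= 2^%.0f\n",
		math.Log2(collisionBound(64, 192)))
	// How many invocations each nonce size tolerates for a chosen target probability.
	fmt.Printf("96-bit nonce,  target 2^-32: up to about 2^%.1f invocations\n",
		maxInvocationsLog2(96, -32))
	fmt.Printf("192-bit nonce, target 2^-64: up to about 2^%.1f invocations\n",
		maxInvocationsLog2(192, -64))
}
```

The 192-bit case evaluates to 2^-65, within a factor of two of the "about 2^-64" quoted above; the inverse calculation shows that holding the collision probability at 2^-32 with 96-bit nonces allows roughly 2^32 invocations, which is the origin of the current limit.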

The second approach would be to consider proposals for deriving GCM key-nonce pairs, such as AES-XGCM [1], Double Nonce Derive Key AES-GCM (DNDK-GCM) [2], XAES-256-GCM [3], or others. Such a derivation function would probably be more straightforward to approve and deploy quickly. An important consideration is whether a security reduction proof exists or could be developed quickly to help determine appropriate usage bounds.
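The key-nonce derivation proposals share one structure: an extended nonce is split into two halves, the first half is fed with the long-term key into a PRF to derive a fresh GCM key, and the second half serves as the 96-bit GCM nonce for that derived key. The Go program below, an added example that is not code from NIST or from any of the three cited proposals, shows that structure end to end on top of the standard library's AES-256-GCM. The derivation function here is a deliberately simple HMAC-SHA256 stand-in with a made-up label; XGCM, DNDK-GCM and XAES-256-GCM each specify their own AES-based derivation and input format, so this block demonstrates the architecture, not any of those specifications.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	keySize      = 32 // AES-256 key
	extNonceSize = 24 // 192-bit extended nonce: N1 (96 bits) || N2 (96 bits)
	gcmNonceSize = 12 // N2 is used directly as the GCM nonce
)

// deriveKey is a placeholder PRF: Kx = HMAC-SHA256(K, label || N1).
// The cited proposals use AES-based derivations with their own input formats;
// the label below is hypothetical and exists only for domain separation.
func deriveKey(key, n1 []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte("example-gcm-nonce-derived-key"))
	mac.Write(n1)
	return mac.Sum(nil) // 32 bytes: a fresh AES-256 key bound to this N1
}

// splitNonce checks the extended nonce length and returns (N1, N2).
func splitNonce(nonce []byte) (n1, n2 []byte, err error) {
	if len(nonce) != extNonceSize {
		return nil, nil, errors.New("extended nonce must be 24 bytes")
	}
	return nonce[:gcmNonceSize], nonce[gcmNonceSize:], nil
}

// newDerivedGCM builds an AES-256-GCM instance under the key derived from (K, N1).
func newDerivedGCM(key, n1 []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(deriveKey(key, n1))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext with aad under the extended nonce.
func Seal(key, nonce, plaintext, aad []byte) ([]byte, error) {
	n1, n2, err := splitNonce(nonce)
	if err != nil {
		return nil, err
	}
	aead, err := newDerivedGCM(key, n1)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, n2, plaintext, aad), nil
}

// Open verifies and decrypts ciphertext produced by Seal with the same key, nonce and aad.
func Open(key, nonce, ciphertext, aad []byte) ([]byte, error) {
	n1, n2, err := splitNonce(nonce)
	if err != nil {
		return nil, err
	}
	aead, err := newDerivedGCM(key, n1)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, n2, ciphertext, aad)
}

func main() {
	// Constructed sample values; a real deployment draws key and nonce from a CSPRNG.
	key := bytes.Repeat([]byte{0x11}, keySize)
	nonce := bytes.Repeat([]byte{0xA1}, extNonceSize)
	ct, err := Seal(key, nonce, []byte("sample plaintext"), []byte("sample aad"))
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, nonce, ct, []byte("sample aad"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip ok: %q\n", pt)
}
```

Two messages whose extended nonces differ only in N1 are encrypted under different derived GCM keys, so a repeated N2 by itself does not expose the authentication subkey of the long-term key; this is the property that makes the approach attractive, while the usage bounds the announcement asks about depend on the security reduction for the specific derivation function chosen.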

Another significant limitation of GCM is the potential compromise of the authentication subkey if nonces are ever repeated. Although NIST could consider developing a variant of GCM without this limitation, such a variant might have much less attractive performance. NIST envisions meeting this need with the development of an accordion mode instead. Similarly, an accordion mode would likely have less restrictive bounds on message sizes and the total number of input blocks.


*We have provided the following links because they have information that may be of interest to our users. NIST does not necessarily endorse the views expressed or the facts presented on these sites. Further, NIST does not endorse any commercial products that may be advertised or available on these sites.

[1] “Extending the AES-GCM Nonce Without Nightmare Fuel,” December 2022. Available at: https://soatok.blog/2022/12/21/extending-the-aes-gcm-nonce-without-nightmare-fuel/

[2] Shay Gueron, “Double Nonce Derive Key AES-GCM (DNDK-GCM),” October 2024. Available at: https://datatracker.ietf.org/doc/draft-gueron-cfrg-dndkgcm/00/

[3] Filippo Valsorda, “The XAES-256-GCM extended-nonce AEAD,” September 2024. Available at: https://c2sp.org/XAES-256-GCM

Document History:
01/06/25: SP 800-38D Rev. 1 (Draft)
