**Note:** This ballot was opened for revision 00 and is now closed.

**Ballot question:** "Is this the correct conflict review response?"

Thank you to the authors for making this algorithm available in English! I believe there is sufficient detail included that I could implement the algorithm on top of the block cipher primitive (though I did not, and did not verify the test vectors). I only have some minor nit-level editorial comments about the document; no response to them is expected. NITS Section 3 (x) the transformation that maps two strings X = (x_{n-1}, ... , x_0) in V_n and Y = (y_{n-1}, ... , y_0) in V_n into the string Z = X (x) Y = (z_{n-1}, ... , z_0) in V_n; the string Z corresponds to the polynomial Z(w) = z_{n-1} * w^{n-1} + ... + z_1 * w + z_0 which is a result of the polynomials X(w) = x_{n-1} * w^{n-1} + ... + x_1 * w + x_0 and Y(w) = y_{n-1} * w^{n-1} + ... + y_1 * w + y_0 multiplication in the field GF(2^n), where n is the block size of the used block cipher; I think we want "which is the result of multiplying the polynomials X(w) [...] and Y(w) [...] in the field GF(2^n)" Section 4.1 In a very pedantic sense, the definitions for the decompositions of A and P into components is not properly defined for the case when there is less than a complete block of input, since the breakdowns assume there will be an A_1 (respectively, P_1) and equivalently that h-1 and q-1 are valid indices in the 1-indexed system. But it seems unlikely that anyone will actually be confused by the current formulation and I don't recommend any change. (Similarly for the decryption inputs.) can provide a string A of zero length. The length of the associated data A and of the plaintext P MUST be such that 0 < |A| + |P| < 2^{n/2}. It might be worth giving some reasoning for why it's forbidden to have an empty plaintext (with no additional data), since in some protocols it is useful to have an explicit authenticated "empty message" sentinel. Section 4.2 There's a little skew between the definition of A in §4.1 and here. The definite article looks fine to use here since there is a definite AAD associated with a given ciphertext, but the explicit condition "if |A| > 0, then" may be worth keeping. (Similarly for "If |C| > 0, then [...]".) 5. The authenticated tag T in V_S. Should this be "authenticated" or "authentication"? Section 5 I think "inverse-free" should be hyphenated in all instances. Availability of precomputations for the MGM means the possibility to calculate H_i and E_K(Y_i) even before data is retrieved. It is holds due to again the usage of counters for calculating them. s/It is holds due to again/It holds again due to/ Section 6 (side note) I expect the focus of new IETF work to be on nonce-misuse-resistant modes, but that in no way detracts from the value of having the MGM reference available in this form. I wonder if it is worth reiterating the requirement that |A| < 2^{n/2} and |P| < 2^{n/2} along with description of what fails if the limit is exceeded.