IETF conflict review for draft-smyshlyaev-mgm
conflict-review-smyshlyaev-mgm-00

Document history

Date Rev. By Action
2021-04-12
00 Amy Vezza
The following approval message was sent
From: The IESG
To: Adrian Farrel ,
    draft-smyshlyaev-mgm@ietf.org,
    rfc-ise@rfc-editor.org
Cc: IETF-Announce ,
    The IESG ,
    iana@iana.org
Subject: Results of IETF-conflict review for draft-smyshlyaev-mgm-19

The IESG has completed a review of draft-smyshlyaev-mgm-19 consistent with
RFC5742.

The IESG has no problem with the publication of 'Multilinear Galois Mode
(MGM)'  as an Informational RFC.

The IESG has concluded that there is no conflict between this document and
IETF work.

The IESG would also like the Independent Submissions Editor to review the
comments in the datatracker related to this document and determine whether or
not they merit incorporation into the document. Comments may exist in both
the ballot and the history log.

The IESG review is documented at:
https://datatracker.ietf.org/doc/conflict-review-smyshlyaev-mgm/

A URL of the reviewed Internet Draft is:
https://datatracker.ietf.org/doc/draft-smyshlyaev-mgm/

The process for such documents is described at
https://www.rfc-editor.org/indsubs.html

Thank you,

The IESG Secretary



2021-04-12
00 Amy Vezza IESG has approved the conflict review response
2021-04-12
00 Amy Vezza Closed "Approve" ballot
2021-04-12
00 Amy Vezza Conflict Review State changed to Approved No Problem - announcement sent from Approved No Problem - announcement to be sent
2021-04-08
00 Cindy Morgan Conflict Review State changed to Approved No Problem - announcement to be sent from IESG Evaluation
2021-04-08
00 Éric Vyncke [Ballot Position Update] New position, No Objection, has been recorded for Éric Vyncke
2021-04-07
00 Zaheduzzaman Sarker [Ballot Position Update] New position, No Objection, has been recorded for Zaheduzzaman Sarker
2021-04-06
00 Robert Wilton [Ballot Position Update] New position, No Objection, has been recorded for Robert Wilton
2021-04-06
00 Alvaro Retana [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana
2021-04-06
00 Francesca Palombini [Ballot Position Update] New position, No Objection, has been recorded for Francesca Palombini
2021-04-06
00 Lars Eggert [Ballot Position Update] New position, No Objection, has been recorded for Lars Eggert
2021-04-05
00 Roman Danyliw [Ballot Position Update] New position, No Objection, has been recorded for Roman Danyliw
2021-04-02
00 Martin Duke [Ballot Position Update] New position, No Objection, has been recorded for Martin Duke
2021-04-01
00 Murray Kucherawy [Ballot Position Update] New position, No Objection, has been recorded for Murray Kucherawy
2021-03-31
00 Benjamin Kaduk
[Ballot comment]
Thank you to the authors for making this algorithm available in English!
I believe there is sufficient detail included that I could implement the
algorithm on top of the block cipher primitive (though I did not, and
did not verify the test vectors).

I only have some minor nit-level editorial comments about the document;
no response to them is expected.

NITS

Section 3

  (x)    the transformation that maps two strings X = (x_{n-1}, ... ,
          x_0) in V_n and Y = (y_{n-1}, ... , y_0) in V_n into the
          string Z = X (x) Y = (z_{n-1}, ... , z_0) in V_n; the string
          Z corresponds to the polynomial Z(w) = z_{n-1} * w^{n-1} +
          ... + z_1 * w + z_0 which is a result of the polynomials X(w)
          = x_{n-1} * w^{n-1} + ... + x_1 * w + x_0 and Y(w) = y_{n-1}
          * w^{n-1} + ... + y_1 * w + y_0 multiplication in the field
          GF(2^n), where n is the block size of the used block cipher;

I think we want "which is the result of multiplying the polynomials X(w)
[...] and Y(w) [...] in the field GF(2^n)"

Section 4.1

In a very pedantic sense, the definitions for the decompositions of A
and P into components are not properly defined for the case when there is
less than a complete block of input, since the breakdowns assume there
will be an A_1 (respectively, P_1) and equivalently that h-1 and q-1 are
valid indices in the 1-indexed system.  But it seems unlikely that
anyone will actually be confused by the current formulation and I don't
recommend any change.

(Similarly for the decryption inputs.)

  can provide a string A of zero length.  The length of the associated
  data A and of the plaintext P MUST be such that 0 < |A| + |P| <
  2^{n/2}.

It might be worth giving some reasoning for why it's forbidden to have
an empty plaintext (with no additional data), since in some protocols it
is useful to have an explicit authenticated "empty message" sentinel.

Section 4.2

There's a little skew between the definition of A in §4.1 and here.  The
definite article looks fine to use here since there is a definite AAD
associated with a given ciphertext, but the explicit condition "if |A| >
0, then" may be worth keeping.

(Similarly for "If |C| > 0, then [...]".)

  5.  The authenticated tag T in V_S.

Should this be "authenticated" or "authentication"?

Section 5

I think "inverse-free" should be hyphenated in all instances.

  Availability of precomputations for the MGM means the possibility to
  calculate H_i and E_K(Y_i) even before data is retrieved.  It is
  holds due to again the usage of counters for calculating them.

s/It is holds due to again/It holds again due to/

Section 6

(side note) I expect the focus of new IETF work to be on
nonce-misuse-resistant modes, but that in no way detracts from the value
of having the MGM reference available in this form.

I wonder if it is worth reiterating the requirement that |A| < 2^{n/2}
and |P| < 2^{n/2} along with description of what fails if the limit is
exceeded.
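The (x) operation quoted in the Section 3 nit and the length requirement quoted from Section 4.1, as an added worked example that is not part of the ballot comment, the draft, or any MGM implementation. It interprets an n-bit string X = (x_{n-1}, ..., x_0) as an integer whose bit i is the coefficient of w^i; the reduction polynomials are assumptions, since the quoted text does not state them.

```python
# Added example: X (x) Y as multiplication of polynomials over GF(2)
# reduced modulo the field polynomial of GF(2^n).  Bit i of the
# integer is the coefficient z_i of w^i, matching Z = (z_{n-1}, ..., z_0).

# Assumed reduction polynomials (not given in the quoted text):
# w^128 + w^7 + w^2 + w + 1 for a 128-bit block size, and
# w^8 + w^4 + w^3 + w + 1 (the AES field) for a small, checkable case.
POLY_128 = (1 << 128) | 0x87
POLY_8 = (1 << 8) | 0x1B


def gf_mul(x: int, y: int, n: int, poly: int) -> int:
    """Return Z = X (x) Y in GF(2^n) for n-bit strings given as ints."""
    if not (0 <= x < (1 << n) and 0 <= y < (1 << n)):
        raise ValueError("inputs must be n-bit strings")
    z = 0
    # Schoolbook carry-less multiplication: XOR a shifted copy of x
    # for every set bit of y.  The product has degree at most 2n-2.
    for i in range(n):
        if (y >> i) & 1:
            z ^= x << i
    # Reduce modulo poly, clearing one term at a time from the top
    # degree down to degree n, so the result fits in n bits again.
    for deg in range(2 * n - 2, n - 1, -1):
        if (z >> deg) & 1:
            z ^= poly << (deg - n)
    return z


def check_input_lengths(a_len_bits: int, p_len_bits: int, n: int) -> bool:
    """The quoted Section 4.1 requirement: 0 < |A| + |P| < 2^{n/2}.

    Lengths are in bits; an empty A with empty P is rejected, as is any
    combined length at or beyond the 2^{n/2} bound.
    """
    total = a_len_bits + p_len_bits
    return 0 < total < (1 << (n // 2))
```

With the 128-bit polynomial, multiplying w^127 by w wraps to w^7 + w^2 + w + 1 (0x87), which is the reduction step the definition relies on.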
2021-03-31
00 Benjamin Kaduk Ballot comment text updated for Benjamin Kaduk
2021-03-31
00 Benjamin Kaduk [Ballot Position Update] New position, Yes, has been recorded for Benjamin Kaduk
2021-03-31
00 Benjamin Kaduk Created "Approve" ballot
2021-03-31
00 Benjamin Kaduk Conflict Review State changed to IESG Evaluation from AD Review
2021-03-31
00 Benjamin Kaduk New version available: conflict-review-smyshlyaev-mgm-00.txt
2021-03-20
00 Benjamin Kaduk Conflict Review State changed to AD Review from Needs Shepherd
2021-03-20
00 Benjamin Kaduk Telechat date has been changed to 2021-04-08 from 2021-03-25
2021-03-20
00 Benjamin Kaduk Shepherding AD changed to Benjamin Kaduk
2021-03-18
00 Lars Eggert Placed on agenda for telechat - 2021-03-25
2021-03-18
00 Lars Eggert Shepherding AD changed to Lars Eggert
2021-02-16
00 Alissa Cooper Removed from agenda for telechat
2021-02-15
00 Cindy Morgan Placed on agenda for telechat - 2021-02-18
2021-02-14
00 Adrian Farrel IETF conflict review requested