> With GCM, incrementing the counter is done in the library and not exposed for you to forget.
GCM has two counters, the message-block-counter (4 bytes), and the message counter / nonce (12 bytes). The former is inside the crypto library, the latter is supplied by the client and can be mismanaged like any other IV.
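As an added example (not from any commenter in this thread), the following Go program shows both counters from the comment above: the 32-bit block counter is hidden inside `crypto/cipher`'s GCM implementation, while the 96-bit nonce is the caller's responsibility. It builds nonces with the deterministic layout from NIST SP 800-38D (a 4-byte fixed field plus a 64-bit invocation counter), refuses to wrap the counter, and checks what a repeated nonce does: under the same key and nonce, GCM's CTR keystream repeats, so `c1 XOR c2` equals `p1 XOR p2`. The key, fixed field and messages are constructed demo values; `NonceSource`, `NewNonceSourceAt` and `KeystreamLeak` are names chosen here, not library APIs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrNonceExhausted is returned once the 64-bit invocation counter would wrap;
// the only safe response is to rotate the key, never to reuse a nonce.
var ErrNonceExhausted = errors.New("gcm nonce counter exhausted; rotate the key")

// NonceSource hands out unique 96-bit GCM nonces using the deterministic
// construction of SP 800-38D: a fixed field (identifies the sender/device)
// followed by a big-endian invocation counter. This is the counter that the
// library does NOT manage for you.
type NonceSource struct {
	fixed     [4]byte
	counter   uint64 // next counter value to emit
	exhausted bool
}

// NewNonceSource starts the invocation counter at zero.
func NewNonceSource(fixed [4]byte) *NonceSource {
	return &NonceSource{fixed: fixed}
}

// NewNonceSourceAt starts the counter at an arbitrary value (useful for
// resuming a persisted counter, and for testing the wrap-around guard).
func NewNonceSourceAt(fixed [4]byte, start uint64) *NonceSource {
	return &NonceSource{fixed: fixed, counter: start}
}

// Next returns the next unique 12-byte nonce, or ErrNonceExhausted.
func (n *NonceSource) Next() ([]byte, error) {
	if n.exhausted {
		return nil, ErrNonceExhausted
	}
	nonce := make([]byte, 12)
	copy(nonce[:4], n.fixed[:])
	binary.BigEndian.PutUint64(nonce[4:], n.counter)
	if n.counter == ^uint64(0) {
		n.exhausted = true // last usable value emitted; never wrap to 0
	} else {
		n.counter++
	}
	return nonce, nil
}

// seal encrypts with AES-GCM; the 32-bit block counter inside GCM is
// initialised and incremented by the library for every call.
func seal(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, plaintext, nil), nil
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// KeystreamLeak encrypts p1 under nonce1 and p2 under nonce2 (same key) and
// reports whether the ciphertext bodies (tag stripped) XOR to p1 XOR p2.
// That equality holds exactly when the keystream was reused, i.e. when the
// caller-supplied nonce repeated. Plaintexts must be equal length.
func KeystreamLeak(key, nonce1, nonce2, p1, p2 []byte) (bool, error) {
	if len(p1) != len(p2) {
		return false, errors.New("equal-length plaintexts required")
	}
	c1, err := seal(key, nonce1, p1)
	if err != nil {
		return false, err
	}
	c2, err := seal(key, nonce2, p2)
	if err != nil {
		return false, err
	}
	n := len(p1)
	return bytes.Equal(xorBytes(c1[:n], c2[:n]), xorBytes(p1, p2)), nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key only
	src := NewNonceSource([4]byte{0xde, 0xad, 0xbe, 0xef})
	n1, _ := src.Next()
	n2, _ := src.Next()
	fmt.Printf("nonce 1: %x\nnonce 2: %x\n", n1, n2)

	p1 := []byte("transfer 100 to alice") // constructed messages, equal length
	p2 := []byte("transfer 999 to alice")
	leak, _ := KeystreamLeak(key, n1, n2, p1, p2)
	fmt.Println("distinct nonces leak p1^p2:", leak)
	leak, _ = KeystreamLeak(key, n1, n1, p1, p2)
	fmt.Println("reused nonce leaks p1^p2:  ", leak)
}
```

The wrap-around guard matters because the nonce counter, unlike the block counter, survives across calls: persist it, or derive the fixed field per key, and rotate the key before the counter runs out rather than letting it roll back to zero.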
Isn't this what happened to the PS3? The documentation said "use a random number" and they calculated it once and put it in as a constant instead of... yah know... using a random number (each time)?
In the PS3 they lacked a real random number in the ECDSA computation. That effectively broke the signature and actually made it possible to recover the private key.