2013.03.26 20:09:40 (316628033190625280) from Daniel J. Bernstein, replying to "Matthew Green (@matthew_d_green)" (316612026413748224):
If this code had been added to NaCl (or SUPERCOP) then the bug would have been caught automatically by two of NaCl's tests. @matthew_d_green
2013.03.26 19:06:04 (316612026413748224) from "Matthew Green (@matthew_d_green)":
It baffles me why we use AES-GCM, an algorithm that nobody likes or understands, or can even implement correctly. http://eprint.iacr.org/2013/157.pdf