RFC5116, "An Interface and Algorithms for Authenticated Encryption", January 2008

Source of RFC: IETF - NON WORKING GROUP
Area Assignment: sec

Errata ID: 4008

Status: Reported
Type: Technical

Reported By: Tapio Sokura
Date Reported: 2014-06-08

Section 2.2 says:

The
authenticated decrypt operation will, with high probability, return
FAIL whenever the inputs N, P, and A were crafted by a nonce-
respecting adversary that does not know the secret key (assuming that
the AEAD algorithm is secure).

It should say:

The
authenticated decrypt operation will, with high probability, return
FAIL whenever the inputs N, C, and A were crafted by a nonce-
respecting adversary that does not know the secret key (assuming that
the AEAD algorithm is secure).

Notes:

Inputs to the authenticated decrypt operation do not include plaintext P, but instead includes ciphertext C.

Errata ID: 4268

Status: Reported
Type: Editorial

Reported By: Martin Thomson
Date Reported: 2015-02-09

Section 3.1 says:

As an example, the nonce 100 could be stored, after which the nonces
1 through 99 could be used for encryption. The nonce value 200 could
be stored at the same time that nonces 1 through 99 are being used,
and so on.

It should say:

As an example, the nonce 100 could be stored, after which the nonces
1 through 99 could be used for encryption. The nonce value 200 could
be stored at the same time that nonces 101 through 199 are being used,
and so on.

Notes:

This might be confusing in its original form, maybe even suggesting an interpretation where nonces are reused.