author | Paul Kehrer <paul.l.kehrer@gmail.com> | 2013-12-03 18:58:14 -0600 |
---|---|---|
committer | Paul Kehrer <paul.l.kehrer@gmail.com> | 2013-12-03 19:00:09 -0600 |
commit | 672843712d6b42404fea27a07a87b70d850cc0dd (patch) | |
tree | 4cc5e7a8933a6a916bbf7a2712df143d6e2ceb71 /docs/hazmat | |
parent | cd28a7cca32c734ddd7f7ad353b27b2cf276aa6e (diff) | |
download | cryptography-672843712d6b42404fea27a07a87b70d850cc0dd.tar.gz cryptography-672843712d6b42404fea27a07a87b70d850cc0dd.tar.bz2 cryptography-672843712d6b42404fea27a07a87b70d850cc0dd.zip |
link to NIST GCM PDF where NIST recommends 96-bit IV for perf with GCM

Clarify that 96-bit IV is only recommended in performance critical
situations...otherwise feel free to use something longer.

Diffstat (limited to 'docs/hazmat')
-rw-r--r-- | docs/hazmat/primitives/symmetric-encryption.rst | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst index bb0308bc..8d8d558b 100644 --- a/docs/hazmat/primitives/symmetric-encryption.rst +++ b/docs/hazmat/primitives/symmetric-encryption.rst @@ -342,11 +342,12 @@ Modes :param bytes initialization_vector: Must be random bytes. They do not need to be kept secret (they can be included - in a transmitted message). Recommended - to be 96-bit by NIST, but can be up to - 2\ :sup:`64` - 1 bits. Do not reuse an - ``initialization_vector`` with a given - ``key``. + in a transmitted message). NIST + `recommends 96-bit IV length`_ for + performance critical situations, but it + can be up to 2\ :sup:`64` - 1 bits. + Do not reuse an ``initialization_vector`` + with a given ``key``. :param bytes tag: The tag bytes to verify during decryption. Must be provided for decryption, but is ignored when encrypting. @@ -384,3 +385,4 @@ Insecure Modes .. _`described by Colin Percival`: http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html +.. _`recommends 96-bit IV length`: http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-spec.pdf |
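Review bot: In the ``initialization_vector`` description (hunk -342,11 +342,12), the reworded sentence gives only an upper bound ("up to 2\ :sup:`64` - 1 bits") and no lower bound, so "for performance critical situations" can be read as allowing IVs shorter than 96 bits whenever performance does not matter. The commit message states the intent as "feel free to use something longer"; say that in the text itself, for example "longer IVs are allowed, up to ...", and state the minimum length the API accepts if there is one.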
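Review bot: The link target added at the end of the file (hunk -384,3 +385,4) points at ``gcm-spec.pdf`` under a ``proposedmodes/`` path, while the prose it backs says "NIST recommends"; a document in the proposed-modes area is a mode specification submitted to NIST, not NIST's published recommendation. If the statement is to be attributed to NIST, cite NIST SP 800-38D (the published GCM recommendation) instead, or reword the link text so it names the GCM specification it actually points to.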