On 2 February 2015 at 11:46, Jason Gerfen <jason.ger...@gmail.com> wrote:
> According to documentation provided about the OCB mode of AES it says the
> following:
>
> Section 3: The scheme
>>
>> The tag length is an integer τ ∈ [0 .. n]. ... As for the tag length, a
>> suggested default of τ = 64 is reasonable. Tags of 32 bits are standard in
>> retail banking. Tags of 96 bits are used in IPSec. Using a tag of more than
>> 80 bits adds questionable security benefit, though it does lengthen each
>> cipher text.

In Rogaway's own OCB FAQ it states:

The number τ, the tag length of the scheme, is, like the blockcipher
E, a parameter of the mode. It’s a number 0 ≤ τ ≤ 128.

http://web.cs.ucdavis.edu/~rogaway/ocb/ocb-faq.htm

> The GCM mode is somewhat different regarding the allowed tag length(s).
>
> Section 5.2.1.2 Output Data
>>
>> The bit length of the tag, denoted t, is a security parameter, as
>> discussed in Appendix B. In general, t may be any one of the following five
>> values: 128, 120, 112, 104, or 96. For certain applications, t may be 64 or
>> 32; guidance for the use of these two tag lengths, including requirements on
>> the length of the input data and the lifetime of the key in these cases, is
>> given in Appendix C.

So in both of these cases the largest tag size is 128 bits
(corresponds to the length of 16 that I mentioned - bits -> bytes). A
tag length of 16 is a safe assumption if we don't want to allow the
user to specify; however, it could prevent interop with other
applications, if they require a tag of a different length.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
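
The tag-length and interop point from the message above, as an added example that is not part of the original thread or of PHP's source. It assumes the `$tag` and `$tag_length` parameters that `openssl_encrypt()`/`openssl_decrypt()` gained in PHP 7.1 (after this message was written) and AES-128-GCM; the helper names `gcm_tag_len_ok`, `gcm_seal` and `gcm_open` are hypothetical, and the key, IV and plaintext are constructed sample values.

```php
<?php
// Tag lengths in bytes, from the SP 800-38D text quoted above: 128..96 bits in
// general; 64 and 32 bits only for certain applications.
const GCM_TAG_BYTES = [16, 15, 14, 13, 12];
const GCM_SHORT_TAG_BYTES = [8, 4];

function gcm_tag_len_ok(int $bytes, bool $allowShort = false): bool
{
    return in_array($bytes, GCM_TAG_BYTES, true)
        || ($allowShort && in_array($bytes, GCM_SHORT_TAG_BYTES, true));
}

function gcm_seal(string $pt, string $key, string $iv, string $aad, int $tagLen = 16): array
{
    if (!gcm_tag_len_ok($tagLen)) {
        throw new InvalidArgumentException("unsupported GCM tag length: $tagLen bytes");
    }
    $ct = openssl_encrypt($pt, 'aes-128-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $aad, $tagLen);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return [$ct, $tag];
}

function gcm_open(string $ct, string $tag, string $key, string $iv, string $aad, int $tagLen = 16): string
{
    // Enforce the agreed length before decrypting: openssl_decrypt() does not
    // check it, so a shortened tag could otherwise be accepted.
    if (strlen($tag) !== $tagLen || !gcm_tag_len_ok($tagLen)) {
        throw new InvalidArgumentException('tag length does not match the agreed value');
    }
    $pt = openssl_decrypt($ct, 'aes-128-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
    if ($pt === false) {
        throw new RuntimeException('authentication failed');
    }
    return $pt;
}

// Constructed sample: a peer that uses 96-bit (12-byte) tags, as IPsec does.
$key = random_bytes(16);
$iv  = random_bytes(12);
[$ct, $tag] = gcm_seal('hello', $key, $iv, 'hdr', 12);
var_dump(strlen($tag));
var_dump(gcm_open($ct, $tag, $key, $iv, 'hdr', 12));
try {
    gcm_open($ct, $tag, $key, $iv, 'hdr'); // receiver hard-wired to 16 bytes
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The final call shows the interop failure described above: a receiver fixed at 16 bytes rejects a valid message from a peer that uses 12-byte tags.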
