Zooko provided a bunch of useful comments in private mail,
which I've edited and forward for list consumption.
Zooko Wilcox-O'Hearn wrote:
EAX is in the same class as CCM. I think it's slightly better. Also
there is GCM mode, which is perhaps a tiny bit faster, although maybe
not if you have to re-key every datagram. Not sure about the
key-agility of these.
... I guess the IPv6 sec project has already specified such a thing in
detail. I'm not familiar with their solution.
If you really want interop and wide adoption, then the obvious thing to
do is backport IPsec to IPv4. Nobody can resist the authority of IETF!
Alternately, if you don't use a "combined mode" like EAX, then you
should follow the "generic composition" cookbook from Bellare and
Rogaway [1, 2].
Next time I do something like this for fun, I'll abandon AES entirely
(whee! how exciting) and try Helix [3]. Also, I printed out this
intriguing document yesterday [4]. Haven't read it yet. It focusses on
higher-layer stuff -- freshness and sequencing.
Feel free to post to metzcrypt and give me credit for bringing the
following four URLs to your attention.
[1] http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-back.htm#alternatives
[2] http://www.cs.ucsd.edu/users/mihir/papers/oem.html
[3] http://citeseer.ist.psu.edu/561058.html
[4] http://citeseer.ist.psu.edu/661955.html
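To make the "generic composition" pointer concrete, here is an added example (not from the post or its references) of Bellare-Rogaway Encrypt-then-MAC for a single datagram in Go: AES-CTR under one key, HMAC-SHA256 over nonce||ciphertext under a second, independent key, and the tag checked in constant time before any decryption. The keys and nonce are constructed demo values; a real protocol derives them from a key exchange and must never reuse a nonce under the same key.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)
// Constructed demo keys; generic composition needs independent cipher and MAC keys.
var encKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
var macKey = []byte("fedcba9876543210fedcba9876543210")
// ctr applies AES-CTR under encKey (its own inverse, so used both ways).
func ctr(nonce, in []byte) []byte {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		panic(err) // encKey length is fixed above, so this cannot fail
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, nonce).XORKeyStream(out, in)
	return out
}
// tag is HMAC-SHA256 over nonce||ciphertext under macKey (Encrypt-then-MAC).
func tag(nonce, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(nonce)
	m.Write(ct)
	return m.Sum(nil)
}
// sealEtM builds one datagram: nonce(16) || ciphertext || tag(32); nonce unique per datagram.
func sealEtM(nonce, plaintext []byte) ([]byte, error) {
	if len(nonce) != aes.BlockSize {
		return nil, errors.New("nonce must be exactly one AES block")
	}
	ct := ctr(nonce, plaintext)
	return append(append(append([]byte{}, nonce...), ct...), tag(nonce, ct)...), nil
}
// openEtM verifies the tag in constant time before decrypting, so forged or
// bit-flipped datagrams are rejected without ever touching the cipher.
func openEtM(datagram []byte) ([]byte, error) {
	if len(datagram) < aes.BlockSize+sha256.Size {
		return nil, errors.New("datagram too short")
	}
	nonce, rest := datagram[:aes.BlockSize], datagram[aes.BlockSize:]
	ct, got := rest[:len(rest)-sha256.Size], rest[len(rest)-sha256.Size:]
	if !hmac.Equal(got, tag(nonce, ct)) {
		return nil, errors.New("MAC verification failed")
	}
	return ctr(nonce, ct), nil
}
```

The per-datagram cost Zooko mentions is visible here: each call re-runs the AES key schedule and a fresh HMAC, which is the key-agility question a combined mode such as EAX or GCM answers differently.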
---------------------------------------------------------------------
The Cryptography Mailing List