Zooko provided a bunch of useful comments in private mail, which I've edited and forward for list consumption.
Zooko Wilcox-O'Hearn wrote:
EAX is in the same class as CCM. I think its slightly better. Also there is GCM mode, which is perhaps a tiny bit faster, although maybe not if you have to re-key every datagram. Not sure about the key-agility of these.
... I guess the IPv6 sec project has already specified such a thing in detail. I'm not familiar with their solution.
If you really want interop and wide adoption, then the obvious thing to do is backport IPsec to IPv4. Nobody can resist the authority of IETF!
Alternately, if you don't use a "combined mode" like EAX, then you should follow the "generic composition" cookbook from Bellare and Rogaway [1, 2].
Next time I do something like this for fun, I'll abandon AES entirely (whee! how exciting) and try Helix [3]. Also, I printed out this intriguing document yesterday [4]. Haven't read it yet. It focusses on higher-layer stuff -- freshness and sequencing.
Feel free to post to metzcrypt and give me credit for bringing the following four URLs to your attention.
[1] http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-back.htm#alternatives [2] http://www.cs.ucsd.edu/users/mihir/papers/oem.html [3] http://citeseer.ist.psu.edu/561058.html [4] http://citeseer.ist.psu.edu/661955.html
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
