Jon Callas <> writes:

>How do you feel (heh, I typoed that as "feal") about the other AEAD modes?

If it's not a stream cipher and doesn't fail catastrophically with IV reuse
then it's probably as good as any other mode.  Problem is that at the moment
modes like AES-CTR are being promulgated as fashion statements without any
consideration about operational deployment, when what we should be promoting
is something that's safely and effectively deployable.  Someblockcipher-CBC +
HMAC is a nice safe bet, run your HMAC, do a constant-time compare of the
result, toss the encrypted data if you get a verify failure, otherwise
decrypt, it's pretty straightforward.


The cryptography mailing list

Reply via email to