> I think that any of OCB, CCM, or EAX are preferable from a security > standpoint, but none of them parallelize as well. If you want to do > a lot of encrypted and authenticated high-speed link encryption, > well, there is likely no other answer. It's GCM or nothing.
OCB parallelizes very well in software and I see no reason it would not also do so in hardware; each block of both the plaintext and associated data can be processed independently of the others, and all of OCB's operations (xor, GF(2^128) doubling, Grey codes) seem like they would be well suited to a fast hardware implementation. And actually McGrew and Viega's original 2003 paper on GCM specifically mentions that OCB "scales to high speeds in hardware", though they do not provide references to specific results. Jack _______________________________________________ The cryptography mailing list email@example.com http://www.metzdowd.com/mailman/listinfo/cryptography