> I think that any of OCB, CCM, or EAX are preferable from a security
> standpoint, but none of them parallelize as well. If you want to do
> a lot of encrypted and authenticated high-speed link encryption,
> well, there is likely no other answer. It's GCM or nothing.

OCB parallelizes very well in software and I see no reason it would
not also do so in hardware; each block of both the plaintext and
associated data can be processed independently of the others, and all
of OCB's operations (xor, GF(2^128) doubling, Gray codes) seem like
they would be well suited to a fast hardware implementation. And
actually McGrew and Viega's original 2003 paper on GCM specifically
mentions that OCB "scales to high speeds in hardware", though they do
not provide references to specific results.

The cryptography mailing list
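
The offset arithmetic the reply refers to, as an added example that is not part of the original message: it assumes the OCB1 construction (per-block offset Z[i] = gray(i)·L xor R in GF(2^128)) and shows that any block's offset can be derived without touching its neighbours, so independent lanes reproduce the sequential result. The values of L and R are constructed placeholders (in OCB they come from the block cipher and the nonce), and all function names are hypothetical.

```python
MASK = (1 << 128) - 1

def double(v):
    """Multiply v by x in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1."""
    v <<= 1
    return (v & MASK) ^ 0x87 if v >> 128 else v

def l_table(L, n=64):
    """L(j) = L * x^j for j = 0..n-1, computed once per key."""
    table = [L]
    for _ in range(n - 1):
        table.append(double(table[-1]))
    return table

def ntz(i):
    """Number of trailing zero bits of i (i > 0)."""
    return (i & -i).bit_length() - 1

def offset_direct(table, R, i):
    """Z[i] = gray(i)*L xor R, using nothing but the block index i."""
    g, z, j = i ^ (i >> 1), R, 0      # g is the Gray code of i
    while g:
        if g & 1:
            z ^= table[j]
        g >>= 1
        j += 1
    return z

def offsets_lane(table, R, first, count):
    """Offsets for blocks first..first+count-1, as one independent lane.

    The lane seeds itself with a direct computation, then uses the cheap
    incremental step Z[i] = Z[i-1] xor L(ntz(i)): one xor per block.
    """
    z = offset_direct(table, R, first - 1)
    out = []
    for i in range(first, first + count):
        z ^= table[ntz(i)]
        out.append(z)
    return out

# Constructed sample values, not derived from any real key or nonce.
L = int.from_bytes(bytes(range(16)), "big")
R = int.from_bytes(bytes(range(16, 32)), "big")
TABLE = l_table(L)

if __name__ == "__main__":
    serial = offsets_lane(TABLE, R, 1, 1024)
    lanes = [offsets_lane(TABLE, R, 1 + 256 * k, 256) for k in range(4)]
    print("4 lanes match serial:", sum(lanes, []) == serial)
```

Each lane needs only the shared table and its starting index, which is the property that lets the per-block cipher calls be issued side by side.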
