-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Sep 6, 2013, at 11:41 AM, "Jack Lloyd" <ll...@randombit.net> wrote:
>
>> I think that any of OCB, CCM, or EAX are preferable from a security
>> standpoint, but none of them parallelize as well. If you want to do
>> a lot of encrypted and authenticated high-speed link encryption,
>> well, there is likely no other answer. It's GCM or nothing.
>
> OCB parallelizes very well in software and I see no reason it would
> not also do so in hardware; each block of both the plaintext and
> associated data can be processed independently of the others, and all
> of OCB's operations (xor, GF(2^128) doubling, Grey codes) seem like
> they would be well suited to a fast hardware implementation. And
> actually McGrew and Viega's original 2003 paper on GCM specifically
> mentions that OCB "scales to high speeds in hardware", though they do
> not provide references to specific results.
I confess that I might not explain very well a controversy that I lie on a
different side of -- I'm using CCM, myself.
My above explanation is what GCM proponents have told me -- that if you are
doing multiple high-speed streams and have hardware you can throw at it, then
it's what you want.
There is/was an additional OCB issue specifically that there is/was IP around
it. Univ. of California has recently relaxed them, but it's still needlessly
complex. I confess I tend to think of OCB as a footnote -- the cool thing we
can't use -- only.
My decision tree is that I think in a perfect world, one would use OCB, but the
IP nixes it. CCM was created specifically because it's not OCB, and EAX as an
alternative to the alternative CCM. GCM is too easy to screw up and is slow in
software (yes, there's galois multiply on Intel processors, but most of what I
do is ARM). There's nothing wrong with EAX, but CCM is there and standardized
in a number of places. Other people might end up with a different place for
their own reasons. I don't think that any of them are bad, including the
decision of using GCM and just making sure you do it right.
Jon
-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii
wj8DBQFSKm8XsTedWZOD3gYRAjUuAKC2sqp6C0wCrg+KydfhroBjYahqjwCgo+4d
tLx/6e9TaWxRuknLWHEvF5w=
=M7s8
-----END PGP SIGNATURE-----
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
