
On Sep 6, 2013, at 11:41 AM, "Jack Lloyd" <ll...@randombit.net> wrote:

>> I think that any of OCB, CCM, or EAX are preferable from a security
>> standpoint, but none of them parallelize as well. If you want to do
>> a lot of encrypted and authenticated high-speed link encryption,
>> well, there is likely no other answer. It's GCM or nothing.
> OCB parallelizes very well in software and I see no reason it would
> not also do so in hardware; each block of both the plaintext and
> associated data can be processed independently of the others, and all
> of OCB's operations (xor, GF(2^128) doubling, Gray codes) seem like
> they would be well suited to a fast hardware implementation. And
> actually McGrew and Viega's original 2003 paper on GCM specifically
> mentions that OCB "scales to high speeds in hardware", though they do
> not provide references to specific results.

I confess that I might not explain very well a controversy that I lie on a 
different side of -- I'm using CCM, myself. 

My above explanation is what GCM proponents have told me -- that if you are 
doing multiple high-speed streams and have hardware you can throw at it, then 
it's what you want. 

There is/was an additional OCB issue specifically that there is/was IP around 
it. Univ. of California has recently relaxed them, but it's still needlessly 
complex. I confess I tend to think of OCB as a footnote -- the cool thing we 
can't use -- only.

My decision tree is that I think in a perfect world, one would use OCB, but the 
IP nixes it. CCM was created specifically because it's not OCB, and EAX as an 
alternative to the alternative CCM. GCM is too easy to screw up and is slow in 
software (yes, there's Galois multiply on Intel processors, but most of what I 
do is ARM). There's nothing wrong with EAX, but CCM is there and standardized 
in a number of places. Other people might end up with a different place for 
their own reasons. I don't think that any of them are bad, including the 
decision of using GCM and just making sure you do it right.



The cryptography mailing list

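An added illustration of the parallelization point quoted above (not code from either poster or from any OCB implementation): with Gray-code offsets built from GF(2^128) doubling, the offset for block i can be computed from i alone, so blocks need not be processed in order. Assumptions: the nonce-dependent starting offset is taken as zero, SAMPLE_L is a constructed constant standing in for the key-derived value L, and the function names are hypothetical.

```python
MASK = (1 << 128) - 1
POLY = 0x87  # low bits of x^128 + x^7 + x^2 + x + 1
SAMPLE_L = (1 << 127) | 0x1234567  # constructed value, top bit set to force reduction

def double(v):
    """Multiply a 128-bit field element by x in GF(2^128)."""
    v <<= 1
    if v >> 128:                 # overflowed past x^127: reduce
        v = (v & MASK) ^ POLY
    return v

def ntz(i):
    """Number of trailing zero bits of i (i > 0)."""
    return (i & -i).bit_length() - 1

def gray(i):
    """i-th Gray code; consecutive codes differ in bit ntz(i)."""
    return i ^ (i >> 1)

def l_table(L, n):
    """L, 2L, 4L, ...: the only precomputation, done by repeated doubling."""
    out = [L]
    for _ in range(n - 1):
        out.append(double(out[-1]))
    return out

def offsets_sequential(L, count):
    """Offset_i = Offset_{i-1} xor L[ntz(i)], walking the blocks in order."""
    table = l_table(L, count.bit_length())
    z, out = 0, []
    for i in range(1, count + 1):
        z ^= table[ntz(i)]
        out.append(z)
    return out

def offset_direct(L, i):
    """Offset_i = gray(i) * L, computed from the block index alone."""
    table = l_table(L, i.bit_length())
    z, g, j = 0, gray(i), 0
    while g:
        if g & 1:                # bit j of gray(i) selects L * x^j
            z ^= table[j]
        g >>= 1
        j += 1
    return z

def offsets_agree(L, count):
    """True if any block's offset can be derived without its predecessors."""
    seq = offsets_sequential(L, count)
    return all(seq[i - 1] == offset_direct(L, i) for i in range(1, count + 1))
```
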