On Tue, Apr 3, 2012 at 6:35 AM, ianG <[email protected]> wrote:
> ...
> To tip my hand here somewhat I'm thinking of GCM.
>
> (Digression.) Now, this thread was useful to me because I started reading up on new modes and so forth, and combined that with my past experiences. What I wanted was a fast AES mode coupled with a heavyweight keyed CRC for opportunistic/DOS protection.
>
> Hey presto - GCM is that! (I think, haven't finished reading yet.) If you look at the formula for Galois, it is basically a CRC expanded out to 128 bits. Perfect! Fast!
More reasons to love GCM: easily pipelined and parallelized. Intel has PCLMULQDQ on die now. Not patent encumbered. I often wonder why adoption is so slow. (Cryptographers are conservative, they say.)

> When Zooko and I designed the random||counter||time construct it is because we knew that some or many servers could get into a pathological mode w.r.t. entropy. And saying "have good entropy" is like telling teenaged girls not to hang around teenaged boys. *grin*

Regarding the crypto cracking rumors around the new NSA datacenter, this seems a much more likely target. Bad entropy by mistake or malfeasance, it is a problem everywhere.

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
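The "CRC expanded out to 128 bits" remark above in working code, as an added example that is not from this thread or any of its posters: GHASH, the authentication half of GCM, implemented from the GCM spec's Algorithm 1 and checked against the spec's Test Case 2. The values H (= AES_K(0^128)) and E_K(J0) are taken as constants from that test case, so no AES implementation is needed; everything else is computed.

```python
# Added example (not from the thread). GHASH is a polynomial in a secret
# point H over GF(2^128), evaluated Horner-style over the blocks of padded
# associated data and ciphertext plus a length block: structurally a CRC,
# but keyed by H. Test values are GCM spec Test Case 2 (zero key, zero IV,
# one zero plaintext block).

R = 0xE1000000000000000000000000000000  # x^128 + x^7 + x^2 + x + 1 in GCM bit order

def gf128_mul(x: int, y: int) -> int:
    """Multiply in GF(2^128) using GCM's reflected bit order (spec Algorithm 1)."""
    z, v = 0, x
    for i in range(128):
        if (y >> (127 - i)) & 1:   # bit i of y, bit 0 being the leftmost bit
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1   # v *= x, reduced mod the polynomial
    return z

def ghash(h: bytes, aad: bytes, ct: bytes) -> bytes:
    """GHASH_H(A, C): Horner evaluation over A||pad, C||pad, len(A)||len(C)."""
    hh = int.from_bytes(h, "big")
    def blocks(data: bytes):
        data += b"\x00" * (-len(data) % 16)   # zero-pad to a 16-byte boundary
        return [int.from_bytes(data[i:i + 16], "big") for i in range(0, len(data), 16)]
    length_block = (len(aad) * 8 << 64) | (len(ct) * 8)   # bit lengths, 64 bits each
    y = 0
    for x in blocks(aad) + blocks(ct) + [length_block]:
        y = gf128_mul(y ^ x, hh)   # like a CRC: fold in a block, multiply, reduce
    return y.to_bytes(16, "big")

# GCM spec Test Case 2 constants (K = 0^128, IV = 0^96, P = 0^128).
H_TC2 = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")        # AES_K(0^128)
C_TC2 = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")        # the ciphertext block
EK_J0_TC2 = bytes.fromhex("58e2fccefa7e3061367f1d57a4e7455a")    # AES_K(J0), the tag mask
TAG_TC2 = bytes.fromhex("ab6e47d42cec13bdf53a67b21257bddf")      # expected tag

def gcm_tag(h: bytes, ek_j0: bytes, aad: bytes, ct: bytes) -> bytes:
    """Tag = GHASH_H(A, C) XOR E_K(J0): the keyed CRC masked by one AES block."""
    return bytes(a ^ b for a, b in zip(ghash(h, aad, ct), ek_j0))

if __name__ == "__main__":
    print(ghash(H_TC2, b"", C_TC2).hex())                      # f38cbb1ad69223dcc3457ae5b6b0f885
    print(gcm_tag(H_TC2, EK_J0_TC2, b"", C_TC2) == TAG_TC2)    # True
```

Because GHASH is linear in its input (XOR distributes through the multiply), its strength as a MAC rests entirely on H staying secret and on the mask E_K(J0) never repeating under one key, which is why GCM's unique-nonce requirement matters as much as the key itself.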
