> -----Original Message-----
> From: coderman [mailto:[email protected]]
> Sent: Tuesday, April 03, 2012 15:23
> To: Wyss, Felix
> Cc: ianG; [email protected]
> Subject: Re: [cryptography] "Combined" cipher modes
>
> On Tue, Apr 3, 2012 at 12:02 PM, Wyss, Felix <[email protected]> wrote:
> > ...
> > Maybe being conservative is warranted:
> > http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf
>
> don't use GCM wrong? short tags are bad. changing tag lengths is bad.
> use 128bit tags.
>
> reminds me of CTR mode arguments...

I think that is a dangerous assertion, as it is generally understood (assumed?) that shorter tags don't weaken the authentication to worse than 1/2^n. The fact that GCM more or less breaks if you don't use the full tag size IMHO makes it brittle and certainly fails to meet the "principle of least surprise".

Supposedly, SGCM (http://eprint.iacr.org/2011/326.pdf) doesn't have these deficiencies (and can be implemented efficiently without custom instructions like PCLMULQDQ). A bit new for my taste, though.

--Felix

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
