On Tue, Apr 3, 2012 at 4:10 PM, Wyss, Felix <[email protected]> wrote:
>> -----Original Message-----
>> From: coderman [mailto:[email protected]]
>> Sent: Tuesday, April 03, 2012 15:23
>> To: Wyss, Felix
>> Cc: ianG; [email protected]
>> Subject: Re: [cryptography] "Combined" cipher modes
>>
>> On Tue, Apr 3, 2012 at 12:02 PM, Wyss, Felix <[email protected]> wrote:
>> >...
>> > Maybe being conservative is warranted:
>> > http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf
>>
>> don't use GCM wrong? short tags are bad. changing tag lengths are bad.
>> use 128bit tags.
>>
>> reminds me of CTR mode arguments...
>
> I think that is a dangerous assertion as it is generally understood
> (assumed?) that shorter tags don't weaken the authentication worse than to
> 1/2^n. The fact that GCM more or less breaks if you don't use the full tag
> size IMHO makes it brittle and certainly fails to meet the "principle of
> least surprise".
>
EAX' (EAX Prime) suffered the same fate with its 32-bit tags. It's currently used in the Smart Grid. http://eprint.iacr.org/2012/018.

Jeff
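
An added example, not part of the original thread: a Go sketch of why "changing tag lengths are bad" in GCM. A short GCM tag is the leading bytes of the full tag, so a receiver that accepts a variable tag length also accepts a 128-bit-tagged message whose tag was cut down in transit, while a receiver pinned to 128 bits rejects it. The names Seal, Open, newGCM and fullTagLen, the all-zero demo key and the sample plaintext are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const fullTagLen = 16 // bytes: the 128-bit tag; Go's GCM accepts 12..16

func newGCM(key []byte, tagLen int) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithTagSize(block, tagLen)
}

// Seal encrypts with a full 128-bit tag; returns nonce and ciphertext||tag.
func Seal(key, plaintext, aad []byte) ([]byte, []byte, error) {
	aead, err := newGCM(key, fullTagLen)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// Open verifies with a tagLen-byte tag; a pinned receiver passes fullTagLen.
func Open(key, nonce, sealed, aad []byte, tagLen int) ([]byte, error) {
	aead, err := newGCM(key, tagLen)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, sealed, aad)
}

func main() {
	key := make([]byte, 16) // constructed all-zero demo key
	nonce, sealed, _ := Seal(key, []byte("constructed sample"), nil)
	cut := sealed[:len(sealed)-4] // 4 tag bytes dropped: a 96-bit tag remains
	_, flex := Open(key, nonce, cut, nil, 12)
	_, pinned := Open(key, nonce, cut, nil, fullTagLen)
	fmt.Println("variable-length receiver:", flex, "| pinned receiver:", pinned)
}
```

The variable-length receiver reports no error for the truncated message; the pinned receiver reports an authentication failure.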
