> On Tue, Apr 3, 2012 at 12:02 PM, Wyss, Felix <[email protected]> wrote:
>>...
>> Maybe being conservative is warranted:
>> http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf
>
> don't use GCM wrong? short tags are bad. changing tag lengths are
> bad. use 128bit tags.

If you use 128 bit tags and follow the 96 bit IV recommendation, the gains of GCM over classic AES-CBC with HMAC-MD5 or HMAC-SHA1 are somewhat limited, saving between 12 bytes or 16 bytes on per-message overhead (assuming that GCM lacks padding, which I haven't checked). 28 bytes of overhead remain.
