Jon Callas <[email protected]> writes:

>(Personally, I don't like GCM. I think it's too tetchy. But I'm pretty blase
>about PKCS#1, because I'm used to poring over it to make sure it's done
>right.)
Same here. GCM combines the scariest features of CTR mode (it's RC4 all over again; apart from SSL, people have managed to get that wrong almost everywhere it's been used) and GHASH (all the side-channels you can eat). With CBC+HMAC we at least know what we're getting and can defend against it; with GCM there's years of attacks still waiting to be published.

Peter.

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
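Added example (not part of Peter's post or the list thread), in Go using only the standard library's crypto/aes and crypto/cipher: it shows the CTR-side failure the post alludes to with "RC4 all over again", namely that two messages sealed under one AES-GCM key and nonce have ciphertexts that XOR to the XOR of the plaintexts, alongside a fail-closed wrapper that refuses to reuse a nonce. NonceGuard, KeystreamReuseLeak, the key, nonces and plaintexts are all constructed for this example and are not a library API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// KeystreamReuseLeak seals equal-length p1 and p2 under nonce1 and nonce2 and
// reports whether c1 XOR c2 == p1 XOR p2 once the 16-byte tags are stripped.
// True means the CTR keystream repeated, so an observer learns p1 XOR p2.
func KeystreamReuseLeak(aead cipher.AEAD, nonce1, nonce2, p1, p2 []byte) bool {
	c1 := aead.Seal(nil, nonce1, p1, nil)[:len(p1)]
	c2 := aead.Seal(nil, nonce2, p2, nil)[:len(p2)]
	for i := range p1 {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false
		}
	}
	return true
}

// ErrNonceReuse is returned by NonceGuard.Seal when a nonce is presented twice.
var ErrNonceReuse = errors.New("gcm: nonce already used under this key")

// NonceGuard wraps AES-GCM, remembers every nonce sealed under its key and
// fails closed on a repeat (constructed example, not a standard-library type).
type NonceGuard struct {
	aead cipher.AEAD
	seen map[string]bool
}

// NewNonceGuard builds AES-GCM for a 16-, 24- or 32-byte key.
func NewNonceGuard(key []byte) (*NonceGuard, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return &NonceGuard{aead: aead, seen: map[string]bool{}}, err
}

// Seal encrypts plaintext under nonce, or returns ErrNonceReuse untouched.
func (g *NonceGuard) Seal(nonce, plaintext []byte) ([]byte, error) {
	if g.seen[string(nonce)] {
		return nil, ErrNonceReuse
	}
	g.seen[string(nonce)] = true
	return g.aead.Seal(nil, nonce, plaintext, nil), nil
}
```

The in-memory set is only a demonstration of the invariant; in a real system the nonce state has to survive restarts and be shared across every process holding the key, which is why counters or random 96-bit nonces with strict key rotation are the usual answer.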
