Peter Gutmann <[email protected]> writes:

> This is why I referred to GCM as "brittle", you can be about as
> abusive as you like with CBC and the worst you get is degradation to
> ECB, while with GCM you make one mistake and you get a catastrophic
> loss of security.

Couldn't you say the same about CTR mode, or stream ciphers themselves? Sure -- it's definitely a lot harder to screw up "incrementing a counter" than it is all the stuff GCM requires you to do, but....

Sincerely,
-- 
Harlan Lieberman-Berg
~hlieberman

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
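An added illustration of the point raised above (example code, not from either poster): a toy CTR-mode construction using HMAC-SHA256 as a stand-in for the block cipher so it runs on the standard library alone, with a wrapper that refuses to reuse a nonce under a key. The `keystream_reuse_leak` function shows why that guard matters: with a repeated nonce the keystreams cancel and the XOR of the two ciphertexts equals the XOR of the two plaintexts, the same "one mistake" failure mode as GCM.

```python
import hashlib
import hmac


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy CTR keystream: block i = HMAC-SHA256(key, nonce || i).
    HMAC stands in for AES here (assumption, to stay standard-library only);
    the nonce-reuse property is identical for real AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt_raw(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Unguarded CTR encryption: caller is trusted never to repeat a nonce."""
    return xor(plaintext, ctr_keystream(key, nonce, len(plaintext)))


class CtrEncryptor:
    """Guarded CTR: derives nonces from a monotonic counter and refuses any repeat."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_nonce = 0
        self.used = set()

    def encrypt_with_nonce(self, nonce: bytes, plaintext: bytes) -> bytes:
        if nonce in self.used:
            raise ValueError("nonce reuse under this key would leak plaintext XOR")
        self.used.add(nonce)
        return ctr_encrypt_raw(self.key, nonce, plaintext)

    def encrypt(self, plaintext: bytes):
        nonce = self.next_nonce.to_bytes(12, "big")  # never repeats for 2**96 messages
        self.next_nonce += 1
        return nonce, self.encrypt_with_nonce(nonce, plaintext)


def keystream_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two messages under one (key, nonce): c1 XOR c2 == p1 XOR p2, a two-time pad."""
    return xor(ctr_encrypt_raw(key, nonce, p1), ctr_encrypt_raw(key, nonce, p2))
```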
