next AE cipher COLM?

Uri Blumenthal uri at
Fri May 18 04:16:44 CEST 2018

As a cryptographer and a mathematician, I find both GCM and OCB modes quite fine. In general, IMHO “counter based algorithms” (assuming you mean CTR mode) are the best performance-wise, and applicability-wise. Having formal mathematical proofs of correctness doesn’t hurt either (or did you notice?).

I fail to see any similarities with RC4, and cannot guess what lessons you might be referring to. Although, if you found a weakness in GCM mode - by all means, please share it with the wider audience. Or is it that you find it more difficult to code than ECB?

Any cryptographic software is “fiddly” if you pay (or if you *don’t* pay!) enough attention.

On May 17, 2018, at 14:16 , Robert J. Hansen <rjh at<mailto:rjh at>> wrote:

And please don't mention GCM - counter based algorithms are way too
brittle for solid cryptography.  Remember the RC4 lessons.

To say nothing of the implementation difficulty.  The more complex the algorithm, the less the chance it'll be implemented correctly.  As someone who's implemented GCM a couple of times, it's not a simple mode.  It's tremendously fiddly.  Complicated code leads to complicated failure modes and testing difficulties.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Gnupg-devel mailing list