next AE cipher COLM?
Werner Koch
wk at gnupg.org
Fri May 18 10:12:53 CEST 2018
On Fri, 18 May 2018 04:16, uri at mit.edu said:
> I fail to see any similarities with RC4, and cannot guess what lessons
> you might be referring to. Although, if you found a weakness in GCM
RC4 has so many preconditions for safe use that it has never been used
in a safe way. But it was easy to implement.
GCM is of course easier to use and way better designed but still the
reuse of the IV with the same key leaks the plaintext. And it is the
most complicated mode to implement which I consider bad for security.
OCB is a clean and simple design which does not leak the plaintest on
accidental IV reuse.
Shalom-Salam,
Werner
p.s.
I have received questions on performance. Here is what Libgcrypt master
yields on a i5-2410M using AES (enc has additional data):
| nanosecs/byte mebibytes/sec cycles/byte
CBC enc | 1.79 ns/B 531 MiB/s 4.13 c/B S/MIME
CBC dec | 0.28 ns/B 3472 MiB/s 0.63 c/B
CFB enc | 1.77 ns/B 538 MiB/s 4.08 c/B OpenPGP (rfc4880)
CFB dec | 0.27 ns/B 3562 MiB/s 0.62 c/B
CCM enc | 1.80 ns/B 531 MiB/s 4.13 c/B
CCM dec | 2.07 ns/B 462 MiB/s 4.75 c/B
EAX enc | 1.79 ns/B 531 MiB/s 4.13 c/B rfc4880bis
EAX dec | 2.07 ns/B 461 MiB/s 4.75 c/B
GCM enc | 0.68 ns/B 1413 MiB/s 1.55 c/B
GCM dec | 0.95 ns/B 1008 MiB/s 2.18 c/B
OCB enc | 0.28 ns/B 3360 MiB/s 0.65 c/B rfc4880bis
OCB dec | 0.30 ns/B 3148 MiB/s 0.70 c/B
--
# Please read: Daniel Ellsberg - The Doomsday Machine #
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20180518/42e7aa12/attachment.sig>
More information about the Gnupg-devel
mailing list