next AE cipher COLM?

Uri Blumenthal uri at mit.edu
Fri May 18 12:56:01 CEST 2018


If nonce reuse is a concern (which really shouldn't apply to OpenPGP or S/MIME, because each message should get its own unique random symmetric key - so the likelihood of collision is rather low), there's AES-GCM-SIV that's misuse-resistant (again, comes with security proofs).

OCB had been released to some open source, and if need be - one can ask Phil Rogaway to make an explicit statement on its use in GnuPG (my gut feeling is he'd be happy to permit it). And yes, OCB shows excellent performance even on CPUs without AES-NI and PCMUL.

P.S. Did not look at COLM - swamped with real work (plus: if I find a problem - it means it's broken; if I find no issue - it means nothing). COLM may be the best thing since sliced bread, but I personally prefer something with a longer history.

Sent from my test iPhone

> On May 18, 2018, at 04:22, Werner Koch <wk at gnupg.org> wrote:
> 
> On Fri, 18 May 2018 04:16, uri at mit.edu said:
> 
>> I fail to see any similarities with RC4, and cannot guess what lessons
>> you might be referring to. Although, if you found a weakness in GCM
> 
> RC4 has so many preconditions for safe use that it has never been used
> in a safe way.  But it was easy to implement.
> 
> GCM is of course easier to use and way better designed but still the
> reuse of the IV with the same key leaks the plaintext.  And it is the
> most complicated mode to implement which I consider bad for security.
> 
> OCB is a clean and simple design which does not leak the plaintext on
> accidental IV reuse.
> 
> 
> Shalom-Salam,
> 
>   Werner
> 
> 
> 
> p.s. 
> I have received questions on performance.  Here is what Libgcrypt master
> yields on an i5-2410M using AES (enc has additional data):
> 
>           |  nanosecs/byte   mebibytes/sec   cycles/byte
>   CBC enc |      1.79 ns/B       531 MiB/s      4.13 c/B    S/MIME
>   CBC dec |      0.28 ns/B      3472 MiB/s      0.63 c/B    
>   CFB enc |      1.77 ns/B       538 MiB/s      4.08 c/B    OpenPGP (rfc4880)
>   CFB dec |      0.27 ns/B      3562 MiB/s      0.62 c/B
>   CCM enc |      1.80 ns/B       531 MiB/s      4.13 c/B
>   CCM dec |      2.07 ns/B       462 MiB/s      4.75 c/B
>   EAX enc |      1.79 ns/B       531 MiB/s      4.13 c/B    rfc4880bis
>   EAX dec |      2.07 ns/B       461 MiB/s      4.75 c/B
>   GCM enc |      0.68 ns/B      1413 MiB/s      1.55 c/B
>   GCM dec |      0.95 ns/B      1008 MiB/s      2.18 c/B
>   OCB enc |      0.28 ns/B      3360 MiB/s      0.65 c/B    rfc4880bis
>   OCB dec |      0.30 ns/B      3148 MiB/s      0.70 c/B
> 
> -- 
> #  Please read:  Daniel Ellsberg - The Doomsday Machine  #
> Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
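Werner's point that GCM leaks plaintext on IV reuse, and Uri's point that a fresh per-message key sidesteps it, as an added example using Go's standard-library AES-GCM (this is not code from either poster, from Libgcrypt or from GnuPG). With one key and one nonce the CTR keystream cancels, so the XOR of two ciphertexts equals the XOR of the two plaintexts; a fresh nonce or a fresh key restores independence. The key, nonce and message values are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// gcmSeal: AES-GCM encrypt pt under key and a 12-byte nonce; returns ciphertext || 16-byte tag.
func gcmSeal(key, nonce, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead.Seal(nil, nonce, pt, nil)
}

// KeystreamCancels encrypts p1 under (key1, nonce1) and p2 under (key2, nonce2) and
// reports whether c1 XOR c2 == p1 XOR p2 over the common prefix. GCM's CTR keystream
// depends only on key and nonce, so it cancels exactly when both pairs are equal.
func KeystreamCancels(key1, nonce1, key2, nonce2, p1, p2 []byte) bool {
	c1 := gcmSeal(key1, nonce1, p1)
	c2 := gcmSeal(key2, nonce2, p2)
	n := len(p1)
	if len(p2) < n {
		n = len(p2)
	}
	for i := 0; i < n; i++ {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false // keystreams differ: the two messages stay independent
		}
	}
	return true // keystream cancelled: p1 XOR p2 is exposed to anyone holding c1 and c2
}

func main() {
	// Constructed values; real keys and nonces come from a CSPRNG.
	key, key2 := []byte("0123456789abcdef"), []byte("fedcba9876543210")
	nonce, nonce2 := []byte("unique-nonce"), []byte("other-nonce!")
	p1, p2 := []byte("meet at noon in room 4"), []byte("report is due on friday")
	fmt.Println("same key, same nonce:", KeystreamCancels(key, nonce, key, nonce, p1, p2))   // true
	fmt.Println("same key, fresh nonce:", KeystreamCancels(key, nonce, key, nonce2, p1, p2)) // false
	fmt.Println("fresh key per message:", KeystreamCancels(key, nonce, key2, nonce, p1, p2)) // false
}
```

The same cancellation holds for the CTR core of any nonce-based AEAD; what the Libgcrypt table above measures is speed, not this property, which is why the thread treats mode choice and nonce discipline separately.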


