AES-GCM and AEAD Protected Data Packet (IETF draft)

[Tankred Hase]

Hi again,

> Am 23.03.2016 um 22:56 schrieb Werner Koch <wk at gnupg.org>:
> 
> On Wed, 23 Mar 2016 03:20, mail at tankredhase.de said:
> 
>> wanted to get the GnuPG community's thoughts. Making GCM the new
>> standard mode for symmetric encryption would give us a modern and
>> performant alternative to OpenPGP's CFB mode. Especially with regards
> 
> As I mentioned on the WG list, I would really like to see OCB used for
> OpenPGP.  OCB is far superior over any other AE modes.  There are no
> software patent issues even for closed source software with the
> exception for those whose business it is to kill people.

I've done some research concerning patents. It seems OCB is not unencumbered by patents [1][2] while GCM is patent free [3][4]. A least according to Wikipedia and Matthew Green’s blog...

"GCM. Galois Counter Mode has quietly become the most popular AE(AD) mode in the field today, despite the fact that everyone hates it. The popularity is due in part to the fact that GCM is extremely fast, but mostly it's because the mode is patent-free. GCM is 'on-line' and can be parallelized, and (best): recent versions of OpenSSL and Crypto++ provide good implementations, mostly because it's now supported as a TLS ciphersuite. As a side benefit, GCM will occasionally visit your house and fix broken appliances."

Would this change your perception of GCM in regards to GnuPG adoption?

Thanks,
Tankred

[1] https://en.wikipedia.org/wiki/OCB_mode#Patents
[2] http://crypto.stackexchange.com/questions/5639/why-is-ocb-aes-mode-not-becoming-a-standard-for-authenticated-encryption
[3] https://en.wikipedia.org/wiki/Galois/Counter_Mode#Patents
[4] http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html