AES-GCM and AEAD Protected Data Packet (IETF draft)

Werner Koch wk at
Thu Mar 24 20:20:57 CET 2016

On Thu, 24 Mar 2016 11:41, mail at said:

> Crypto primitives written in JS are widely considered to be insecure
> due to timing attack vectors. This is why the WebCrypto api was

and due to lot of other reasons.  But this is not a JavaScript specific
thing but matter of fact for all software implementations.

> NSS and OpenSSL/BoringSSL that already include primitives like
> AES-GCM. These are well tested and subject to release process with

You may want to read

  From: Peter Gutmann <pgut001 at>
  On the Impending Crypto Monoculture
  A number of IETF standards groups are currently in the process of
  applying the second-system effect to redesigning their crypto
  protocols.  A major feature of these changes includes the dropping of
  traditional encryption algorithms and mechanisms like RSA, DH,
  ECDH/ECDSA, SHA-2, and AES, for a completely different set of
  mechanisms, including Curve25519 (designed by Dan Bernstein et al),
  EdDSA (Bernstein and colleagues), Poly1305 (Bernstein again) and
  ChaCha20 (by, you guessed it, Bernstein).
  What's more, the reference implementations of these algorithms also
  come from Dan Bernstein (again with help from others), leading to a
  never-before-seen crypto monoculture in which it's possible that the
  entire algorithm suite used by a security protocol, and the entire
  implementation of that suite, all originate from one person.
  How on earth did it come to this?
and watch out for his remarks on GCM.

Let me comment on Peter's statement that OCB won't be used out legal
fears.  That might indeed be the case for License 2 (proprietary but
non-military use) [1].  But both, License 1 (Free Software) and License
3 (OpenSSL), grant all rights to such software implementations of OCB
without any restrictions.  Now, given that Free Software is one of the
imperative features of trustworthy security software, a License 2 based
implementation won't be trustworthy anyway.

Well, for non-software implementations one-time fees are still demanded.
I do not consider this a major problem because by selling hardware you
have to pay a lot of other fees as well.  Using free software on FPGAs
would be a bit tricky but there are ways to work around with just some
performance degradation.

This the reason why I hope for wider adaption of OCB mode.  I do not
want to see RC4 in new clothes in OpenPGP.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list