[Cryptography] [openpgp] OpenPGP SEIP downgrade attack

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Oct 8 10:59:15 EDT 2015


Werner Koch <wk at gnupg.org> writes:

>When taking up this trouble, why go for a slow method whilst faster methods
>are available.

AES-GCM is only fast on CPUs with dedicated hardware support for it (PCLMULQDQ
on x86), it's actually quite slow in pure software (on x86 the slowdown is
about an order of magnitude).  The figures are really all over the place
depending on what system it's running on, so it's a bit hard to generalise any
statement about it.

(It's also not clear whether someone encrypting a 10k email message with PGP
is going to notice it being processed at 100MB/s or 150MB/s).

>OCB works with all 128 bit block length ciphers and is faster than GCM.

It's also a lot more patented than GCM.

(I actually really like OCB and don't like GCM much, but the patent situation
makes it pretty problematic).

Peter.
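The throughput claim above is easy to check on one's own machine. The following Go program is an added example, not part of Peter Gutmann's post or of GnuPG: it seals a constructed 10 KB message (the "10k email" size mentioned in the thread) with AES-128-GCM from the Go standard library, verifies that the ciphertext opens back to the original plaintext, and reports MB/s and the wall time per message. The key, nonce scheme, message size and iteration count are all assumptions chosen for the example. Because Go's `crypto/aes` and `crypto/cipher` use AES-NI and PCLMULQDQ only where the CPU provides them, running this on hardware with and without those instructions shows the spread in figures that the post describes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// MessageSize is the size of the constructed test message: roughly the
// "10k email" mentioned in the thread (an assumption for this example).
const MessageSize = 10 * 1024

// ConstructedMessage returns MessageSize random bytes standing in for an
// email body. It is constructed sample input, not a real message.
func ConstructedMessage() []byte {
	msg := make([]byte, MessageSize)
	if _, err := rand.Read(msg); err != nil {
		panic(err)
	}
	return msg
}

// newAESGCM builds an AES-128-GCM AEAD under a fresh random key.
func newAESGCM() (cipher.AEAD, error) {
	key := make([]byte, 16)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealOpenRoundTrip encrypts msg with AES-GCM and decrypts it again. It
// returns true only if the authentication tag verifies and the recovered
// plaintext equals the input.
func SealOpenRoundTrip(msg []byte) (bool, error) {
	aead, err := newAESGCM()
	if err != nil {
		return false, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return false, err
	}
	ct := aead.Seal(nil, nonce, msg, nil)
	pt, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		// Open fails on any tag mismatch, i.e. on a modified ciphertext.
		return false, err
	}
	return bytes.Equal(pt, msg), nil
}

// MeasureGCM seals msg iters times, with a distinct counter nonce for each
// call (GCM must never reuse a nonce under one key), and returns throughput
// in MB/s together with the wall time spent per message.
func MeasureGCM(msg []byte, iters int) (mbPerSec float64, perMsg time.Duration, err error) {
	aead, err := newAESGCM()
	if err != nil {
		return 0, 0, err
	}
	nonce := make([]byte, aead.NonceSize()) // 12 bytes for standard GCM
	out := make([]byte, 0, len(msg)+aead.Overhead())
	start := time.Now()
	for i := 0; i < iters; i++ {
		binary.BigEndian.PutUint64(nonce[4:], uint64(i))
		out = aead.Seal(out[:0], nonce, msg, nil)
	}
	elapsed := time.Since(start)
	total := float64(len(msg)) * float64(iters)
	mbPerSec = total / elapsed.Seconds() / 1e6
	perMsg = elapsed / time.Duration(iters)
	return mbPerSec, perMsg, nil
}

func main() {
	msg := ConstructedMessage()
	ok, err := SealOpenRoundTrip(msg)
	fmt.Println("AES-GCM seal/open round trip ok:", ok, "err:", err)
	mb, per, err := MeasureGCM(msg, 2000)
	if err != nil {
		fmt.Println("measurement failed:", err)
		return
	}
	fmt.Printf("AES-128-GCM, %d-byte message: %.0f MB/s, %v per message\n", len(msg), mb, per)
}
```

The per-message figure is the number that matters for the mail use case: at the throughputs quoted in the post, a 10 KB body costs on the order of a tenth of a millisecond either way, which is why the difference is unlikely to be noticed by a user.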

