<div dir="auto"><div data-smartmail="gmail_signature" dir="auto"><br></div><div class="gmail_extra" dir="auto"><br><div class="gmail_quote">Den 18 okt. 2017 21:09 skrev "Peter Gutmann" <<a href="mailto:pgut001@cs.auckland.ac.nz">pgut001@cs.auckland.ac.nz</a>>:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="quoted-text">Salz, Rich <<a href="mailto:rsalz@akamai.com">rsalz@akamai.com</a>> writes:<br>
<br>
>> yet another reason why RC4-equivalent<br>
>> ciphers like GCM should be banned (we finally got rid of RC4, and now we're<br>
>> busy reintroducing it under another name)<br>
><br>
>For the benefit of similar non-experts on this list, I just want to point out<br>
>that Peter’s assertion that GCM is just like RC4 is one that is not widely<br>
>shared.<br>
<br>
</div> RC4 is a stream cipher for which key/nonce reuse results in a catastrophic<br>
failure of the cryptosystem.<br>
<br>
GCM is a stream cipher for which key/nonce reuse results in a catastrophic<br>
failure of the cryptosystem.<br>
<br>
For the benefit of similar non-experts on this list, could you please point<br>
out which cryptographers disagree with that? Since the view that they fail<br>
the same way is one that is not widely shared, there must be lots of names you<br>
can cite to support this.<br>
<br>
(The reason for asking for names is so I can avoid any cryptosystem they've<br>
designed)</blockquote></div></div><div dir="auto"><br></div><div dir="auto">While I do agree that stream ciphers should be avoided whenever you can not guarantee perfect key management and nonce generation, that's clearly not what his comment was about.</div><div dir="auto"><br></div><div dir="auto">The main difference between the two is that RC4 can be cracked even without nonce repetition occurring, as in the now infamous WEP standard.</div><div dir="auto"><br></div><div dir="auto">You can not do that with AES-GCM, and even less so with GCM-SIV mode which also adds some limited misuse resistance (tolerates some number of nonce repetitions). </div></div>