AES Modes

Ian Grigg iang at
Mon Oct 11 08:08:13 EDT 2004

Zooko provided a bunch of useful comments in private mail,
which I've edited and forward for list consumption.

Zooko Wilcox-O'Hearn wrote:

> EAX is in the same class as CCM.  I think it's slightly better.  Also
> there is GCM mode, which is perhaps a tiny bit faster, although maybe 
> not if you have to re-key every datagram.  Not sure about the 
> key-agility of these.
> ... I guess the IPv6 sec project has already specified such a thing in 
> detail.  I'm not familiar with their solution.
> If you really want interop and wide adoption, then the obvious thing to 
> do is backport IPsec to IPv4.  Nobody can resist the authority of IETF!
> Alternately, if you don't use a "combined mode" like EAX, then you 
> should follow the "generic composition" cookbook from Bellare and 
> Rogaway [1, 2].
> Next time I do something like this for fun, I'll abandon AES entirely 
> (whee!  how exciting) and try Helix [3].  Also, I printed out this 
> intriguing document yesterday [4].  Haven't read it yet.  It focusses on 
> higher-layer stuff -- freshness and sequencing.

> Feel free to post to metzcrypt and give me credit for bringing the 
> following four URLs to your attention.
> [1]
> [2]
> [3]
> [4]

