AES Modes
Ian Grigg
iang at systemics.com
Mon Oct 11 08:08:13 EDT 2004
Zooko provided a bunch of useful comments in private mail,
which I've edited and forward for list consumption.
Zooko Wilcox-O'Hearn wrote:
> EAX is in the same class as CCM. I think it's slightly better. Also
> there is GCM mode, which is perhaps a tiny bit faster, although maybe
> not if you have to re-key every datagram. Not sure about the
> key-agility of these.
>
> ... I guess the IPv6 sec project has already specified such a thing in
> detail. I'm not familiar with their solution.
>
> If you really want interop and wide adoption, then the obvious thing to
> do is backport IPsec to IPv4. Nobody can resist the authority of IETF!
>
> Alternately, if you don't use a "combined mode" like EAX, then you
> should follow the "generic composition" cookbook from Bellare and
> Rogaway [1, 2].
>
> Next time I do something like this for fun, I'll abandon AES entirely
> (whee! how exciting) and try Helix [3]. Also, I printed out this
> intriguing document yesterday [4]. Haven't read it yet. It focusses on
> higher-layer stuff -- freshness and sequencing.
> Feel free to post to metzcrypt and give me credit for bringing the
> following four URLs to your attention.
>
> [1] http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-back.htm#alternatives
> [2] http://www.cs.ucsd.edu/users/mihir/papers/oem.html
> [3] http://citeseer.ist.psu.edu/561058.html
> [4] http://citeseer.ist.psu.edu/661955.html
>
>
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com