[Cryptography] Suite B after today's news

Jon Callas jon at callas.org
Fri Sep 6 20:11:02 EDT 2013



On Sep 6, 2013, at 11:41 AM, "Jack Lloyd" <lloyd at randombit.net> wrote:

> 
>> I think that any of OCB, CCM, or EAX are preferable from a security
>> standpoint, but none of them parallelize as well. If you want to do
>> a lot of encrypted and authenticated high-speed link encryption,
>> well, there is likely no other answer. It's GCM or nothing.
> 
> OCB parallelizes very well in software and I see no reason it would
> not also do so in hardware; each block of both the plaintext and
> associated data can be processed independently of the others, and all
> of OCB's operations (xor, GF(2^128) doubling, Grey codes) seem like
> they would be well suited to a fast hardware implementation. And
> actually McGrew and Viega's original 2003 paper on GCM specifically
> mentions that OCB "scales to high speeds in hardware", though they do
> not provide references to specific results.


I confess that I might not explain very well a controversy that I lie on a different side of -- I'm using CCM, myself.

My above explanation is what GCM proponents have told me -- that if you are doing multiple high-speed streams and have hardware you can throw at it, then it's what you want.

There is/was an additional OCB issue specifically that there is/was IP around it. Univ. of California has recently relaxed them, but it's still needlessly complex. I confess I tend to think of OCB as a footnote -- the cool thing we can't use -- only.

My decision tree is that I think in a perfect world, one would use OCB, but the IP nixes it. CCM was created specifically because it's not OCB, and EAX as an alternative to the alternative CCM. GCM is too easy to screw up and is slow in software (yes, there's galois multiply on Intel processors, but most of what I do is ARM). There's nothing wrong with EAX, but CCM is there and standardized in a number of places. Other people might end up with a different place for their own reasons. I don't think that any of them are bad, including the decision of using GCM and just making sure you do it right.

	Jon



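As an added illustration of the OCB point raised in the quoted exchange (this is not code from either poster), here is the GF(2^128) doubling and the OCB3-style offset schedule in pure Python, showing that each block's offset can be derived directly from the Gray code of its index rather than from the previous offset, which is what makes the mode parallelizable. L_STAR and OFFSET0 are constructed constants standing in for the AES-derived E_K(0^128) and the nonce-derived initial offset; no cipher call is involved.

```python
# Added example: OCB offset arithmetic without the block cipher.
# L_STAR / OFFSET0 are constructed stand-ins, not values from any real key or nonce.

BLOCK_BITS = 128
MASK = (1 << BLOCK_BITS) - 1


def gf128_double(x: int) -> int:
    """Multiply x by 2 in GF(2^128), reduction polynomial x^128 + x^7 + x^2 + x + 1."""
    carry = (x >> (BLOCK_BITS - 1)) & 1
    x = (x << 1) & MASK
    return x ^ 0x87 if carry else x


def ntz(i: int) -> int:
    """Number of trailing zero bits of i (i >= 1)."""
    return (i & -i).bit_length() - 1


def l_table(l_star: int, count: int) -> list:
    """L_0 .. L_{count-1} as in RFC 7253: L_$ = 2*L_*, L_0 = 2*L_$, L_i = 2*L_{i-1}."""
    table = [gf128_double(gf128_double(l_star))]
    for _ in range(1, count):
        table.append(gf128_double(table[-1]))
    return table


def offsets_sequential(offset0: int, table: list, n: int) -> list:
    """Serial schedule: Offset_i = Offset_{i-1} xor L_{ntz(i)}, for i = 1..n."""
    offs, cur = [], offset0
    for i in range(1, n + 1):
        cur ^= table[ntz(i)]
        offs.append(cur)
    return offs


def offset_direct(offset0: int, table: list, i: int) -> int:
    """Offset_i from the Gray code of i alone: xor of L_j for each set bit j of i ^ (i >> 1).
    No dependency on Offset_{i-1}, so block i can be processed independently."""
    g, cur, j = i ^ (i >> 1), offset0, 0
    while g:
        if g & 1:
            cur ^= table[j]
        g, j = g >> 1, j + 1
    return cur


L_STAR = 0x0123456789ABCDEF0123456789ABCDEF    # constructed stand-in for E_K(0^128)
OFFSET0 = 0xFEDCBA9876543210FEDCBA9876543210   # constructed stand-in for Offset_0


def schedules_agree(n: int = 64) -> bool:
    """True if the parallel (direct) and serial schedules give identical offsets for blocks 1..n."""
    table = l_table(L_STAR, n.bit_length())
    seq = offsets_sequential(OFFSET0, table, n)
    return all(offset_direct(OFFSET0, table, i) == seq[i - 1] for i in range(1, n + 1))
```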

