[Cryptography] AES GCM insecure vs OCB1/OCB3 ??

Jon Callas jon at callas.org
Sat Feb 13 17:39:36 EST 2021

> On Feb 11, 2021, at 9:16 AM, Phillip Hallam-Baker <phill at hallambaker.com> wrote:


> Well no, not when GCM turns AES into a stream cipher. If I can get 2^48 packets, I can start decrypting some. This seems like playing a shell game in which a really strong cipher got bartered down to a weak one. 2^48 packets is a lot of data but it is well below the 2^128 work factor I am designing to. 

My apologies for being pedantic, but it's Counter Mode that makes GCM a stream cipher. GCM is a CTR stream cipher combined with GHash to get you the integrity bits to make it an AEAD.

Other AEAD stream ciphers are around, including CCM, EAX, and even good-old HMAC on the end.

> So I see two possible options here:
> 1) Cheap means of rotating the key on every use.
> 2) Use KDF
> 3) Move to OCB3 which is not a stream cipher.

Use OCB. It's faster and more secure than GCM. It's also now free of all patent issues. I talked to Phil Rogaway about it earlier in the year, when I used it for a project. Email me off-list if you want more details.
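
An added example, not part of the original message: the reply's point that GCM is CTR-mode encryption plus a GHASH tag, rebuilt by hand and compared with a library AES-GCM. It assumes the Python `cryptography` package and a 96-bit nonce; the function names and the key, nonce and message values are constructed for illustration.

```python
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

def aes_block(key, block):
    """Encrypt exactly one 16-byte block with raw AES (ECB on a single block)."""
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(block) + enc.finalize()

def gf_mul(x, y):
    """Multiply in GF(2^128) using GCM's bit order and reduction polynomial."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ (0xE1 << 120) if v & 1 else v >> 1
    return z

def ghash(h, aad, ct):
    """GHASH over zero-padded AAD, zero-padded ciphertext, then both bit lengths."""
    pad = lambda b: b + bytes(-len(b) % 16)
    data = (pad(aad) + pad(ct)
            + (len(aad) * 8).to_bytes(8, "big") + (len(ct) * 8).to_bytes(8, "big"))
    y = 0
    for i in range(0, len(data), 16):
        y = gf_mul(y ^ int.from_bytes(data[i:i + 16], "big"), h)
    return y

def gcm_by_hand(key, nonce, pt, aad=b""):
    """AES-GCM rebuilt from its parts; returns ciphertext || 16-byte tag."""
    if len(nonce) != 12:
        raise ValueError("this sketch handles 96-bit nonces only")
    # Stream-cipher half: plain CTR keystream, first counter block = nonce || 2.
    # (Library CTR carries into the nonce only after 2^32 blocks, far beyond this.)
    ctr = Cipher(algorithms.AES(key), modes.CTR(nonce + (2).to_bytes(4, "big"))).encryptor()
    ct = ctr.update(pt) + ctr.finalize()
    # Integrity half: GHASH keyed with H = AES_K(0^128), masked with AES_K(nonce || 1).
    h = int.from_bytes(aes_block(key, bytes(16)), "big")
    mask = int.from_bytes(aes_block(key, nonce + (1).to_bytes(4, "big")), "big")
    return ct + (ghash(h, aad, ct) ^ mask).to_bytes(16, "big")

def library_gcm(key, nonce, pt, aad=b""):
    """Reference result from the library's AEAD interface."""
    return AESGCM(key).encrypt(nonce, pt, aad)

if __name__ == "__main__":
    key, nonce = bytes(range(16)), bytes(range(12))   # constructed sample values
    msg, aad = b"constructed sample plaintext, 40 bytes!!", b"hdr"
    print(gcm_by_hand(key, nonce, msg, aad) == library_gcm(key, nonce, msg, aad))
```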

