[Cryptography] AES GCM insecure vs OCB1/OCB3 ??

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Feb 14 20:57:49 EST 2021

Christian Huitema <huitema at huitema.net> writes:

>Please enlighten me, Peter. I see AES-GCM (and ChaCha20-Poly1305) as the two
>options used to secure QUIC packets. The common knowledge is that this is
>fine as long as three conditions hold: a different Nonce is used for each
>packet, which in QUIC is done by XORing a secret-dependent IV with the 64 bit
>packet sequence number; the amount of data encrypted with the same key is
>limited, which in QUIC is done by forcing a key rotation after 2^26 packets
>for AES-GCM; and the number of decryption errors for the same master secret
>does not exceed some limit (2^26, I believe).

I'm going to have to invoke Poe's Law here and ask: Are you making a point via
satire, or are you serious here?  Given that it's taken eight lines of
incomprehensible-to-normal-humans cryptobabble to explain why it's easy to get
right, I assume the former?

(I've never met you in person so I don't know what your sense of humour is
like; if I'd written that it would be meant as satire).
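The three conditions in the quoted paragraph, as an added worked example (not code from either poster, nor from any QUIC implementation): the nonce is the IV XORed with the left-padded packet number, as RFC 9001 section 5.3 specifies, with its 62-bit packet-number bound; a send budget and a failed-decryption budget are enforced per key phase; and a final function shows what a passive observer recovers when a nonce is reused under one key. The 2^26 figures are taken from the quoted message and treated as hard limits purely for illustration (RFC 9001 sets its own per-AEAD limits; the failure counter is kept per key here rather than per master secret as a simplification). Python's standard library has no AES-GCM or ChaCha20-Poly1305, so an HMAC-based keystream stands in for the AEAD; it models only the property that a repeated (key, nonce) pair repeats the keystream, and nothing about authentication. Key and IV values are constructed sample data.

```python
"""QUIC-style AEAD nonce construction and per-key usage budgets (added example)."""
import hashlib
import hmac

IV_LEN = 12                      # nonce length for AES-GCM and ChaCha20-Poly1305 in TLS/QUIC
MAX_PACKET_NUMBER = 2 ** 62      # QUIC packet numbers are at most 62 bits (RFC 9001, section 5.3)
PACKET_LIMIT = 2 ** 26           # ASSUMPTION: per-key send budget, figure taken from the quoted message
DECRYPT_FAILURE_LIMIT = 2 ** 26  # ASSUMPTION: failed-decryption budget, same source


def derive_nonce(iv: bytes, packet_number: int) -> bytes:
    """Left-pad the packet number to the IV length and XOR it with the IV (RFC 9001, 5.3)."""
    if len(iv) != IV_LEN:
        raise ValueError("IV must be %d bytes" % IV_LEN)
    if not 0 <= packet_number < MAX_PACKET_NUMBER:
        raise ValueError("packet number out of range")
    padded = packet_number.to_bytes(IV_LEN, "big")
    return bytes(a ^ b for a, b in zip(iv, padded))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for the AEAD keystream (NOT AES-GCM): HMAC-SHA256(key, nonce || counter) blocks.

    It models only the property that matters here: the keystream is a deterministic
    function of (key, nonce), so reusing a nonce under one key reuses the keystream.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class KeyPhase:
    """One sending key/IV pair with the bookkeeping the quoted conditions call for."""

    def __init__(self, key: bytes, iv: bytes):
        self.key = key
        self.iv = iv
        self.sent = 0
        self.failed_decryptions = 0
        self.last_packet_number = -1   # packet numbers must strictly increase per key

    def seal(self, packet_number: int, plaintext: bytes) -> bytes:
        if self.sent >= PACKET_LIMIT:
            raise RuntimeError("per-key packet budget exhausted: rotate keys first")
        if packet_number <= self.last_packet_number:
            # A repeated or reordered packet number would repeat a nonce under this key.
            raise RuntimeError("packet number not increasing: nonce would repeat")
        nonce = derive_nonce(self.iv, packet_number)
        self.last_packet_number = packet_number
        self.sent += 1
        return xor_bytes(plaintext, toy_keystream(self.key, nonce, len(plaintext)))

    def record_decrypt_failure(self) -> None:
        self.failed_decryptions += 1
        if self.failed_decryptions >= DECRYPT_FAILURE_LIMIT:
            raise RuntimeError("too many failed decryptions: discard this key")


def nonce_reuse_leak(key: bytes, iv: bytes, packet_number: int, p1: bytes, p2: bytes) -> bytes:
    """What a passive observer recovers if two packets share a nonce under one key.

    Deliberately bypasses KeyPhase's checks to show the failure mode: C1 xor C2 == P1 xor P2.
    """
    nonce = derive_nonce(iv, packet_number)
    n = min(len(p1), len(p2))
    ks = toy_keystream(key, nonce, n)
    c1 = xor_bytes(p1[:n], ks)
    c2 = xor_bytes(p2[:n], ks)
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    key = bytes(range(32))                           # constructed sample key, not a real secret
    iv = bytes.fromhex("0102030405060708090a0b0c")   # constructed sample IV
    kp = KeyPhase(key, iv)
    print(kp.seal(0, b"hello").hex())
    print(nonce_reuse_leak(key, iv, 7, b"attack at dawn", b"attack at dusk"))
```

The strictly-increasing packet-number check is what makes condition one cheap in practice: no set of used nonces is needed, because QUIC never reuses a packet number within a key phase, so a monotonic counter is the whole uniqueness argument. The last function is the reason the condition is not optional: with the nonce repeated, the XOR of two ciphertexts is the XOR of the two plaintexts, key never involved.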


