[Cryptography] AES GCM insecure vs OCB1/OCB3 ??

jrzx jrzx at protonmail.ch
Sun Feb 14 23:17:23 EST 2021

On Sunday, February 14, 2021 2:15 PM, Phillip Hallam-Baker <phill at hallambaker.com> wrote:

> I guess at some point I need to do some benchmarking to look at alternative strategies. But the more I look at things, the more I start to think that maybe we should consider 1GB about the limit of what we should ever want to encrypt as a single chunk. Sure, I have 56TB of disk just installed this week and some of those files are larger than 1GB. But if there is an error, I probably want a bit more information than 'something is wrong in this 1TB of data'. And yes, I am saying that after designing the packaging format so that it supports data blobs of 2^64 bytes in length.

ChaCha20 is good for 2^64 512 bit packets till you have to change the nonce, and XChaCha20 is good for 2^96 512 bit packets before you have to change the nonce. (because it increments the low order sixty four bits of the 96 bit nonce every 2^32 packets)

In XChaCha20, your nonce and your packet position are just the overlapping higher order and low order parts of the same 128 bit position value. The nonce is your packet position, and the packet position is your nonce.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20210215/c19981d0/attachment.htm>

More information about the cryptography mailing list