[Cryptography] AES GCM insecure vs OCB1/OCB3 ??

jrzx jrzx at protonmail.ch
Sun Feb 14 22:58:08 EST 2021

On Sunday, February 14, 2021 7:51 PM, Christian Huitema <huitema at huitema.net> wrote:

> I wrote "forcing a key rotation after 2^26 packets for AES-GCM". Did not mention ChaCha20-Poly1035. Per https://datatracker.ietf.org/doc/draft-ietf-quic-tls/, this is only a requirement for AES-GCM, not ChaCha20-Poly1035

The stream cipher AES-GCM is impossible for mortals to get right, and I would not attempt to do so.

But the stream ciphers ChaCha20 and XChaCha20 seem to me to be as easy as falling off a log.

Not all stream ciphers should be tarred with the same brush.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20210215/fd672201/attachment.htm>

More information about the cryptography mailing list