[Cryptography] AES GCM insecure vs OCB1/OCB3 ??
paul at cypherpunks.ca
Tue Feb 16 14:37:42 EST 2021
On Sat, 13 Feb 2021, Jon Callas wrote:
> Use OCB. It's faster and more secure than GCM. It's also now free of all patent issues. I talked to Phil Rogaway about it earlier in the year
It would be useful if Rogaway could make a public statement somewhere on
this, because as far as I can see, it is still not allowed for IKE/IPsec
based on the latest public information I have.
side note: with ghash in hardware, is OCB still faster than GCM?
More information about the cryptography