[Cryptography] AES GCM insecure vs OCB1/OCB3 ??

Paul Wouters paul at cypherpunks.ca
Tue Feb 16 14:37:42 EST 2021

On Sat, 13 Feb 2021, Jon Callas wrote:

> Use OCB. It's faster and more secure than GCM. It's also now free of all patent issues. I talked to Phil Rogaway about it earlier in the year

It would be useful if Rogaway could make a public statement somewhere on
this, because as far as I can see, it is still not allowed for IKE/IPsec
based on the latest public information I have.

side note: with ghash in hardware, is OCB still faster than GCM?


More information about the cryptography mailing list