[Cryptography] AES GCM insecure vs OCB1/OCB3 ??

John-Mark Gurney jmg at funkthat.com
Tue Feb 16 18:58:31 EST 2021

Paul Wouters wrote this message on Tue, Feb 16, 2021 at 14:37 -0500:
> On Sat, 13 Feb 2021, Jon Callas wrote:
> > Use OCB. It's faster and more secure than GCM. It's also now free of all patent issues. I talked to Phil Rogaway about it earlier in the year
> It would be useful if Rogaway could make a public statement somewhere on
> this, because as far as I can see, it is still not allowed for IKE/IPsec
> based on the latest public information I have.

Looks like it's free for any open source and non-military use:

Or you use OpenSSL for millitary use to get around License 2's

> side note: with ghash in hardware, is OCB still faster than GCM?

  John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."

More information about the cryptography mailing list