[Cryptography] AES GCM insecure vs OCB1/OCB3 ??

Jon Callas jon at callas.org
Tue Feb 16 21:17:39 EST 2021

> On Feb 16, 2021, at 11:37 AM, Paul Wouters <paul at cypherpunks.ca> wrote:
> On Sat, 13 Feb 2021, Jon Callas wrote:
>> Use OCB. It's faster and more secure than GCM. It's also now free of all patent issues. I talked to Phil Rogaway about it earlier in the year
> It would be useful if Rogaway could make a public statement somewhere on
> this, because as far as I can see, it is still not allowed for IKE/IPsec
> based on the latest public information I have.

Yeah, it would.

The deal, which is publicly verifiable from the PTO, is that he stopped paying the PTO upkeep fee, and so the patents are all now abandoned. I wrote him because I went to the PTO to check on expiry dates and saw that and thought "huh?" about it. He verified that it was intentional as a way to put the matter to bed without license games.

> side note: with ghash in hardware, is OCB still faster than GCM?

I think so, because OCB is using AES in hardware.


More information about the cryptography mailing list