[Cryptography] AES GCM insecure vs OCB1/OCB3 ??
jon at callas.org
Tue Feb 16 21:17:39 EST 2021
> On Feb 16, 2021, at 11:37 AM, Paul Wouters <paul at cypherpunks.ca> wrote:
> On Sat, 13 Feb 2021, Jon Callas wrote:
>> Use OCB. It's faster and more secure than GCM. It's also now free of all patent issues. I talked to Phil Rogaway about it earlier in the year
> It would be useful if Rogaway could make a public statement somewhere on
> this, because as far as I can see, it is still not allowed for IKE/IPsec
> based on the latest public information I have.
Yeah, it would.
The deal, which is publicly verifiable from the PTO, is that he stopped paying the PTO upkeep fee, and so the patents are all now abandoned. I wrote him because I went to the PTO to check on expiry dates and saw that and thought "huh?" about it. He verified that it was intentional as a way to put the matter to bed without license games.
> side note: with ghash in hardware, is OCB still faster than GCM?
I think so, because OCB is using AES in hardware.
More information about the cryptography