[16298] in cryptography@c2.net mail archive
Re: AES Modes
daemon@ATHENA.MIT.EDU (Ian Grigg)
Mon Oct 11 11:58:42 2004
X-Original-To: cryptography@metzdowd.com
Date: Mon, 11 Oct 2004 13:08:13 +0100
From: Ian Grigg <iang@systemics.com>
To: Metzdowd Crypto <cryptography@metzdowd.com>
Cc: "Zooko Wilcox-O'Hearn" <zooko@zooko.com>
In-Reply-To: <FFB7C71E-1B6C-11D9-A873-000A95E2A184@zooko.com>
Zooko provided a bunch of useful comments in private mail,
which I've edited and am forwarding for list consumption.
Zooko Wilcox-O'Hearn wrote:
> EAX is in the same class as CCM. I think it's slightly better. Also
> there is GCM mode, which is perhaps a tiny bit faster, although maybe
> not if you have to re-key every datagram. Not sure about the
> key-agility of these.
>
> ... I guess the IPv6 sec project has already specified such a thing in
> detail. I'm not familiar with their solution.
>
> If you really want interop and wide adoption, then the obvious thing to
> do is backport IPsec to IPv4. Nobody can resist the authority of IETF!
>
> Alternately, if you don't use a "combined mode" like EAX, then you
> should follow the "generic composition" cookbook from Bellare and
> Rogaway [1, 2].
>
> Next time I do something like this for fun, I'll abandon AES entirely
> (whee! how exciting) and try Helix [3]. Also, I printed out this
> intriguing document yesterday [4]. Haven't read it yet. It focusses on
> higher-layer stuff -- freshness and sequencing.
> Feel free to post to metzcrypt and give me credit for bringing the
> following four URLs to your attention.
>
> [1] http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-back.htm#alternatives
> [2] http://www.cs.ucsd.edu/users/mihir/papers/oem.html
> [3] http://citeseer.ist.psu.edu/561058.html
> [4] http://citeseer.ist.psu.edu/661955.html
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
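The "generic composition" Zooko refers to, in its Encrypt-then-MAC form, as an added Go example (not code from either correspondent): AES-CTR under one key, HMAC-SHA256 under a separate key, a fresh random nonce per datagram (so a single long-lived key pair is used and no per-datagram re-keying is needed), the tag covering nonce and ciphertext, and the tag checked before anything is decrypted. The `Keys` type, field names and the `nonce || ciphertext || tag` layout are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const nonceLen, tagLen = aes.BlockSize, sha256.Size

// Keys holds two independent keys, as the Bellare-Rogaway analysis assumes:
// an AES block (from aes.NewCipher) for encryption and a separate HMAC key.
type Keys struct {
	Block cipher.Block
	Mac   []byte
}

// Seal is Encrypt-then-MAC: nonce || AES-CTR ciphertext || tag, with
// tag = HMAC-SHA256(Mac, nonce || ciphertext); covering the nonce stops an
// attacker from substituting it for another.
func Seal(k Keys, plaintext []byte) ([]byte, error) {
	out := make([]byte, nonceLen+len(plaintext), nonceLen+len(plaintext)+tagLen)
	if _, err := rand.Read(out[:nonceLen]); err != nil {
		return nil, err
	}
	cipher.NewCTR(k.Block, out[:nonceLen]).XORKeyStream(out[nonceLen:], plaintext)
	h := hmac.New(sha256.New, k.Mac)
	h.Write(out)
	return h.Sum(out), nil
}

// Open verifies the tag in constant time before touching the ciphertext, so
// a forged datagram is rejected with no plaintext-dependent behaviour.
func Open(k Keys, msg []byte) ([]byte, error) {
	if len(msg) < nonceLen+tagLen {
		return nil, errors.New("datagram too short")
	}
	body, tag := msg[:len(msg)-tagLen], msg[len(msg)-tagLen:]
	h := hmac.New(sha256.New, k.Mac)
	h.Write(body)
	if !hmac.Equal(h.Sum(nil), tag) {
		return nil, errors.New("authentication failed")
	}
	pt := make([]byte, len(body)-nonceLen)
	cipher.NewCTR(k.Block, body[:nonceLen]).XORKeyStream(pt, body[nonceLen:])
	return pt, nil
}
```

The MAC-then-Encrypt and Encrypt-and-MAC orderings from the same paper are deliberately not shown; this is the one ordering that is secure for any IND-CPA cipher and any unforgeable MAC.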