> To tip my hand here somewhat I'm thinking of GCM.
> (Digression.)  Now, this thread was useful to me because I started reading
> up on new modes and so forth, and combined that with my past experiences.
>  What I wanted was a fast AES mode coupled with a heavyweight keyed CRC for
> opportunistic/DOS protection.
> Hey presto - GCM is that!  (I think, haven't finished reading yet.)  If you
> look at the formula for Galois, it is basically a CRC expanded out to 128
> bits.  Perfect!  Fast!

More reasons to love GCM: easily pipelined and parallelized. Intel has
PCLMULQDQ on die now. Not patent encumbered.

I often wonder why adoption is so slow. (Cryptographers are
conservative, they say.)

> When Zooko and I designed the random||counter||time construct
> it is because we knew that some or many servers could get into a
> pathological mode w.r.t. entropy.  And saying "have good entropy" is like
> telling teenaged girls not to hang around teenaged boys.


Regarding the crypto-cracking rumors around the new NSA datacenter,
this seems a much more likely target. Bad entropy, by mistake or
malfeasance, is a problem everywhere.
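To make the two GCM claims above concrete (that GHASH is "a CRC expanded out to 128 bits", and that it is easily parallelized), here is GHASH written out in pure Python. This is an added example, not code from the thread or from any GCM implementation. It follows Algorithm 1 of NIST SP 800-38D for the GF(2^128) multiply and is checked against the public GCM test case 2 (zero key, zero 96-bit IV, one all-zero plaintext block), where H = AES_K(0) = 66e94bd4ef8a2c3b884cfa59ca342b2e and GHASH(H, A, C) = f38cbb1ad69223dcc3457ae5b6b0f885. The `ghash_parallel` function and its lane layout are my own illustration of why the polynomial form parallelizes; the constructed AAD/ciphertext bytes in the usage section are arbitrary sample data.

```python
"""GHASH from AES-GCM (NIST SP 800-38D), serial and multi-lane.

GHASH is a polynomial hash over GF(2^128): for blocks X_1..X_m,
GHASH = X_1*H^m + X_2*H^(m-1) + ... + X_m*H, i.e. a CRC-style
polynomial evaluation widened to 128 bits and keyed by H = AES_K(0).
"""

# Reduction polynomial x^128 + x^7 + x^2 + x + 1 in GCM's reflected bit
# order: the leftmost bit of a block is the coefficient of x^0.
R = 0xE1 << 120


def gf128_mul(x, y):
    """Multiply two field elements (SP 800-38D Algorithm 1).

    Blocks are handled as big-endian Python ints, so spec bit x_0 (the
    leftmost bit of the block) is the int's most significant bit, and
    "shift right" in the spec is an ordinary integer shift right.
    """
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def _blocks(data):
    """Split bytes into 128-bit big-endian ints, zero-padding the tail."""
    padded = data + b"\x00" * (-len(data) % 16)
    return [int.from_bytes(padded[i:i + 16], "big")
            for i in range(0, len(padded), 16)]


def ghash_inputs(aad, ct):
    """A || pad || C || pad || [len(A)]_64 || [len(C)]_64, as block ints."""
    length_block = ((len(aad) * 8) << 64) | (len(ct) * 8)
    return _blocks(aad) + _blocks(ct) + [length_block]


def ghash(h, aad, ct):
    """Serial Horner evaluation: Y_i = (Y_{i-1} xor X_i) * H."""
    y = 0
    for x in ghash_inputs(aad, ct):
        y = gf128_mul(y ^ x, h)
    return y


def ghash_parallel(h, aad, ct, lanes=4):
    """Same value as ghash(), computed in `lanes` independent streams.

    Block X_i carries exponent e_i = m + 1 - i. Lane r takes the blocks
    whose exponent is r mod `lanes`, runs Horner on them with H^lanes,
    and finally multiplies by H^(smallest exponent in the lane). The
    lanes never touch each other, which is what lets a PCLMULQDQ
    implementation keep several multiplies in flight at once.
    """
    xs = ghash_inputs(aad, ct)
    m = len(xs)
    h_pows = [None, h]                      # h_pows[k] = H^k for k = 1..lanes
    for _ in range(lanes - 1):
        h_pows.append(gf128_mul(h_pows[-1], h))
    h_step = h_pows[lanes]
    acc = [0] * lanes
    low_exp = [None] * lanes                # smallest exponent seen per lane
    for i, x in enumerate(xs, start=1):
        e = m + 1 - i
        r = e % lanes
        acc[r] = gf128_mul(acc[r], h_step) ^ x
        low_exp[r] = e                      # exponents only decrease
    y = 0
    for r in range(lanes):
        if low_exp[r] is not None:          # low_exp is always in 1..lanes
            y ^= gf128_mul(acc[r], h_pows[low_exp[r]])
    return y


# Public GCM test case 2: zero key, zero IV, one zero plaintext block.
TC2_H = 0x66E94BD4EF8A2C3B884CFA59CA342B2E
TC2_CT = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
TC2_GHASH = 0xF38CBB1AD69223DCC3457AE5B6B0F885

# Constructed sample data (not from any spec) for the multi-lane check.
SAMPLE_AAD = b"constructed header"
SAMPLE_CT = bytes(range(50))


def check_test_vector():
    """True if the serial GHASH reproduces the spec value."""
    return ghash(TC2_H, b"", TC2_CT) == TC2_GHASH


def check_lanes_agree(lanes):
    """True if the multi-lane evaluation matches serial on sample data."""
    return ghash_parallel(TC2_H, SAMPLE_AAD, SAMPLE_CT, lanes) == \
        ghash(TC2_H, SAMPLE_AAD, SAMPLE_CT)


if __name__ == "__main__":
    print("test vector ok:", check_test_vector())
    for n in (1, 2, 3, 4):
        print(f"{n} lane(s) agree:", check_lanes_agree(n))
```

The bit-reflected representation (x^0 in the leftmost bit, reduction constant 0xE1 in the first byte) is the part that trips up most hand-written GHASH code, which is why the spec vector is asserted rather than just a round-trip. Note also that GHASH is not a MAC on its own: the final tag is GHASH XORed with AES_K(J0), so any implementation that exposes H or reuses a nonce turns the "keyed CRC" into a plain CRC.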

