[cryptography] "Combined" cipher modes

coderman coderman at gmail.com
Tue Apr 3 14:37:48 EDT 2012

On Tue, Apr 3, 2012 at 6:35 AM, ianG <iang at iang.org> wrote:
> ...
> To tip my hand here somewhat I'm thinking of GCM.
> (Digression.)  Now, this thread was useful to me because I started reading
> up on new modes and so forth, and combined that with my past experiences.
>  What I wanted was a fast AES mode coupled with a heavyweight keyed CRC for
> opportunistic/DOS protection.
> Hey presto - GCM is that!  (I think, haven't finished reading yet.)  If you
> look at the formula for Galois, it is basically a CRC expanded out to 128
> bits.  Perfect!  Fast!

more reasons to love GCM: easily pipelined and parallelized. Intel has
PCLMULQDQ on die now. not patent encumbered.

i often wonder why adoption is so slow. (cryptographers are
conservative, they say)

> When Zooko and I designed the random||counter||time construct
> it is because we knew that some or many servers could get into a
> pathological mode w.r.t. entropy.  And saying "have good entropy" is like
> telling teenaged girls not to hang around teenaged boys.


regarding the crypto cracking rumors around the new NSA datacenter
this seems a much more likely target. bad entropy by mistake or
malfeasance, it is a problem everywhere.

More information about the cryptography mailing list