Support for GCM and CTR planned any time soon?


Hans B

Oct 18, 2015, 5:48:35 PM
to Keyczar Discuss
Hi,
are there any plans to support CTR and GCM modes? CTR can be soo much faster than CBC. And GCM can be soo much safer than CBC. (not saying that your implementation is not safe)

I have seen questions relating to this in the past, with reply type "should be easy to add", but as far as I can tell, there is still no support for that.
The reply is still the same? Am I safe to assume in that case that the reply in reality means: "no, never"?

Come on guys, GCM has a good reputation.

Shawn Willden

Oct 20, 2015, 10:42:22 AM
to Keyczar Discuss
GCM is okay, but I don't like how badly it breaks when tags are too short.

If we were to add a dedicated AEAD mode (which would be good), I'd rather use OCB.

--
Shawn Willden | Software Engineer | swil...@google.com | 303-709-2258

devin lundberg

Oct 20, 2015, 11:59:11 AM
to keyczar...@googlegroups.com
Another problem I encountered with implementing GCM is Python support. pycrypto only supports AES-GCM in an alpha release, and I don't think m2crypto exposes the relevant OpenSSL GCM calls in any release (it would also depend on the underlying version of OpenSSL).

If we were to use GCM, we would definitely need 128 bit tags. At this point you would only get into the upper bound of a practical authentication attack (~78 bits security) with petabytes of data under the same authentication key [http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf]. This attack does leak authentication key information which makes it even worse.

OCB is not widely supported at all and would be tough to implement (also not sure about the weird patent around it).
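The tag-length policy discussed above, as an added example in Go's standard library (this is not Keyczar code and not from anyone in the thread): the wrapper refuses to build a GCM instance with a tag shorter than 128 bits, uses a fresh random 96-bit nonce per message, and rejects any message whose tag does not verify. The key, AAD and message values are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Policy from the thread: GCM tags must be the full 128 bits (16 bytes).
const minTagBytes = 16

// newGCM builds an AES-GCM AEAD but refuses tag sizes below the policy minimum,
// even though Go's cipher.NewGCMWithTagSize would accept anything from 12 bytes up.
func newGCM(key []byte, tagBytes int) (cipher.AEAD, error) {
	if tagBytes < minTagBytes {
		return nil, errors.New("gcm: tag shorter than 128 bits rejected by policy")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithTagSize(block, tagBytes)
}

// seal encrypts plaintext (plus optional AAD) under a fresh random 96-bit nonce
// and returns nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key, minTagBytes)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open splits off the nonce and verifies the tag before releasing any plaintext;
// a single flipped bit anywhere in the message or AAD yields an error instead.
func open(key, msg, aad []byte) ([]byte, error) {
	aead, err := newGCM(key, minTagBytes)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(msg) < ns+aead.Overhead() {
		return nil, errors.New("gcm: message too short")
	}
	return aead.Open(nil, msg[:ns], msg[ns:], aad)
}
```

Because the nonce is random, the same plaintext seals to a different message each call; the 96-bit random nonce is only safe while the number of messages under one key stays far below 2^32.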


Shawn Willden

Oct 20, 2015, 12:06:13 PM
to keyczar...@googlegroups.com
There's a blanket license for OCB for open source implementations, so that's not an issue. I haven't looked at how to implement it for Python or Java. That might be a fun weekend project, once winter sets in and my other ongoing weekend projects are no longer possible.