@bascule @whitequark Is HMAC on each packet + counter the way to go?
@Myriachan @whitequark GCM is already authenticated, so no need to HMAC. But yeah you can break up ciphertexts into chunks...
@bascule @whitequark How expensive is F(2^n) multiplication without the very recent x86 instruction to do it? Wondering how expensive GCM is
@Myriachan @whitequark GCM is both slow and difficult to implement in constant time without CLMUL
@bascule @whitequark Eww, yes, that'd get nasty if your situation cares about avoiding timing or caching subchannel attacks >.<