"When using GCM [...], you have access to the decrypted data immediately, but don’t know if it’s valid until you get all of the ciphertext."
@Myriachan @whitequark GCM is already authenticated, so no need to HMAC. But yeah you can break up ciphertexts into chunks...
-
-
@bascule@whitequark How expensive is F(2^n) multiplication without the very recent x86 instruction to do it? Wondering how expensive GCM is -
@Myriachan@whitequark GCM is both slow and difficult to implement in constant time without CLMUL -
@bascule@whitequark Eww, yes, that'd get nasty if your situation cares about avoiding timing or caching subchannel attacks >.<
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.