@jedisct1 plain AES-GCM is already limited to 2³⁶-32 bytes under the same key/IV, so this restriction doesn’t change much.
@jedisct1 I mean, people already should re-key their AEADs, so they’ll continue doing so.
@CiPHPerCoder @jedisct1 Also: I object to the idea that we should wait to improve things until 2018 because of a contest.
@CiPHPerCoder @jedisct1 No, it’s not. SIV is well understood, GCM is well understood, and GCM-SIV does something very few other AEADs do.
@FunnyWalkingMan
@CiPHPerCoder @jedisct1 If you don’t have hardware support (like CLMUL) for carryless mult, fast GCM needs lookup tables.
@FunnyWalkingMan
@CiPHPerCoder @jedisct1 In 2016 we assume (correctly) any lookup table with secret lookup keys is a side channel.
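The last two tweets describe the trade-off inside GHASH: the GF(2^128) multiply is either done with a carryless-multiply instruction, with a table indexed by secret-dependent nibbles of the running hash (the classic fast software path, and the side channel being objected to), or with a slow bit-serial loop that touches no table at all. The C below is an added example, not code from this thread or from any of its participants: it implements the table-free, branch-free multiply from NIST SP 800-38D Algorithm 1 and a GHASH over whole ciphertext blocks with no AAD, and checks itself against the published intermediate values of GCM test case 2 (the AES-128 zero-key, zero-IV, single zero-block vector). The function names `gf128_mul_ct`, `ghash_no_aad` and `gf128_selftest` are my own, not from any library.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 128-bit GCM field element: hi holds bytes 0..7, lo holds bytes 8..15 (big-endian).
 * GCM numbers bits from the left, so the spec's "bit 0" is the top bit of hi. */
typedef struct { uint64_t hi, lo; } gf128;

static gf128 gf128_load(const uint8_t b[16]) {
    gf128 v = {0, 0};
    for (int i = 0; i < 8; i++) {
        v.hi = (v.hi << 8) | b[i];
        v.lo = (v.lo << 8) | b[8 + i];
    }
    return v;
}

static void gf128_store(gf128 v, uint8_t b[16]) {
    for (int i = 0; i < 8; i++) {
        b[i]     = (uint8_t)(v.hi >> (56 - 8 * i));
        b[8 + i] = (uint8_t)(v.lo >> (56 - 8 * i));
    }
}

/* x * y in GF(2^128) with GCM's bit ordering, computed bit-serially.
 * No lookup table is indexed and no branch depends on x or y: the only
 * data-dependent operations are masks derived from single bits. This is
 * the slow-but-safe path when CLMUL is not available. */
gf128 gf128_mul_ct(gf128 x, gf128 y) {
    gf128 z = {0, 0}, v = y;
    for (int i = 0; i < 128; i++) {
        /* bit i of x (loop index is public, the bit value is secret) -> 0 or all-ones */
        uint64_t bit = (i < 64) ? (x.hi >> (63 - i)) & 1 : (x.lo >> (127 - i)) & 1;
        uint64_t m = 0 - bit;
        z.hi ^= v.hi & m;
        z.lo ^= v.lo & m;
        /* v = v * alpha: shift right; if a bit fell off, reduce by R = 0xE1 || 0^120 */
        uint64_t lsb = v.lo & 1;
        v.lo = (v.lo >> 1) | (v.hi << 63);
        v.hi >>= 1;
        v.hi ^= (0 - lsb) & 0xE100000000000000ULL;
    }
    return z;
}

/* GHASH_H(A = empty, C) for a ciphertext that is a whole number of 16-byte blocks:
 * Y_i = (Y_{i-1} xor C_i) * H, then one more multiply after xoring the length block.
 * Returns 0 on success, -1 if clen is not a multiple of 16 (padding of a partial
 * final block is deliberately left out of this example). */
int ghash_no_aad(const uint8_t h[16], const uint8_t *c, size_t clen, uint8_t out[16]) {
    if (clen % 16 != 0) return -1;
    gf128 hh = gf128_load(h), y = {0, 0};
    for (size_t off = 0; off < clen; off += 16) {
        gf128 blk = gf128_load(c + off);
        y.hi ^= blk.hi;
        y.lo ^= blk.lo;
        y = gf128_mul_ct(y, hh);
    }
    y.lo ^= (uint64_t)clen * 8;   /* length block: len(A) = 0 || len(C) in bits */
    y = gf128_mul_ct(y, hh);
    gf128_store(y, out);
    return 0;
}

static void unhex(const char *s, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) {
        unsigned v;
        sscanf(s + 2 * i, "%2x", &v);
        out[i] = (uint8_t)v;
    }
}

/* Known-answer check against GCM test case 2 (McGrew-Viega / NIST SP 800-38D):
 * H, the single ciphertext block C, the intermediate X1 = C * H and the final
 * GHASH value are the published ones. Returns 1 when both match. */
int gf128_selftest(void) {
    uint8_t h[16], c[16], x1[16], ghash[16], got[16];
    unhex("66e94bd4ef8a2c3b884cfa59ca342b2e", h, 16);
    unhex("0388dace60b6a392f328c2b971b2fe78", c, 16);
    unhex("5e2ec746917062882c85b0685353deb7", x1, 16);
    unhex("f38cbb1ad69223dcc3457ae5b6b0f885", ghash, 16);

    gf128_store(gf128_mul_ct(gf128_load(c), gf128_load(h)), got);
    if (memcmp(got, x1, 16) != 0) return 0;
    if (ghash_no_aad(h, c, 16, got) != 0) return 0;
    if (memcmp(got, ghash, 16) != 0) return 0;
    return 1;
}

int main(void) {
    printf("GHASH known-answer test: %s\n", gf128_selftest() ? "ok" : "FAILED");
    return gf128_selftest() ? 0 : 1;
}
```

The loop runs 128 iterations of a handful of 64-bit operations per block, which is exactly the performance cost the tweet alludes to; the 4-bit and 8-bit table methods cut that by a factor of 32 or 16 at the price of indexing a table with secret-derived values, which is what makes them cache-timing observable.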