Looks like Google ships OCB mode with Android: https://android.googlesource.com/platform/system/keymaster/+/master/ocb.c
Is OCB supported by BoringSSL now, @agl__?
Isn’t OCB still patented?
It's licensed for use in OpenSSL: http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm There is a specific call-out for non-military use...
Alright. The situation is still the same, then :( Not a mode I can use in sodium anytime soon.
Have you asked Phil Rogaway?
I've not asked for a license. I think your OCB vs GCM numbers are dated given AES-NI in recent Intel chips.
Indeed. AES-GCM on AES-NI is ~ 2.4 cpb on an Intel Core i7 3770.
AESNI-GCM should be 1 cycle/byte on Haswell: http://2013.diac.cr.yp.to/slides/gueron.pdf
Unfortunately Shay didn't continue that graph, but I think the GCM vs OCB delta continues to drop in recent cores.
I hear AES-GCM has significant side channel leakage problems. Am I ok to recommend this to developers?
Only on software implementations.
AESNI-GCM is good because Intel has side-channel resistant CLMUL instructions. Otherwise it's impl dependent.
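The side-channel point made in the last two replies, as an added example that is not part of the thread and not anyone's production code: GHASH, the GF(2^128) polynomial hash inside GCM, written two ways. The bit-serial version follows the shift-and-xor algorithm from the GCM specification and touches memory in a pattern independent of the data; the table-driven version is the faster Shoup-style 4-bit-table method that software GCM implementations used before CLMUL, and its table indices are nibbles of the key-dependent state and of the input, which is exactly what a cache-timing observer recovers. The function names are mine; the reference values are the H, ciphertext and GHASH output of test case 2 of the GCM specification (zero key, zero IV, one all-zero plaintext block), hard-coded so the example needs no AES.

```python
import struct

# Added example (not code from the thread): GHASH implemented with a
# data-independent bit-serial multiply and with secret-indexed table lookups.

MASK128 = (1 << 128) - 1
GCM_R = 0xE1 << 120   # x^128 = 1 + x + x^2 + x^7 in GCM's reflected bit order
ONE = 1 << 127        # multiplicative identity: a 1 bit followed by 127 zeros


def gf128_mul_bitwise(x: int, y: int) -> int:
    """x * y in GF(2^128), the GCM spec's shift-and-xor algorithm.

    Fixed 128 iterations; the conditional xors are done with masks, so neither
    control flow nor memory addresses depend on the operands.
    """
    z, v = 0, y
    for i in range(128):
        bit = (x >> (127 - i)) & 1                  # bits of x, leftmost first
        z ^= v & (-bit & MASK128)                   # z ^= v if bit else 0
        lsb = v & 1
        v = (v >> 1) ^ (GCM_R & (-lsb & MASK128))   # v *= x, reduce on overflow
    return z


def make_tables(h: int):
    """Shoup-style 4-bit tables for multiplication by a fixed H (once per key)."""
    # m[j] = (nibble j, occupying x^0..x^3) * H
    m = [gf128_mul_bitwise(j << 124, h) for j in range(16)]
    # r4[t] = t * x^4 reduced, where t holds the four coefficients that a
    # 4-bit right shift pushes out of the field (x^128..x^131).
    r4 = []
    for t in range(16):
        r = 0
        for j in range(4):
            if (t >> j) & 1:                 # bit j was x^(127-j); times x^4 gives x^(128+3-j)
                for e in (0, 1, 2, 7):       # x^(128+k) = x^k * (1 + x + x^2 + x^7)
                    r ^= 1 << (127 - (e + 3 - j))
        r4.append(r)
    return m, r4


def gf128_mul_table(x: int, tables) -> int:
    """x * H via table lookups. Fast in software, but m[...] and r4[...] are
    indexed by nibbles of the input and of the running state, so the cache
    lines touched depend on the secrets."""
    m, r4 = tables
    z = 0
    for s in range(0, 128, 4):               # Horner's rule over x's nibbles, low end first
        z = (z >> 4) ^ r4[z & 0xF]           # z *= x^4 (lookup indexed by state)
        z ^= m[(x >> s) & 0xF]               # lookup indexed by an input nibble
    return z


def ghash(aad: bytes, ct: bytes, mul_by_h) -> bytes:
    """GHASH_H(A, C): polynomial hash over A || C || len(A) || len(C)."""
    def blocks(data: bytes):
        data += b"\x00" * (-len(data) % 16)
        return [int.from_bytes(data[i:i + 16], "big") for i in range(0, len(data), 16)]
    lengths = int.from_bytes(struct.pack(">QQ", 8 * len(aad), 8 * len(ct)), "big")
    y = 0
    for b in blocks(aad) + blocks(ct) + [lengths]:
        y = mul_by_h(y ^ b)
    return y.to_bytes(16, "big")


def ghash_bitwise(h: bytes, aad: bytes, ct: bytes) -> bytes:
    hi = int.from_bytes(h, "big")
    return ghash(aad, ct, lambda v: gf128_mul_bitwise(v, hi))


def ghash_table(h: bytes, aad: bytes, ct: bytes) -> bytes:
    tables = make_tables(int.from_bytes(h, "big"))
    return ghash(aad, ct, lambda v: gf128_mul_table(v, tables))


# Reference values from test case 2 of the GCM specification (zero key, zero IV,
# one all-zero plaintext block), hard-coded so no AES implementation is needed.
H_VEC = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")   # AES-128_K(0) for K = 0
C_VEC = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")   # the ciphertext block
GHASH_VEC = "f38cbb1ad69223dcc3457ae5b6b0f885"


def demo():
    """Both implementations must agree with the spec and with each other."""
    return ghash_bitwise(H_VEC, b"", C_VEC).hex(), ghash_table(H_VEC, b"", C_VEC).hex()


if __name__ == "__main__":
    print(demo())   # → ('f38cbb1ad69223dcc3457ae5b6b0f885', 'f38cbb1ad69223dcc3457ae5b6b0f885')
```

The two multipliers produce identical results; the difference is only in what an observer sharing the cache can learn. CLMUL-based GHASH sidesteps the issue by computing the carry-less product in a fixed number of instructions with no table at all, which is why the hardware path is the one to recommend and the software path needs per-implementation scrutiny.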