[openssl-dev] Circumstances cause CBC often to be preferred over GCM modes

Yoav Nir ynir.ietf at gmail.com
Tue Dec 16 19:48:53 UTC 2014


> On Dec 16, 2014, at 7:28 PM, Hanno Böck <hanno at hboeck.de> wrote:
> 
> On Tue, 16 Dec 2014 17:17:01 +0000
> Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
> 
>> However, where do we fit ChaCha20/Poly-1305?  Again, not
>> hand-placement, but some extensible algorithm.
> 
> How about this simpler criterion:
> AEAD always beats non-AEAD. GCM and poly1305 are both AEAD. Done with
> it.
> 
> (this doesn't answer whether chacha20-poly1305 or aes-gcm should be
> considered "better", but I don't know if there is a clear consensus on
> that)

Agree about AEAD before non-AEAD. As for ChaCha20 vs AES-GCM, as long as we don’t have evidence that one is significantly weaker than the other, I don’t think preferences should depend on security arguments, but on performance. Unfortunately, this is difficult to determine, because AES-GCM is faster on modern Intel processors, but slower on older processors and on ARM. It really depends on the application which is preferable.

If we don’t want preference to be user-determined, I guess AES-GCM is more likely to be the preferred cipher for most servers.

Yoav
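
The ordering rule discussed in this message, as an added example that is not part of the original post or of OpenSSL: a stable sort that puts AEAD suites ahead of non-AEAD ones and breaks the AES-GCM vs ChaCha20-Poly1305 tie on performance. The suite list is constructed, and the name-based AEAD check and the `aes_hw` flag are assumptions made for illustration.

```python
# Constructed sample: a preference list in OpenSSL naming with CBC suites first.
SAMPLE = [
    "ECDHE-RSA-AES256-SHA384",        # CBC + HMAC
    "ECDHE-RSA-AES128-GCM-SHA256",    # AEAD
    "ECDHE-RSA-AES128-SHA",           # CBC + HMAC
    "ECDHE-RSA-CHACHA20-POLY1305",    # AEAD
    "ECDHE-RSA-AES256-GCM-SHA384",    # AEAD
]

# Assumption: AEAD suites are recognised by these substrings of the suite name.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20-POLY1305")


def is_aead(name):
    return any(marker in name for marker in AEAD_MARKERS)


def rank(name, aes_hw):
    """Sort key: AEAD class first, then a performance tie-break among AEAD suites."""
    if not is_aead(name):
        return (1, 0)
    chacha = "CHACHA20" in name
    # With AES hardware support prefer AES-GCM, otherwise prefer ChaCha20-Poly1305.
    return (0, int(chacha) if aes_hw else int(not chacha))


def aead_first(names, aes_hw=True):
    # sorted() is stable: suites with equal rank keep their original relative
    # order, so nothing is hand-placed and unknown suites still sort sensibly.
    return sorted(names, key=lambda n: rank(n, aes_hw))


def cipher_string(names, aes_hw=True):
    """Join the reordered suites into an OpenSSL-style colon-separated list."""
    return ":".join(aead_first(names, aes_hw))


if __name__ == "__main__":
    print("AES hardware:   ", cipher_string(SAMPLE, aes_hw=True))
    print("no AES hardware:", cipher_string(SAMPLE, aes_hw=False))
```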


