Hi. Of course by 'ciphers', I meant 'cipher modes'.
Everybody know CTR is easy to parallelize and easy to understand implement, but these days OCB, (still pattented?) or GCM are probably preffered. CCM is another options - http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/ccm/ccm.pdf The authentication stages need to be serialized in most of these modes, but still most of the work can be parallelized, and if authentication stage is faster than encryption, it should not be a bottlneck for performance. Good to see some people are looking into it. Would be nice to have realistic optimized implementations for different machines / archs / core counts and see how they perform. In the end it is better to implement only one, to make alternative implementations easier to writes and review, and lower the complexity and attack surface. I cannot really discuss much on legal side of different modes, or their security properties. I will leave that to smarter people than me. Thanks. 2016-12-21 16:31 GMT+01:00 Boyan Penkov <boyan.pen...@gmail.com>: > > > On 12/21/2016 10:25 AM, Werner Koch wrote: > > On Wed, 21 Dec 2016 14:33, boyan.pen...@gmail.com said: > > > >> Is this straighforward? What changes should I make to gpg.conf to give > >> this a shot? > > You need to convince the OpenPGP WG that OCB is the way forward. The > > prefer other and slower modes due to patents on PCB. > > Aha, I see... ;) I am indeed rather new to GPG.... > > Regardless, thanks for all your work! > > > However, these > > patents are freely licensed to basically all software. And then we need > > to implement this in GnuPG... > > > > > > Shalom-Salam, > > > > Werner > > > > -- > > Boyan Penkov > www.boyanpenkov.com > > >
