[mosh-devel] Why OCB mode?
Wen Li
wenli380 at gmail.com
Sun Apr 15 02:28:28 EDT 2012

What is your justification for using patented software (OCB mode) when
many patent-free alternatives are available? The de-facto standard now
is Galois/Counter (GCM) mode, which provides numerous advantages.

- GCM is patent-free
- Using OCB forces you to license Mosh under the GNU GPL (due to the
author's license), but using GCM will allow you to use any license you
want.
- GCM requires less binary size, because it only uses AES in encrypt
mode while OCB uses both encrypt and decrypt mode.
- GCM provides similar performance to OCB and is faster in software
for very small packets (which is probably applicable to Mosh)
- Most studies show that GCM would be far faster in hardware for the same cost
- GCM allows you to have additional authenticated data (AAD) that
exceeds the block cipher length, unlike OCB
- GCM can be used as a standalone MAC, unlike OCB
- GCM is certified by the NSA and used in TLS, SSH, future 802.11ac,
etc. OCB does not have widespread use/certification and probably not
the same amount of analysis.

Personally, I would not adopt your software for fear of getting sued
for patent infringement. The author of OCB (Phillip Rogaway) has made
it clear that he intends to make full profit off his patent, which has
blocked OCB from various standards. This is despite the fact that it
provides no real advantages over GCM.