[mosh-devel] Block cipher's mode of operation

Keith Winstein keithw at MIT.EDU
Thu Sep 20 01:07:48 EDT 2012

Hello Nicolas,

The main reason we chose OCB was deployability -- GCM was not
implemented in a released version of OpenSSL until after Mosh 1.0 came
out, and most of our current userbase is not running on a platform
that has a recent enough OpenSSL. So we'd have to ship our own GCM
somehow. OCB implementation is well-contained and easy to use.

Encryption speed obviously isn't of primary concern for Mosh, although
for what it's worth the OCB guys claim they are way faster.
(www.cs.ucdavis.edu/~rogaway/papers/ae.pdf) We have no dog in that
fight though.

Best regards, and thanks for using Mosh,

On Tue, Sep 18, 2012 at 3:03 PM, Nicolas Braud-Santoni
<nicolas at braud-santoni.eu> wrote:
> Hello,
> I noticed that neither the USENIX paper nor the website motivates the
> choice of OCB as an authenticated mode of operation.
> More specifically, why OCB, a patent-encumbered mode (although with an
> exception for GPL code), was chosen over GCM, which is significantly
> faster, non-patented, and has similar security guarantees?
> Regards,