So these days I see everyone using AES-GCM. What are its advantages over simple CTR+HMAC modes? Is it speed? Or ciphertext length? And what are the security tradeoffs, both in terms of practical cryptanalysis and theoretical attack complexity?
1 Answer
AES-GCM uses a single block cipher operation and can be processed in parallel, therefore it should be faster.
CTR+HMAC requires a block cipher and a hash function, which usually can't be processed in parallel. Also, it requires 2 keys. It is often misimplemented (MAC-then-encrypt or MAC-and-encrypt, using a single key).
Ciphertext length is the same for the same security level. However, CTR+HMAC usually has a longer tag, because hash functions have bigger output than block ciphers, but you can truncate tags to the same length.
If implemented correctly and the block cipher / hash function is secure, both are secure. However, because CTR+HMAC has 2 keys, compromising one part won't compromise the other part.
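The CTR+HMAC composition the answer calls correct (two separate keys, encrypt-then-MAC, tag truncated to GCM's length), as an added Go example that is not part of the original answer. The names `Seal`, `Open` and `tag`, the IV || ciphertext || tag layout and the sample plaintext are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const tagLen = 16 // HMAC-SHA256 truncated to 128 bits, the length of a full GCM tag

// tag authenticates IV || ciphertext under the MAC key.
func tag(macKey, body []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(body)
	return m.Sum(nil)[:tagLen]
}

// Seal is encrypt-then-MAC. Output: IV (16) || AES-CTR ciphertext || tag (16).
func Seal(block cipher.Block, macKey, pt []byte) ([]byte, error) {
	out := make([]byte, aes.BlockSize+len(pt))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil { // fresh IV per message
		return nil, err
	}
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], pt)
	return append(out, tag(macKey, out)...), nil
}

// Open verifies the tag in constant time and decrypts only if it matches.
func Open(block cipher.Block, macKey, msg []byte) ([]byte, error) {
	n := len(msg) - tagLen
	if n < aes.BlockSize || !hmac.Equal(tag(macKey, msg[:n]), msg[n:]) {
		return nil, errors.New("authentication failed")
	}
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCTR(block, msg[:aes.BlockSize]).XORKeyStream(pt, msg[aes.BlockSize:n])
	return pt, nil
}

func main() {
	keys := make([]byte, 64) // constructed demo keys: encryption || MAC, independent
	rand.Read(keys)
	block, _ := aes.NewCipher(keys[:32])
	msg, _ := Seal(block, keys[32:], []byte("constructed sample"))
	_, err := Open(block, keys[:32], msg) // wrong key for the MAC: must be rejected
	fmt.Println(len(msg), err)
}
```

The MAC covers the IV as well as the ciphertext, so a modified IV is rejected before any keystream is generated.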