On Mon, 30 Dec 2013, James Cloos wrote: > When testing chacha20-poly1305, I noticed that aes-gcm is significantly > faster than aes-ctr or aes-cbs with umac. Even on systems w/o aes-ni > or other recent instruction set additions. > > And there seems to be consensus in the crypto community that AEAD > ciphers are the way forward. Lots of cryptographers also think that AES-GCM is fiendishly difficult to get right, especially wrt timing leaks. That, and it's relative newness in OpenSSH are the reasons it is not the default. -d
