Why AES-GCM Sucks

If you’re reading this wondering if you should stop using AES-GCM in some standard protocol (TLS 1.3), the short answer is “No, you’re fine”. I specialize in secure implementations of cryptography, and my years of experience in this field have led me to dislike AES-GCM. This post is about why I dislike AES-GCM’s design, not […]