Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv-06
Andy Polyakov <appro@openssl.org> Mon, 18 September 2017 22:33 UTC
Return-Path: <appro@openssl.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A00681342EB for <cfrg@ietfa.amsl.com>; Mon, 18 Sep 2017 15:33:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q4vIh5nX8uI8 for <cfrg@ietfa.amsl.com>; Mon, 18 Sep 2017 15:33:34 -0700 (PDT)
Received: from mta.openssl.org (mta.openssl.org [194.97.150.230]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A34B1342E8 for <cfrg@irtf.org>; Mon, 18 Sep 2017 15:33:33 -0700 (PDT)
Received: from [127.0.0.1] (localhost [IPv6:::1]) by mta.openssl.org (Postfix) with ESMTP id EA165E038F; Mon, 18 Sep 2017 22:33:29 +0000 (UTC)
To: Adam Langley <agl@imperialviolet.org>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
References: <EA4347BF-D26F-4303-9A8D-E7B28986DE56@isode.com> <71d10985-4c46-4a7c-e634-76a822102a61@openssl.org> <CAMfhd9XLGowg+VtKMxt2owQjmXjedY7V0GLh_cKVu+6WfyquVQ@mail.gmail.com>
From: Andy Polyakov <appro@openssl.org>
Message-ID: <d12cad69-411d-132a-ffe6-91850a1e03b1@openssl.org>
Date: Tue, 19 Sep 2017 00:33:34 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <CAMfhd9XLGowg+VtKMxt2owQjmXjedY7V0GLh_cKVu+6WfyquVQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/2Y_XFMYESeCjPQhK2E07rB0tIWY>
Subject: Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv-06
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Sep 2017 22:33:37 -0000
>> Well, it's not like I actually reject the sentiment to favour >> little-endian platform[s], question rather is if *mode* specification is >> right place for it. Protocols are about *communication* and there are >> more factors in play, most notably using already available primitives >> would facilitate adoption. And if little-endian-centric primitives are >> deemed desirable, wouldn't it be more appropriate to define them >> separately to promote modularity and re-usability? > > Anyone who has implemented GHASH has had to wrestle with the > specification's handling of bit ordering, it's confusing beyond > questions of little- vs big-endian. As mentioned in 1st message, it's all about what you bit-flip, polynomial or input. Or rather how you view polynomial. If GCM specification is considered confusing (I'm not saying that it isn't), then why not address *that*? By re-specifying it with bit-flipped polynomial? > But it's also the case that little-endian machines now dominate. It's > nice that some big cores can largely hide the cost of doing the byte > swap, but hiding work is not the same as avoiding it (as your Skylake > numbers show) and smaller cores may not be able to do the > out-of-order, superscalar magic needed. The assertion that 20% improvement is rather anomaly than rule has lesser to do with cores being "little" or "big". And I feel that logic is getting twisted here. "Big" cores are considered to be more likely to amortize additional cost of byte swap, right? Skylake is "big" core and it does have computational resources to do so. And fails miserably. > POLYVAL is GHASH done right > for the world as we find it. Then let's say exactly that. Let's specify it as re-usable primitive. Does it actually have to be interwoven into *this* or *any* specific mode specification? > As for diversity: that's a cost. Although it's smaller here than in > many cases. Where the diversity costs really bubble up is when they > spread up the stack and we have, say, RSA-with-SHAKE128 to test and > validate everywhere. I don't quite follow. This is rather argument against introducing new primitives. Because as far as testing and validation goes, there is no difference between these cases. I mean you get more to test in both cases. But it would be less to test and validate if suggested mode used existing primitives. > I think the diversity cost of AES-GCM-SIV is > concentrated in its very existence (i.e. that it's not AES-GCM). For > cases where AES-GCM-SIV isn't being written as a stitched asm blob > (where the full implementation cost of either POLYVAL or GHASH is be > paid anyway). BoringSSL uses the mapping to GHASH to avoid another> implementation, as specified in the draft. I sense contradiction here. It's argued that alternative primitives provide better performance. But attaining acclaimed performance *will* take dedicated modules, i.e. significantly increase diversity. Even without stitched implementation. If expectation is that majority will take easy way out (perform byte swapping of GHASH input and output, and build modified CTR with signle-block cipher subroutine), then question about alternative primitives being well justified becomes even more acute... [On side note, as for stitched implementation, core function in aesni-gcm-x86_64.pl should be reusable if GHASH and standard CTR were used.] Cheers.
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Paterson, Kenny
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Yehuda Lindell
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Stefano Tessaro
- [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv-06 Alexey Melnikov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Ted Krovetz
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Watson Ladd
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Adam Langley
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Shay Gueron
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Shay Gueron
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Stefano Tessaro