Re: [Cfrg] RGLC on draft-irtf-cfrg-chacha20-poly1305-01.txt

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Tue, 07 October 2014 16:54 UTC

Date: Tue, 7 Oct 2014 19:54:39 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: James Cloos <cloos@jhcloos.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/Wg23v12W3gM2rkGaEZoNorzhnOU
Cc: Manuel Pégourié-Gonnard <mpg@elzevir.fr>, "cfrg@irtf.org" <cfrg@irtf.org>

On Tue, Oct 07, 2014 at 10:22:23AM -0400, James Cloos wrote:
> 
> Dan's paper on aes/poly1305 makes it look like a better choice than gcm,
> at least.  Maybe also better than ccm, et alia.

Depends.

Poly1305 should be faster than CCM and unaccelerated GCM (plus that one
is really nasty to implement without side channels out the wazoo). HW-
accelerated GCM is faster and simpler than poly1305.

There are some platforms that do have HW AES but no HW GCM. But those
are fairly rare. AES/Poly1305 would be useful on such.

Some other things:
- GCM and original Poly1305(-AES) reuse R (this AEAD construct doesn't).
- Poly1305 is independent of encryption blocksize, whereas GCM is for
  128-bit ciphers only (it could be generalized to other sizes, but IIRC,
  it slows down as blocksize increases).


-Ilari
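The Poly1305 construction the message is comparing against GCM, as an added example that is not code from the thread or from the draft: it follows the RFC 7539 definition (the RFC this draft became) and checks itself against that RFC's published Poly1305 test vector. The MAC works on its own 16-byte blocks and never touches the cipher, which is the block-size independence point above; the 32-byte one-time key is assumed to come from somewhere else (in the AEAD, from the first ChaCha20 keystream block of each nonce, so r and s are never reused across messages).

```python
import hmac

P = (1 << 130) - 5  # the prime Poly1305 evaluates its polynomial over

# RFC 7539 section 2.5.2 test vector (published values, not constructed here).
RFC7539_KEY_HEX = "85d6be7857556d337f4452fe42d506a80103808afb0db2fd4abff6af4149f51b"
RFC7539_MSG = b"Cryptographic Forum Research Group"
RFC7539_TAG_HEX = "a8061dc1305136c6c22b8baf0c0127a9"


def clamp_r(r: int) -> int:
    """Clear the bits RFC 7539 requires to be zero in r (the polynomial point)."""
    return r & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF


def poly1305_mac(key: bytes, msg: bytes) -> bytes:
    """Poly1305 over msg with a 32-byte one-time key (r || s).

    The 16-byte chunking below is Poly1305's own block size; it does not
    depend on the width of whatever cipher supplied the key, unlike GCM's
    GHASH, which is tied to a 128-bit block cipher.
    """
    if len(key) != 32:
        raise ValueError("Poly1305 key must be 32 bytes")
    r = clamp_r(int.from_bytes(key[:16], "little"))
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16]
        # Append 0x01 so a short final block is distinguished from a padded one.
        n = int.from_bytes(block + b"\x01", "little")
        acc = ((acc + n) * r) % P
    tag = (acc + s) & ((1 << 128) - 1)  # s masks the polynomial value; take low 128 bits
    return tag.to_bytes(16, "little")


def poly1305_verify(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time tag comparison; returning early on mismatch is a side channel."""
    return hmac.compare_digest(poly1305_mac(key, msg), tag)


if __name__ == "__main__":
    key = bytes.fromhex(RFC7539_KEY_HEX)
    print(poly1305_mac(key, RFC7539_MSG).hex() == RFC7539_TAG_HEX)  # True
```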