Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv-06
Andy Polyakov <appro@openssl.org> Wed, 27 September 2017 21:50 UTC
Return-Path: <appro@openssl.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BF1713306A for <cfrg@ietfa.amsl.com>; Wed, 27 Sep 2017 14:50:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.001
X-Spam-Level:
X-Spam-Status: No, score=-5.001 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vo6ckIcZlUbq for <cfrg@ietfa.amsl.com>; Wed, 27 Sep 2017 14:50:29 -0700 (PDT)
Received: from mta.openssl.org (xmpp.openssl.org [IPv6:2001:608:c00:180::1:e6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5824A13445E for <cfrg@irtf.org>; Wed, 27 Sep 2017 14:50:29 -0700 (PDT)
Received: from [127.0.0.1] (localhost [IPv6:::1]) by mta.openssl.org (Postfix) with ESMTP id C703BE1124; Wed, 27 Sep 2017 21:50:25 +0000 (UTC)
From: Andy Polyakov <appro@openssl.org>
To: "cfrg@irtf.org" <cfrg@irtf.org>
References: <EA4347BF-D26F-4303-9A8D-E7B28986DE56@isode.com> <71d10985-4c46-4a7c-e634-76a822102a61@openssl.org> <CACsn0cnSq9nJpdjpDQ-HpHX7i6W-0=JkCOB-WenBRoMSKO9ypA@mail.gmail.com> <b751593d-20bb-8914-de96-e9040080e15d@openssl.org> <CAHP81y_CUTvA9Ftqz0Q_qzs94iPddW+4g5ObhzruNKR5zaEPvw@mail.gmail.com> <46eaa04f-09ef-3f11-4729-dfeec1b1cf60@openssl.org> <CAHP81y-bNDvF9_tQZO0BvrCqPU=Wa71PyraiRm39oh1bJo0sWw@mail.gmail.com> <3b106ff6-373c-eb5c-c8a8-98cc4a5060ce@openssl.org>
Message-ID: <58eef027-be2d-afc6-86b9-d8688b2e7351@openssl.org>
Date: Wed, 27 Sep 2017 23:50:25 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <3b106ff6-373c-eb5c-c8a8-98cc4a5060ce@openssl.org>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/y0z0JOaRWmE3SWM81UnmOhNLRt8>
Subject: Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv-06
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Sep 2017 21:50:31 -0000
>>>>> do we all agree that "consistency" is sufficient by its own? >> >> To me, a clean and consistent specification has value. > > I don't deny its value, question was it is sufficient [to justify > additional implementation/diversity costs]. It's obvious that more natural bit order in POLYVAL was not the goal by itself. Performance on par with GCM also was. And not just any GCM performance, but one assisted by AES-NI and PCLMULQDQ instructions or their equivalents. Next thing to understand is that referred GCM performance is achieved by optimizing for specific cases, CTR and GHASH, and in x86_64 case even stitched CTR-GHASH. And keyword is "specific cases". Draft in question asserts that suggested mode decrypt performance is virtually equivalent to GCM, but fails to emphasize that this holds true only provided that one has devoted equivalent effort into optimizing code for specific cases of modified CTR and POLYVAL. Because if one doesn't do that and takes "easy way out" by exploiting byte order equivalence with GHASH and modified CTR relying on single-block encrypt, performance impact would be devastating, up to several *times*. On the other hand if mode was specified using GHASH and standard CTR, as already discussed, difference would be none to negligible [in non-anomalous cases]. >>>>> those who choose "easy way out". >>>>> because they have dedicated GHASH hardware. >> As Adam had mentioned, adding AES-GCM-SIV (to gain misuse resistance) >> has its cost anyway, > > Yes, and assertion is that it could have been *lower* if it was > formulated with GHASH and standard CTR. Because it would be limited to ordering calls to existing GHASH and CTR. Cheers.
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Paterson, Kenny
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Yehuda Lindell
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Stefano Tessaro
- [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv-06 Alexey Melnikov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Blumenthal, Uri - 0553 - MITLL
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Ted Krovetz
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Watson Ladd
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Adam Langley
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Shay Gueron
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Shay Gueron
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Andy Polyakov
- Re: [Cfrg] RG Last Call on draft-irtf-cfrg-gcmsiv… Stefano Tessaro