Re: [quicwg/base-drafts] Encrypting Retry token (#3274)

Martin Thomson <> Wed, 27 November 2019 23:26 UTC

Since I did this, I've realized that even this was an overly pessimistic outcome.  By precomputing the XOR stream for CTR protection, it should be possible to make an even faster version of the protected form here.

The result should be to narrow the gap between the GHASH-only and encrypted variants further.  The difference should be limited to performing an XOR with a fixed value and a single AES operation (which in my experience is marginally cheaper than an extra GHASH operation, though the addition of ODCID to the AAD is rarely a full block, so it's hard to predict the exact outcome).
