Re: [quicwg/base-drafts] Encrypting Retry token (#3274)

Martin Thomson, Tue, 03 December 2019 03:57 UTC

It's possible that the values @huitema produced for just authentication are high.  Most GCM implementations will still run the AES operation necessary to calculate the mask for GHASH.  With a fixed key and nonce, that operation can be replaced with a simple XOR.  Doing that additional optimization is not obvious, and it requires breaking the AEAD box open, but I expect that this will happen if implementations REALLY care about every cycle.

That would increase the difference a little, maybe as much as my 1.7x (or 1.5x on the newer CPU).

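The shortcut described in the message, as an added example that is not code from the thread or from any QUIC implementation: with key and nonce fixed, GCM's hash subkey H = E_K(0) and its tag mask E_K(J0) are both constants, so a tag over associated data alone is GHASH followed by one XOR. The names `tagFixed` and `check`, the all-zero key and nonce and the sample input are constructed for illustration; a 16-byte key, a 96-bit nonce and an empty plaintext are assumed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

type block struct{ hi, lo uint64 } // 128 bits as two big-endian halves
func xor(a, b block) block { return block{a.hi ^ b.hi, a.lo ^ b.lo} }

func load(b []byte) block { // copy zero-pads a short final block
	var p [16]byte
	copy(p[:], b)
	return block{binary.BigEndian.Uint64(p[:8]), binary.BigEndian.Uint64(p[8:])}
}

// mul is the GF(2^128) product from NIST SP 800-38D (leftmost bit is bit 0).
func mul(x, v block) (z block) {
	for i := 0; i < 128; i++ {
		if x.hi>>63 == 1 {
			z = xor(z, v)
		}
		x.hi, x.lo = x.hi<<1|x.lo>>63, x.lo<<1
		v.hi, v.lo = v.hi>>1^(v.lo&1)*0xe100000000000000, v.lo>>1|v.hi<<63
	}
	return z
}

// tagFixed is the GCM tag over aad with an empty plaintext: GHASH, then one XOR.
// h = E_K(0^128) and mask = E_K(J0) are precomputed constants, so no AES runs here.
func tagFixed(h, mask block, aad []byte) (y block) {
	for i := 0; i < len(aad); i += 16 {
		y = mul(xor(y, load(aad[i:])), h)
	}
	return xor(mul(xor(y, block{uint64(len(aad)) * 8, 0}), h), mask) // length block last
}

func check(key, nonce, aad []byte) bool { // compare with crypto/cipher's GCM
	c, _ := aes.NewCipher(key) // assumes a valid AES key length
	hb, j0 := make([]byte, 16), append(append([]byte{}, nonce...), 0, 0, 0, 1)
	c.Encrypt(hb, hb) // h = E_K(0^128), computed once
	c.Encrypt(j0, j0) // mask = E_K(nonce || 0x00000001), computed once
	g, _ := cipher.NewGCM(c)
	return tagFixed(load(hb), load(j0), aad) == load(g.Seal(nil, nonce, nil, aad))
}

func main() { // constructed all-zero key and nonce, constructed AAD
	fmt.Println(check(make([]byte, 16), make([]byte, 12), []byte("stand-in Retry packet")))
}
```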