Re: [quicwg/base-drafts] Add retry integrity tag (#3120)

MikkelFJ <> Wed, 30 October 2019 21:56 UTC

Date: Wed, 30 Oct 2019 14:55:58 -0700
From: MikkelFJ <>
Reply-To: quicwg/base-drafts <>
To: quicwg/base-drafts <>
Cc: Subscribed <>
Message-ID: <quicwg/base-drafts/pull/3120/>
In-Reply-To: <quicwg/base-drafts/pull/>
References: <quicwg/base-drafts/pull/>
Subject: Re: [quicwg/base-drafts] Add retry integrity tag (#3120)

@DavidSchinazi on AES-GCM that is not correct: The crypto part yes, but you do not encrypt, you only GHASH because it is AEAD only. GHASH is a 128-bit carryless multiplication over a Galois Field which completes the checksum. If you have CLMUL instructions this is efficient, otherwise not so much. That is where Poly1305 is a gain. CLMUL is not very common on misc. controllers even if they have other accelerations, at least for the time being. E.g. ESP8266.

I agree that AES-GCM is the right choice given the circumstances, but I think Poly1305 would be better for initial and retry because it would work in a broader range. The benefit of AES-GCM is that highly loaded servers will have the necessary acceleration and may slow down on AES-GCM - even if this is a tiny fraction of the overall connection cost, it may be important as it fends off noise from the broader internet.

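An added illustration of the GHASH cost the message refers to (example code written for this archive page, not code from the thread, the QUIC drafts or any implementation): a pure-software GHASH that performs the GF(2^128) carry-less multiplication bit by bit, which is exactly the loop a CLMUL instruction replaces. The hash subkey and block values used for the check are the AES-GCM specification's published test vector 2, not page-specific values.

```python
# Added example, not from the thread or the QUIC drafts: software GHASH,
# the authentication half of AES-GCM. Without a carry-less multiply
# instruction, every 16-byte block costs a 128-step shift-and-xor loop.

# GCM's reduction polynomial x^128 + x^7 + x^2 + x + 1, in GCM's
# reflected bit order (bit 0 of the field element is the MSB of the int).
GCM_R = 0xE1 << 120


def gf128_mul(x: int, y: int) -> int:
    """Multiply two GF(2^128) elements using GCM's bit-reflected convention."""
    z = 0
    v = x
    for i in range(128):
        if (y >> (127 - i)) & 1:      # bit i of y, counted from the MSB
            z ^= v
        # multiply v by the field generator (a right shift here) and reduce
        v = (v >> 1) ^ GCM_R if v & 1 else v >> 1
    return z


def _blocks(data: bytes):
    """Yield 16-byte blocks, zero-padding the last partial block as GHASH requires."""
    for i in range(0, len(data), 16):
        yield data[i:i + 16].ljust(16, b"\x00")


def ghash(h: bytes, aad: bytes, ciphertext: bytes) -> bytes:
    """GHASH_H(AAD, C). h is the hash subkey AES_K(0^128).

    For a retry integrity tag the packet is passed as AAD with an empty
    ciphertext, so only this function plus two AES block encryptions run:
    nothing is encrypted, as the message above says.
    """
    h_int = int.from_bytes(h, "big")
    x = 0
    for block in list(_blocks(aad)) + list(_blocks(ciphertext)):
        x = gf128_mul(x ^ int.from_bytes(block, "big"), h_int)
    # Final block: bit lengths of AAD and ciphertext, 64 bits each.
    lengths = (len(aad) * 8).to_bytes(8, "big") + (len(ciphertext) * 8).to_bytes(8, "big")
    x = gf128_mul(x ^ int.from_bytes(lengths, "big"), h_int)
    return x.to_bytes(16, "big")


if __name__ == "__main__":
    # GCM specification test case 2: K = 0^128, IV = 0^96, one zero plaintext block.
    H = bytes.fromhex("66e94bd4ef8a2c3b884cfa59ca342b2e")
    C = bytes.fromhex("0388dace60b6a392f328c2b971b2fe78")
    print(ghash(H, b"", C).hex())  # f38cbb1ad69223dcc3457ae5b6b0f885
```

The inner loop runs 128 iterations per block regardless of input, which is the constant-time-but-slow path a controller without CLMUL is stuck with; Poly1305 trades this for ordinary integer multiply-and-add.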