Re: [quicwg/base-drafts] Encrypting Retry token (#3274)

Martin Thomson <> Mon, 09 December 2019 21:37 UTC

As the PR proposes, GMAC is what we are using. A simple implementation can then just use GCM. Someone looking to save one AES operation can run GHASH with an XOR.

This saves on the number of primitives, and for someone willing to build silicon, it can be implemented fairly efficiently.

There is some odd middle space with software implementations on low end hardware that might be a little worse off, but they win because they need fewer primitives. A low end device probably needs external help with DoS, so maybe we can say that this is a net win.

To be clear, Nick's situation isn't ideal either. Implementing GMAC in hardware is certainly not free, falling back to software is not fast, and this style of standalone DoS protection is otherwise relatively simple. But there are a number of competing concerns that need to be balanced.
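The construction the message describes, as an added example that is not code from the issue, the PR or any QUIC implementation: the GMAC tag over a Retry pseudo-packet computed as GHASH followed by an XOR with one AES block, and the same value obtained from a stock AES-GCM with an empty plaintext. The key, nonce and pseudo-packet bytes are constructed placeholders, not the draft's constants.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// gf128Mul is the GF(2^128) product in GCM's bit order (bit 0 = MSB of byte 0), NIST SP 800-38D 6.3.
func gf128Mul(x, y [16]byte) (z [16]byte) {
	vHi, vLo := binary.BigEndian.Uint64(y[:8]), binary.BigEndian.Uint64(y[8:])
	var zHi, zLo uint64
	for i := 0; i < 128; i++ {
		if x[i/8]>>(7-i%8)&1 == 1 {
			zHi, zLo = zHi^vHi, zLo^vLo
		}
		vHi, vLo = vHi>>1^(vLo&1)*0xe100000000000000, vLo>>1|vHi<<63 // shift, reduce by R = 11100001 || 0^120
	}
	binary.BigEndian.PutUint64(z[:8], zHi)
	binary.BigEndian.PutUint64(z[8:], zLo)
	return z
}
// gmacTag is GHASH over aad (zero-padded, then [len(aad)]_64 || [len(C)=0]_64) XORed with one AES block, E_K(J0).
func gmacTag(blk cipher.Block, nonce, aad []byte) (tag [16]byte) {
	var h, j0 [16]byte
	blk.Encrypt(h[:], h[:]) // H = E_K(0^128): depends only on the key, so it can be cached
	in := make([]byte, len(aad)+(16-len(aad)%16)%16+16)
	copy(in, aad)
	binary.BigEndian.PutUint64(in[len(in)-16:], uint64(len(aad))*8)
	for off := 0; off < len(in); off += 16 { // Y_i = (Y_{i-1} ^ X_i) * H
		for i := range tag {
			tag[i] ^= in[off+i]
		}
		tag = gf128Mul(tag, h)
	}
	copy(j0[:], nonce) // J0 = nonce || 0^31 || 1 for a 96-bit nonce
	j0[15] = 1
	blk.Encrypt(j0[:], j0[:]) // the single per-token AES call
	for i := range tag {
		tag[i] ^= j0[i]
	}
	return tag
}
func main() { // constructed placeholder key, nonce and pseudo-packet, not the draft's values
	blk, _ := aes.NewCipher(make([]byte, 16))
	nonce, aad := make([]byte, 12), []byte("constructed Retry pseudo-packet: ODCID || Retry header || token")
	aead, _ := cipher.NewGCM(blk) // stock AES-GCM with an empty plaintext returns just the tag
	fmt.Printf("ghash+xor %x\naes-gcm   %x\n", gmacTag(blk, nonce, aad), aead.Seal(nil, nonce, nil, aad))
}
```

A verifier compares the received tag with a constant-time comparison against the recomputed one; only E_K(J0) is paid per token, since H is fixed for the key.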
