Re: [quicwg/base-drafts] Encrypting Retry token (#3274)

MikkelFJ <notifications@github.com> Mon, 09 December 2019 20:30 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53E571201E0 for <quic-issues@ietfa.amsl.com>; Mon, 9 Dec 2019 12:30:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.382
X-Spam-Level:
X-Spam-Status: No, score=-6.382 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F6h-iYg-2P13 for <quic-issues@ietfa.amsl.com>; Mon, 9 Dec 2019 12:30:22 -0800 (PST)
Received: from out-23.smtp.github.com (out-23.smtp.github.com [192.30.252.206]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0013F12018B for <quic-issues@ietf.org>; Mon, 9 Dec 2019 12:30:21 -0800 (PST)
Received: from github-lowworker-292e294.va3-iad.github.net (github-lowworker-292e294.va3-iad.github.net [10.48.102.70]) by smtp.github.com (Postfix) with ESMTP id 5B93F660D05 for <quic-issues@ietf.org>; Mon, 9 Dec 2019 12:30:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1575923421; bh=/36uFnrW4fA/WPiihA+KguRuW+w4TZpBui0di2y+jWI=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=abU4iMkZc7djFERAmQ6mloQ5OWj8Nq4NXieRSKEabvGydR8IYAAWE5O1TuhCAXMi4 JEDRjTdJqJHUlKW3UjO07dog85fS4C3NGeEiHxaQrsDkoj7uQCSAo4G3qAnRQIfu6q qm6t5iQvV3AcoJ1l14HHTxKeO3IwaLqask5xTqTc=
Date: Mon, 09 Dec 2019 12:30:21 -0800
From: MikkelFJ <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK4HG7AUFNO7WNTAHH537PQV3EVBNHHB7CUNWA@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/3274/563423756@github.com>
In-Reply-To: <quicwg/base-drafts/issues/3274@github.com>
References: <quicwg/base-drafts/issues/3274@github.com>
Subject: Re: [quicwg/base-drafts] Encrypting Retry token (#3274)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5deeaedd4c204_18f93fc4d6ecd968521c3"; charset=UTF-8
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: mikkelfj
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/ydyGWf7vEMiG-yGY7aJerJF5elM>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Dec 2019 20:30:23 -0000

Using raw GHASH over GMAC would avoid the need for an AES module in hardware and only require carryless multiplication (CLMUL) for efficient operation, but I can't imagine where that case would be very relevant. Even on low-end microcontrollers it is more likely you have SHA-256 and AES hardware than CLMUL, at least for now. From that perspective Poly1305 would be more efficient, but given the nature of Retry and the dependence on AES-GCM elsewhere in the protocol, GMAC or GHASH makes more sense. GMAC is much simpler than GHASH because it can use existing libraries. If GHASH were to be used directly one would have to ensure that it is safe in the applied context and with the supplied key whereas GCM is well understood even if it costs a few block encryptions extra.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/3274#issuecomment-563423756