RE: AEAD and header encryption overhead in QUIC

Nick Banks <> Thu, 18 June 2020 14:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C7AA03A12BE for <>; Thu, 18 Jun 2020 07:52:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id z9_sjQ80Ko4s for <>; Thu, 18 Jun 2020 07:52:03 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 45F253A12B8 for <>; Thu, 18 Jun 2020 07:52:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=a1qItXel8qsTQRhbozNQRn6jK/s40/JdxgD1HkbLqBr9H0ocbaUttPx2X0AYZJXz9vCd83ViHquLBPgtGGSf63zh87zCG3BrHjWpQldJobVCWdFphxnJcNpDaDeu4qATSixAkOxaxZb0mTWg79A7AP/0k6mM1qXFxl6BbgJDIBt9B7JEq1ts9OfEUymx1fSAzYXhSFGeLuIlBlivpO2uavd8tw/F5+POYMHXxCI4wbs2DE/xACpoyBiPovUZZ1m7jv4pBMI5f8qmYSmZp+O4Dj2SBlI8ZI9PhVL8MdtMFk9Z2L9dhI7k5Latd79onNzUI+ZRQSULGz5QMK5ZteOxGg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bACXSJIpq4Rqsk1637yyi4ZSiW+SHim577yXZ6nmY9w=; b=FFY9owevMCtttusE6RlatYiTjQevRTp47Aou+UoW1/FAGoXMXCyNIgaJYaxdLtNuxiHSB3CR2PPLCNd7n/faGfaKFqdRw6SgbIQ+LndExo/MDoHVhA0akjUQiI9bLRtDE8igUpyH3AaRuLo+EvldcgL7pyeNrV6rRuzMkx4qMctSacfifdj238UUdf/8X2vH0OAwECsB1lEMWIJcGQA14VxdBlHbT9gJJAQ65mHg7DHuvDZClpnByYMHhWc4b2K7T70N2NS2ifc/jMCis1yu7UFvK5aBJgG4A/GVYBwf911gNR2gUCmbyaXokauL3Y6YZUw8AO2b8l6UgtbjhC4WjQ==
ARC-Authentication-Results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=bACXSJIpq4Rqsk1637yyi4ZSiW+SHim577yXZ6nmY9w=; b=RpNYnK9W4cr8LC0bh9J+lXky4b6sFBnnIU5U11ANp5FjiarRYXOjvKSuedMgY/04W7X7X0ycuP+TIeOnscu9XPU7ms1fNkL3DNF20PTby3jOCTfHiRsyBjCXD0WLokakAaTCvt27m5aynvdd9poD8x5/R/wdXsr9ZGWhoMiShaQ=
Received: from (2a01:111:e400:c638::26) by (2a01:111:e400:c619::25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3153.0; Thu, 18 Jun 2020 14:51:58 +0000
Received: from ([fe80::7d0f:146e:c697:6989]) by ([fe80::7d0f:146e:c697:6989%3]) with mapi id 15.20.3153.000; Thu, 18 Jun 2020 14:51:58 +0000
From: Nick Banks <>
To: Kazuho Oku <>, IETF QUIC WG <>
Subject: RE: AEAD and header encryption overhead in QUIC
Thread-Topic: AEAD and header encryption overhead in QUIC
Thread-Index: AQHWRUnYDE4fg8npukO25Wg8NKLEMqjecdOs
Date: Thu, 18 Jun 2020 14:51:58 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-06-18T14:38:58.3938238Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Privileged
authentication-results:; dkim=none (message not signed) header.d=none;; dmarc=none action=none;
x-originating-ip: []
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 126713e8-c33e-4d08-1542-08d8139726b6
x-ms-traffictypediagnostic: CY1PR00MB0075:
x-microsoft-antispam-prvs: <>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0438F90F17
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 0Fi/sRfbtGeX8rditubiMykZEiOWnhhuA9do5mktMKBq1IAqmdMTIHw2g4vuT4j5no1em6AvyGuwLlEUrvhvii7J8CNp9nbuADjJ+oaS/bQpy20PX22LaIr6hkgGLQI4G/t457XPM9ab8szHj0WwkUblkAhJy8wxeed8XehfSMraoNm1g5mdaFDKVxcEyigam/S3JfPVlzNtCPpgBgrCRYGAy5h/8pcLE/bhzMcuUAEKBBtSzSN7ZzLLQmmdL5jmrIRYhH4ME7xBDCh9/7dsxs1XZxfbLt82K2Rzh39UB6GyTW3ofLGDnbeD40ekW26QRFKVTJ+JCYAenIBVAvDKEP5ME1EHAUpNsvqWS/5/W0QtNexrIhePHIXF/AorK+U6tcDEYoXjEM/8c+fVj+H55Q==
x-forefront-antispam-report: CIP:; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM;; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(376002)(366004)(346002)(136003)(396003)(39860400002)(76116006)(66946007)(91956017)(6512007)(966005)(33656002)(86362001)(110136005)(316002)(82950400001)(82960400001)(52536014)(64756008)(66446008)(478600001)(66476007)(5660300002)(66556008)(9686003)(2906002)(71200400001)(8936002)(186003)(26005)(9326002)(83380400001)(6486002)(53546011)(8990500004)(8676002)(166002)(10290500003)(6506007); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: N4eQZQZMzlyI9AOZdurAyaLwEeSpFeO+hf/5yonDNGi/AFiX7OFkU5Su7XVWdwZWxJ306k7c7z0IhuviS4BHZKZWCPyDhD6FMqunkvA+v0xswv2lc2nJZkbGPKG1GpAh4g2kJcqJ8GVitDoBYetu3rP5Gaa06zvUBmxEBqa00oyQz0Oi5TLiouclEfg5Rqk2zlBg1cjKur3Cz0DWf5JDnyQBcz3c2iZ0C4B5RYciOutqSpyV1+95JopPUIwm9vd20dEuT2PumdrglXt5wRgyHyU4LHbFhXKelzaOqsFJJ++9QuewHbjR/vEsbGHWDcbZQriY5QJQytb87nUCZsET9XEf6qWggIAkW4IdmsKpE9cs/n4HNGzyrNz1k1rpbdMawR6bmDhxc9Hsjjg1gvAMiMeu3kuAh/30YuHZsXCsvh4E7nip9/2owdrFanlt9iYBJHIUKxlYXZNW0OMd3jEi6XZFauGmVJeUBj7B/z9a37I=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_SN2PR00MB0173E37EEAD6CB56F7425DF4B39B0SN2PR00MB0173namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-Network-Message-Id: 126713e8-c33e-4d08-1542-08d8139726b6
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Jun 2020 14:51:58.1902 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: PDygj1kSQe89696yWSEpQf67BytCubU9q/UZJYquRX90mevWEuerezVlM+8JUox8qlMDDt4rvV1Dtn3Yzu46/A==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR00MB0075
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 18 Jun 2020 14:52:06 -0000

Hi Kazuho,

Thanks for the information! It’s very interesting. You might try this too:

We’ve found that an easy way to minimize the CPU cost of the header protection (on send and receive) is batching. If you copy 8 packet headers into a single contiguous block of memory, you can do a single crypto operation on it. The cost of doing one batch of 8 is essentially the same as doing just a single header. This effectively cuts the cost of header protection to 1/8th the original cost. Obviously this only works if you have enough packets to batch process, but for high throughput tests, you usually do.

Feel free to take a look at the MsQuic code (receive path<>84>, send path<>)8>). The nice thing about this design (for those of us who don’t have as much special crypto expertise) is that it doesn’t require any special crypto changes. I’d be interested to see if our two approaches could be combined for even better performance!

- Nick

From: Kazuho Oku<>
Sent: Thursday, June 18, 2020 1:24 AM
Subject: AEAD and header encryption overhead in QUIC

Hello folks,

TL;DR: When existing crypto libraries are used, the AEAD cost of QUIC can become somewhat greater than that of TLS over TCP, due to those crypto libraries not optimized for handling short AEAD blocks. Crypto libraries optimized for short AEAD blocks can tighten the gap. Also, crypto libraries optimized for QUIC can combine AEAD operation and header protection vector generation, effectively eliminating the cost of header protection.

A bit longer story:

Recently, when testing quicly [1] using a NIC with *hardware support* for UDP GSO offload, we noticed that it uses +30% CPU cycles compared to TLS over TCP. This was due to our underlying crypto not being optimized for short AEAD blocks, and due to the call overhead of doing header protection one packet at a time. [2]

We went on to implement our own AES-GCM library optimized for short AEAD blocks (i.e. packet-sized), that also generates the header protection vector while doing AEAD computation. By switching to the new crypto library, the performance drawback of the crypto itself compared to large AEAD blocks when down from 30% to 10% [3].

The overhead of header protection (relative to all the crypto cost) on the send side is now between 0.3% to 1% when using packets sized around 1400 bytes to 1500 bytes. The ratio against the total transport cost is going to be less than that, and in practice, I think that they are negligible. The story might be a bit different on the receive-side due to the dependency between header protection and AEAD, though I am sure there would also be ways to optimize.

In terms of CPU cycles spent by the QUIC stack, the overhead compared to TLS-over-TCP came down to 5%. quicly can now sustain the send rate of 5Gbps while spending about 30% of CPU cycles of one modern Intel CPU core [2].

These numbers are observations from one TLS / QUIC stack doing micro-benchmarks, though I tend to think that sharing performance numbers lead to people having better expectations regarding the CPU cost of QUIC. Some of us were also concerned about the cost of header protection (a.k.a. packet number encryption) [4]. Hence posting here.


Kazuho Oku