Re: Packet number encryption

Mikkel Fahnøe Jørgensen <mikkelfj@gmail.com> Tue, 06 February 2018 15:25 UTC

To: "Brian Trammell (IETF)" <ietf@trammell.ch>, Jana Iyengar <jri@google.com>
Cc: Praveen Balasubramanian <pravb@microsoft.com>, "Salz, Rich" <rsalz@akamai.com>, QUIC WG <quic@ietf.org>, Roberto Peon <fenix@fb.com>, "Lubashev, Igor" <ilubashe@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/kDxO10EeKrjeFjMT6vqYcTGOgRs>

The overhead of packet encryption (single-block AES-CTR) is probably around
100 cycles with AES-NI and possibly 160 cycles table-based for one block
for Intel arch. This is because parallel multi-block optimisations are not
possible. AES-CTR of one block is about the same as AES-CTR of 4 blocks,
and GCM auth tag adds perhaps 50% to that. Thus packet number encryption
might be twice as fast as AES-GCM of a 64-byte message, which is still a 50%
overhead.


The overhead could be reduced by generating an AES-derived random byte
sequence and storing 8 bits from the sequence in each packet. The sequence
can be efficiently precomputed for 64 packets at a time. A simple lookup
table will tell the packet number with high probability, and if it fails,
it is possible to extend the search. Details could be discussed, such as
using 12 bits instead of 8, etc.

This requires fewer header bits on the wire, is private, ossification
resistant, and fast.
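
A sketch of the tag sequence proposed in the message above, as an added example that is not part of the original post or of any QUIC draft. The names `TagSeq`, `Window`, `Tag` and `Resolve`, the counter-block layout and the demo key are assumptions, and a linear scan of the 64 precomputed bytes stands in for the lookup table.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

const window = 64 // packets per precomputed batch: 64 one-byte tags = 4 AES blocks

// TagSeq derives one pseudorandom byte per packet number from an AES key.
type TagSeq struct{ blk cipher.Block }

func NewTagSeq(key []byte) (TagSeq, error) {
	blk, err := aes.NewCipher(key)
	return TagSeq{blk}, err
}

// Window precomputes the tags of 64-packet window w by encrypting 4 counter blocks.
func (s TagSeq) Window(w uint64) (tags [window]byte) {
	var ctr [16]byte
	for j := uint64(0); j < window/16; j++ {
		binary.BigEndian.PutUint64(ctr[8:], w*(window/16)+j) // assumed counter layout
		s.blk.Encrypt(tags[j*16:(j+1)*16], ctr[:])
	}
	return tags
}

// Tag returns the 8-bit value the sender would put on the wire for packet pn.
func (s TagSeq) Tag(pn uint64) byte { return s.Window(pn / window)[pn%window] }

// Resolve returns the first packet number >= expected whose tag matches,
// extending the search over up to maxWindows consecutive windows.
func (s TagSeq) Resolve(tag byte, expected, maxWindows uint64) (uint64, bool) {
	for w := expected / window; w < expected/window+maxWindows; w++ {
		for i, t := range s.Window(w) {
			if pn := w*window + uint64(i); t == tag && pn >= expected {
				return pn, true
			}
		}
	}
	return 0, false
}

func main() {
	s, _ := NewTagSeq([]byte("constructed-key!")) // constructed 16-byte demo key
	fmt.Println(s.Resolve(s.Tag(70), 66, 2))      // receiver expected 66; 66..69 lost
}
```

With 8-bit tags, collisions inside a 64-packet window are common, so after loss or reordering `Resolve` can return an earlier packet number than the one sent. The sketch assumes the caller notices this when packet authentication fails and calls `Resolve` again from the returned number plus one.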