Re: [TLS] ChaCha20 + Poly1305 in TLS

Adam Langley <agl@google.com> Tue, 10 September 2013 22:08 UTC

Return-Path: <agl@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB02F21E80C4 for <tls@ietfa.amsl.com>; Tue, 10 Sep 2013 15:08:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.375
X-Spam-Level:
X-Spam-Status: No, score=-1.375 tagged_above=-999 required=5 tests=[AWL=0.603, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wCe2E0+nh-cJ for <tls@ietfa.amsl.com>; Tue, 10 Sep 2013 15:08:46 -0700 (PDT)
Received: from mail-oa0-x232.google.com (mail-oa0-x232.google.com [IPv6:2607:f8b0:4003:c02::232]) by ietfa.amsl.com (Postfix) with ESMTP id 4ED5321E80A1 for <tls@ietf.org>; Tue, 10 Sep 2013 15:08:46 -0700 (PDT)
Received: by mail-oa0-f50.google.com with SMTP id i4so8575020oah.37 for <tls@ietf.org>; Tue, 10 Sep 2013 15:08:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; bh=DvvxbvGOzSl1FfJ1sd/RQJCOT/A6YnnSOaq1kmAQOIw=; b=NljuOrEQA7XHYdd3gcSFFv5vDZqlePhByuAeHoUuUyvweUOscsvB/yWXXE+jiFITli XtQkdd08z7gPM5R/CMurW4cWML1e71vcHU/b8fDxXrstCGp1dxbRbr6MeqQ5yiEZ0iSF WdBrV/RnplznUFX9d6+ypa68R5KEmzbywO/05VX95Ga2QafaFe1x6DDp+6jiGWngBYg2 37eiWPVPEpdA6HQKmgbyGJ62MfFB2GAqBG9QH2M6sOgIYbGitCD07gHp2qmPFpPIAzZc 6FsRv7ne2ZuT/1N1/v2LJ3BLgYY8WyoFloNB/taXQSW9//HkhQBdqxPeDRMsRHvMyWsW s6eQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:content-type; bh=DvvxbvGOzSl1FfJ1sd/RQJCOT/A6YnnSOaq1kmAQOIw=; b=g16WRPpdn0l3ANuuuHuRzc5GdyaM6aeg3DDgnkIYQxYzNXOro2tm5/N8Cw53ahsUNA /9+rFi/Mm2Yej8FSpDiAlpga43dWDR1/4rXcuzZ9M6DuPYaBAtbGVNgLzE3Rvi19bM19 SefMYlD9wc/nF/s8q+qVIujJKfrsO/0crNHL/KSghCkFKctVRiugp2PDH3T64Azg1Jon 9pr1NBd/HNc57ffhbXUrvoL0Z6MejfDhgIJuxxnetTA8nsZKs3dqb7dKTo3RQLUrDJIt kwPLli7pPUVAflivnEdIlFLuEzxnrDwH0A57kfzODFOw7CHBnK9smS1qWK82e6tdyHyL PAeg==
X-Gm-Message-State: ALoCoQklTt6ytu3RsUh4gxNBm0HJ82GolJOwaMrw3RE+41FylhGrE7KNJSWwnsXUcsN0MdXmRdH4HzMV3fyOUKjG2wUC0j1igmrG0o0vkqJb3h4FBN0Ha1xRrJ0iqRbPOu7qfjefUxJC/AvMDZxKJ0Na76UXWjghtnVnOd0zNL7nLkKcyGQuPEO85BI9lPzFXl4WAB/BIWLf
X-Received: by 10.182.75.201 with SMTP id e9mr5461408obw.28.1378850925767; Tue, 10 Sep 2013 15:08:45 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.79.105 with HTTP; Tue, 10 Sep 2013 15:08:25 -0700 (PDT)
In-Reply-To: <CAL9PXLyLre-fySOY2H4oLAwSxiBmG+mnrJe9YiD9+OHmPVG-oA@mail.gmail.com>
References: <CAL9PXLyLre-fySOY2H4oLAwSxiBmG+mnrJe9YiD9+OHmPVG-oA@mail.gmail.com>
From: Adam Langley <agl@google.com>
Date: Tue, 10 Sep 2013 18:08:25 -0400
Message-ID: <CAL9PXLwKpmf8xMYnJEPQm8hYFRiGu=yvOqyxMobq7j_Bj-B6Yw@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [TLS] ChaCha20 + Poly1305 in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Sep 2013 22:08:47 -0000

On Tue, Sep 10, 2013 at 11:22 AM, Adam Langley <agl@google.com> wrote:
> Intel suggests[5] that an E5-2690 (Sandy Bridge) should be able to do
> AES-128-GCM in ~2.55 cycles/byte, giving speeds of ~1.1GB/s. Possibly
> I've messed something up with OpenSSL, or the implementation in
> OpenSSL 1.0.1e is underperforming, but I'm reporting what I see.

I found what I had messed up in OpenSSL: AES-NI was in use, but only
block-by-block, not pipelined.

The AES-128-GCM speed on the E5-2690 with AES-NI enabled should be 868 MB/s.


Cheers

AGL