Re: [TLS] Salsa20 and Poly1305 in TLS

Adam Langley <agl@google.com> Tue, 30 July 2013 14:53 UTC

On Tue, Jul 30, 2013 at 5:00 AM, Nikos Mavrogiannopoulos
<nmav@gnutls.org> wrote:
> btw. was Poly1305 used with salsa20/12 in this comparison or AES? If
> it is salsa20, I believe that the numbers would be quite different for
> UMAC if used with salsa20 as well.

I measured UMAC with AES as you had previously indicated that was what
you were aiming at. (I measured Poly1305's raw speed as the difference
is small.)

If UMAC were measured without the AES operation then I think ~20ns
could be removed, although I'm using tables from bench.cr.yp.to due to
time.

> Complexity is indeed an issue, but tweetocity doesn't seem to be a
> clear advantage :)

The simplicity is of some value, although I'll admit that the tweet
left some things underspecified :)


Cheers

AGL