IETF Logo Mail Archive

Re: [TLS] ChaCha20 + Poly1305 in TLS

Yoav Nir <ynir@checkpoint.com> Tue, 10 September 2013 16:08 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DA1521F8475 for <tls@ietfa.amsl.com>; Tue, 10 Sep 2013 09:08:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.918
X-Spam-Level:
X-Spam-Status: No, score=-8.918 tagged_above=-999 required=5 tests=[AWL=1.681, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YvgbQY+hcvf9 for <tls@ietfa.amsl.com>; Tue, 10 Sep 2013 09:08:05 -0700 (PDT)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 9277021F99BF for <tls@ietf.org>; Tue, 10 Sep 2013 09:07:56 -0700 (PDT)
Received: from IL-EX10.ad.checkpoint.com ([194.29.34.147]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r8AG7r3q031872; Tue, 10 Sep 2013 19:07:53 +0300
X-CheckPoint: {522F43D9-9-1B221DC2-1FFFF}
Received: from DAG-EX10.ad.checkpoint.com ([169.254.3.173]) by IL-EX10.ad.checkpoint.com ([169.254.2.246]) with mapi id 14.02.0347.000; Tue, 10 Sep 2013 19:07:53 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Adam Langley <agl@google.com>
Thread-Topic: [TLS] ChaCha20 + Poly1305 in TLS
Thread-Index: AQHOrjmxRJ1QpN2c0UyG/dubgYCJVZm+8RCA
Date: Tue, 10 Sep 2013 16:07:53 +0000
Message-ID: <B44FF990-2243-4E2A-91FA-C77247C47E53@checkpoint.com>
References: <CAL9PXLyLre-fySOY2H4oLAwSxiBmG+mnrJe9YiD9+OHmPVG-oA@mail.gmail.com>
In-Reply-To: <CAL9PXLyLre-fySOY2H4oLAwSxiBmG+mnrJe9YiD9+OHmPVG-oA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.21.100]
x-kse-antivirus-interceptor-info: protection disabled
Content-Type: text/plain; charset="us-ascii"
Content-ID: <D17486F04225574CA954F6BEEA116210@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] ChaCha20 + Poly1305 in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Sep 2013 16:08:15 -0000

On Sep 10, 2013, at 6:22 PM, Adam Langley <agl@google.com> wrote:

> The following numbers are encryption rates for a 1K block size with
> with AES-128-GCM or ChaCha20+Poly1305. The AES-128-GCM implementation
> is OpenSSL 1.0.1e compiled with gcc 4.6.3 and -O3, unless other
> compiler flags are noted.
> 
> On an E5-2690@2.90GHz with Hyperthreading and Turboboost disabled:
> 
> AES-128-GCM, AES-NI disabled: 131 MB/s
> AES-128-GCM, AES-NI enabled: 311 MB/s
> AES-128-GCM, AES-NI enabled & -march=native: 308 MB/s
> ChaCha20+Poly1305: 420 MB/s
> ChaCha20+Poly1305, -march=native: 560 MB/s
> 
> On a Galaxy Nexus (ARM Cortex-A9@1.2GHz), gcc 4.7:
> 
> AES-128-GCM: 27 MB/s
> ChaCha20+Poly1305: 78 MB/s
> 
> Note that I'm being rather unfair to ChaCha20 here: I'm comparing
> 128-bit AES against a 256-bit ChaCha20.
> 
> Intel suggests[5] that an E5-2690 (Sandy Bridge) should be able to do
> AES-128-GCM in ~2.55 cycles/byte, giving speeds of ~1.1GB/s. Possibly
> I've messed something up with OpenSSL, or the implementation in
> OpenSSL 1.0.1e is underperforming, but I'm reporting what I see.

I'm seeing 500 MB/s for AES-GCM on an Intel E5645@2.40Ghz, which is an older Westmere with a somewhat slower clock speed and OpenSSL 1.0.1-something. If I had to guess, you're using the MMX version of the ghash/gmult functions rather than the PCLMULQDQ version. 

Regardless, we need an alternative to AES. RC4 is out because of security, and 3DES is around a tenth the speed. Going back to 3DES means your hardware is not strong enough to handle your current load. ChaCha+poly1305 seems to be a good fallback, so I support the publication.

Yoav

v2.23.0 | Report a Bug | By Email