Re: [TLS] Salsa20 and Poly1305 in TLS

Adam Langley <agl@google.com> Tue, 06 August 2013 16:38 UTC

Return-Path: <agl@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39C7F21F9F3A for <tls@ietfa.amsl.com>; Tue, 6 Aug 2013 09:38:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.673
X-Spam-Level:
X-Spam-Status: No, score=-1.673 tagged_above=-999 required=5 tests=[AWL=0.305, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xBOAJGQWTGTg for <tls@ietfa.amsl.com>; Tue, 6 Aug 2013 09:38:39 -0700 (PDT)
Received: from mail-ob0-x233.google.com (mail-ob0-x233.google.com [IPv6:2607:f8b0:4003:c01::233]) by ietfa.amsl.com (Postfix) with ESMTP id CA78221F9F59 for <tls@ietf.org>; Tue, 6 Aug 2013 09:38:39 -0700 (PDT)
Received: by mail-ob0-f179.google.com with SMTP id fb19so1347803obc.38 for <tls@ietf.org>; Tue, 06 Aug 2013 09:38:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=nz2yOWY7BTUn8t1QxsTeTnXspTIpgAFcUR58QPT86AE=; b=SgC8HRSDA3O8JFigm3cszKlL11VxbVfLC3f6acO079iqtU8f25R0ZgYtIGnNAeX71l 9Tpwf1s7xnNS2JBLUBxZc99m9jIiWsaFpeosMFxYXadxDuGMVMoOWJmhEvD4Lh/wrs++ 5df4a88GhW7M6KgzihiO03oSSWptjIhh2d7mAko6pV95X5SW46jRdE5L74CoAm1WqSTa wOGm8rV9ln/Lp1elJD6z8pUGkdh/E1+OMEQ9EvYZIbq0Z36WUlFC8guVtj+Xv1h1GoF/ fryxX6CKblVjVIotGr7N4u4VXlOQ7ZHpfBhyE5nyLIFDoncRkynn7/rwlgvSudmF1180 +eOA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=nz2yOWY7BTUn8t1QxsTeTnXspTIpgAFcUR58QPT86AE=; b=UlWM0yQlHUPhstykI58zQpAsLeyvZ9dMOj6RP7iqUye6wmC9p2/gljZHbqzfMGI+Ac LS5IZ2wGFAkC/QDix1Re8pzhlzTZckudEiO6AoEfZtY56dVTG9sMotgO/f0ZjnO3o/tI UHyn1ZyDVHG23DkqIpMsrkiO9HAP3tsbj5XL4EG0gWvQHeFz5qrl7yNXcoZm6tCtE8BD tENBJihav22pqykcWrgfy8Jtvpp7wmyq8SWF3PMSQzlMNFWRQDStDJEy+pokra62NL3c MesQQKcJfXt4i1euPNt6OgIBs82rZTWKNgFYxbpYJZJ72ZiccISWIi7ChG8MqY8jxtnU nTmw==
X-Gm-Message-State: ALoCoQnlEKPYUUgNFXMVOv+BL0ysoXAc/uorrEv/BE/c2ckfRp5euoMCVRchH/UYqlO4BgA+73XNEIMzig/9W/UNfAliSspWuHGnJde/BCF0qMYap5DSeZ01SN/pND85jY4jfHLbEJc14BK4eyAwXqpZ/8CmblmPFAReNz6zDkG/Is0Iv/Oz3jorY2SxRjDZ+izD/6vrxkPI
X-Received: by 10.60.38.234 with SMTP id j10mr1752724oek.42.1375807119010; Tue, 06 Aug 2013 09:38:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.111.66 with HTTP; Tue, 6 Aug 2013 09:38:18 -0700 (PDT)
In-Reply-To: <C5653E7F-D187-4F8D-AC2E-9B182BB98954@krovetz.net>
References: <CAL9PXLySuS1gn8YisobYrbEnNpxJuYPbKB0qtkCOMnb+m90Jjg@mail.gmail.com> <CADi0yUNPENmF9G=oiteRuZ3tXn4JFMOEuMsnD9Ean6arjWveKw@mail.gmail.com> <23D5606B-9225-4428-99AA-EC66C93D4088@krovetz.net> <CAL9PXLxhPh=+uaac_+oWJsd7ePkY-47sfZGDRs6yUJouxrxWfQ@mail.gmail.com> <CAL9PXLwh8+pYVXwByD1Q0gVGO4=SkSyLTEowH6BqySTAB7mO7Q@mail.gmail.com> <C5653E7F-D187-4F8D-AC2E-9B182BB98954@krovetz.net>
From: Adam Langley <agl@google.com>
Date: Tue, 06 Aug 2013 12:38:18 -0400
Message-ID: <CAL9PXLykK_5sDmAx3VF4ZY2_SrnFsk2RnrrcJqXmAXSndxPfOw@mail.gmail.com>
To: Ted Krovetz <ted@krovetz.net>
Content-Type: text/plain; charset="UTF-8"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Salsa20 and Poly1305 in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Aug 2013 16:38:40 -0000

On Tue, Aug 6, 2013 at 12:20 PM, Ted Krovetz <ted@krovetz.net> wrote:
> I'm a bozo. When I gave you the VMAC code using ARM intrinsics I should have explicitly reminded you to enable NEON when compiling:
>
>   gcc -mcpu=cortex-a8 -mfpu=neon -mfloat-abi=hard
>
> On a modern ARM, you should always use these settings so that your compiler uses the NEON unit when possible.

Thank you! I used -O3, but I don't develop on ARM very often.

Please ignore previous measurements for VMAC on ARM.

VMAC (ARM, 128-bit, with AES calls removed): 5015.1ns with 248 bytes of memory
Poly1305 (ARM, with same flags): 3457ns

I don't believe that either can be said to be better than the other
now, which makes the call harder if anything :)


Cheers

AGL