Re: [TLS] Salsa20 and Poly1305 in TLS
Adam Langley <agl@google.com> Tue, 06 August 2013 15:25 UTC
To: Ted Krovetz <ted@krovetz.net>
Cc: "tls@ietf.org" <tls@ietf.org>

On Tue, Jul 30, 2013 at 10:45 AM, Adam Langley <agl@google.com> wrote:
> I will try to repeat the above benchmarks for VMAC this week. (And, hopefully, run some tests on ARM.)

Recap, to authenticate 1K of data:

UMAC96 (with AES for nonce generation, since Nikos suggested that was the intended design previously): 9146ns
HMAC-SHA1: 3667ns
Poly1305: 561ns

On the same machine (E5-2690@2.90GHz with Hyperthreading and Turboboost disabled), with VMAC code from fastcrypto.org:

VMAC (128-bit, with AES calls removed in order to better compare to Poly1305): 270ns with 248 bytes of memory

On a Cortex-A8 (specifically a Galaxy Nexus) using Linaro GCC 4.7:

VMAC (128-bit, with AES calls removed): 13203ns with 248 bytes of memory
Poly1305 (code from SUPERCOP): 3567ns

For VMAC I used ARM optimised code provided by Ted Krovetz.

Other, random measurements:

VMAC (128-bit, AES for nonces, Intel): 368ns with 424 bytes of memory and 1308ns one-time key schedule.
VMAC (64-bit, no AES, Intel): 138ns, 360 bytes of memory.
VMAC (64-bit, AES, Intel): 229ns, 360 bytes of memory.
VMAC (128-bit, AES, ARM): 14322ns, 424 bytes of memory

For the ARM measurements I was careful to do them with the screen on and unlocked. Android reduces the clock speed when the phone is `asleep'.

When measuring VMAC "with AES", I used "rijndael-alg-fst.c", not OpenSSL. When removing AES from VMAC I just removed all AES calls and AES related elements of the context structure. That's not intended to be a real design, but a reasonable simulation for the purposes of timing.

Poly1305 is very fast on ARM, but VMAC is twice as fast on servers at the cost of a bit of memory. I think I'm still leaning towards Poly1305, but I could be persuaded by VMAC, it's very impressive.

Cheers

AGL