Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead
Thomas Pornin <pornin@bolet.org> Wed, 01 March 2017 13:58 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/wckAZm5TMPompVjAHEk4DDNmtTk>
On Wed, Mar 01, 2017 at 01:06:27PM +0000, Aaron Zauner wrote:
> I don't see why the IoT/embedded-world can't make use of ChaCha/Poly
> in future implementations?

IF the embedded platform is "generic" (say, it's an ARM Cortex M0+), then ChaCha20 is faster than anything using AES. Poly1305 is less clear because it relies on multiplications, and multiplications can be expensive on small microcontrollers; in my own tests with my own implementations, ChaCha20 and Poly1305 run at roughly the same speed on a Cortex M0+ (with the 1-cycle multiplier option). Even a table-based AES (that is, formally "not constant-time", though on a cache-less microcontroller it might be fine nonetheless) will be about twice as slow. Similarly, the GHASH part of GCM will be slower than Poly1305 (unless you use big key-dependent tables, which is not constant-time but also rarely doable in small embedded systems, where RAM is a very scarce resource).

HOWEVER, there are some microcontrollers with hardware acceleration for AES, e.g. the ESP32 (a popular microcontroller-with-WiFi) has some circuitry that can do an AES block encryption in 11 clock cycles, which is much faster than ChaCha20. Moreover, in the presence of such hardware, CCM will also be much faster than GCM, the GHASH part becoming prohibitively expensive (relative to encryption). The push for CCM mainly comes from that kind of hardware. (EAX mode might be even preferable on AES-able hardware, but CCM has a stronger legacy foothold.)

--Thomas Pornin