Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead

Thomas Pornin <> Wed, 01 March 2017 13:58 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 78C2B12947D for <>; Wed, 1 Mar 2017 05:58:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id H1GooyEZDWAH for <>; Wed, 1 Mar 2017 05:58:27 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 103301293F3 for <>; Wed, 1 Mar 2017 05:58:27 -0800 (PST)
Received: by (Postfix, from userid 1000) id 9E47420834; Wed, 1 Mar 2017 14:57:54 +0100 (CET)
Date: Wed, 1 Mar 2017 14:57:54 +0100
From: Thomas Pornin <>
To: Aaron Zauner <>
Message-ID: <>
References: <> <> <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <>
Cc: "" <>, "" <>
Subject: Re: [TLS] Last call comments and WG Chair review of draft-ietf-tls-ecdhe-psk-aead
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 01 Mar 2017 13:58:28 -0000

On Wed, Mar 01, 2017 at 01:06:27PM +0000, Aaron Zauner wrote:
> I don't see why the IoT/embedded-world can't make use of ChaCha/Poly
> in future implementations?

IF the embedded platform is "generic" (say, it's an ARM Cortex M0+),
then ChaCha20 is faster than anything using AES. Poly1305 is less clear
because it relies on multiplications and multiplications can be
expensive on small microcontrollers; in my own tests with my own
implementations, ChaCha20 and Poly1305 run at roughly the same speed on
a Cortex M0+ (with the 1-cycle multiplier option). Even a table-based
AES (that is, formally "not constant-time", though on a cache-less
microcontroller it might be fine nonetheless) will be about twice
slower. Similarly, the GHASH part of GCM will be slower than Poly1305
(unless you use big key-dependent tables, which is not constant-time but
also rarely doable in small embedded systems, where RAM is a very scarce

HOWEVER, there are some microcontrollers with hardware acceleration for
AES, e.g. the ESP32 (a popular micrcontroller-with-WiFi) has some
circuitry that can do an AES block encryption in 11 clock cycles, which
is much faster than ChaCha20. Moreover, in the presence of such
hardware, CCM will also be much faster than GCM, the GHASH part becoming
prohibitively expensive (relatively to encryption). The push for CCM
mainly comes from that kind of hardware.

(EAX mode might be even preferable on AES-able hardware, but CCM has
a stronger legacy foothold.)

	--Thomas Pornin