Jack Lloyd also passed along lots of good comments I'd
like to forward (having gained permission) FTR.  I've
edited them for brevity and pertinence.

Jack Lloyd wrote:
> If it's small messages, CCM would probably work pretty well. Personally I think
> CCM is really poorly designed (in terms of easy implementation/usage), but take
> a look. There is also EAX, which is IMO significantly nicer. There are a ton of
> others (most of the ones on the page you link to support encrypt+MAC), but it
> seems like EAX and CCM are the only two that are going anywhere (many of the
> others are patented and/or rather painful to implement).
>
> CCM and EAX are both going to be slower than AES+HMAC because they use AES in
> some variant of CBC-MAC. Some of the others have faster MACs, mostly ones based
> on universal hash functions, but the best of them (OCB in particular) have been
> patented.


I'm obviously being naive here ... I had thought that the combined mode would be faster, as it would run through the data once only, and that AES seems to clip along faster than SHA1.

Are you saying that as far as speed goes, I may as well
do AES (using CBC) and add a HMAC on the end?

Or are you saying that only the patented ones manage to
deliver the savings we all expect?  Hmm, reading about
OCB on Phil Rogaway's site does clarify this somewhat.
http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-back.htm

iang

==============

To which Jack replied:

>> I'm obviously being naive here ... I had thought that the combined mode would
>> be faster, as it would run through the data once only, and that AES seems to
>> clip along faster than SHA1.


AFAIK all of the modes that use only one block cipher invocation per block of input are patented. EAX+CCM both use two AES operations per block, and byte-for-byte SHA-1 is 2-5x faster than AES (at least in the implementations I've seen/used/written), so using AES+HMAC is probably going to be faster than AES/EAX or AES/CCM. The obvious exception being boxes with hardware AES chips and slow CPUs (eg, an ARM7 with an AES coprocessor), where AES will of course be much faster than SHA-1.


>> Are you saying that as far as speed goes, I may as well do AES (using CBC)
>> and add a HMAC on the end?


At least on general purpose CPUs, yes.


>> Or are you saying that only the patented ones manage to deliver the savings
>> we all expect? Hmm, reading about OCB on Phil Rogaway's site does clarify
>> this somewhat. http://www.cs.ucdavis.edu/~rogaway/ocb/ocb-back.htm


Pretty much. Though I just remembered that CWC has not been patented by its creators, but I wouldn't be at all surprised if it was covered by one of the others. Even CWC is probably slower than AES+HMAC in software, though apparently it's pretty fast in hardware.

-Jack
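The construction Jack settles on above, AES in CBC mode with an HMAC "on the end", is easy to get subtly wrong, so here it is written out as an added example. This is not code from the thread or from anyone in it; it uses only Go's standard library, and the names Seal, Open and Throughput are my own. The points it makes concrete: MAC after encrypting (encrypt-then-MAC), authenticate the IV as well as the ciphertext, use a separate MAC key, compare the tag in constant time, and refuse to decrypt anything whose tag fails so CBC padding errors are never observable. Throughput times raw AES-CBC against raw SHA-1 so Jack's "SHA-1 is 2-5x faster than AES" claim, which was about software-only AES, can be checked on your own machine; on a CPU with AES instructions the ratio reverses.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
	"time"
)

const tagLen = sha1.Size // HMAC-SHA1 tag, 20 bytes

// pad applies PKCS#7 padding so the input is a whole number of AES blocks.
func pad(p []byte) []byte {
	n := aes.BlockSize - len(p)%aes.BlockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// unpad strips PKCS#7 padding. It is only reached after the tag has verified,
// so a padding failure here cannot act as a padding oracle.
func unpad(p []byte) ([]byte, error) {
	if len(p) == 0 || len(p)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(p[len(p)-1])
	if n == 0 || n > aes.BlockSize || n > len(p) {
		return nil, errors.New("bad padding")
	}
	for _, b := range p[len(p)-n:] {
		if int(b) != n {
			return nil, errors.New("bad padding")
		}
	}
	return p[:len(p)-n], nil
}

// Seal is encrypt-then-MAC: AES-CBC under encKey, then HMAC-SHA1 under a
// separate macKey over IV||ciphertext. Layout: IV (16) || ciphertext || tag (20).
func Seal(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	padded := pad(plaintext)
	out := make([]byte, aes.BlockSize+len(padded), aes.BlockSize+len(padded)+tagLen)
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil { // fresh random IV
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	mac := hmac.New(sha1.New, macKey)
	mac.Write(out) // the IV is authenticated too, not just the ciphertext
	return mac.Sum(out), nil
}

// Open checks the tag in constant time and decrypts only if it verifies.
func Open(encKey, macKey, msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize+tagLen || (len(msg)-tagLen)%aes.BlockSize != 0 {
		return nil, errors.New("malformed message")
	}
	body, tag := msg[:len(msg)-tagLen], msg[len(msg)-tagLen:]
	mac := hmac.New(sha1.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { // constant-time comparison
		return nil, errors.New("authentication failed")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return unpad(pt)
}

// Throughput times raw AES-128-CBC against raw SHA-1 over n bytes (n a
// multiple of 16) and returns both rates in MB/s.
func Throughput(n int) (aesMBps, shaMBps float64) {
	buf := make([]byte, n)
	block, _ := aes.NewCipher(make([]byte, 16)) // throwaway key, timing only
	start := time.Now()
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(buf, buf)
	aesMBps = float64(n) / time.Since(start).Seconds() / 1e6
	start = time.Now()
	sha1.Sum(buf)
	shaMBps = float64(n) / time.Since(start).Seconds() / 1e6
	return aesMBps, shaMBps
}

func main() {
	encKey, macKey := make([]byte, 16), make([]byte, 16) // two distinct keys
	rand.Read(encKey)
	rand.Read(macKey)
	sealed, _ := Seal(encKey, macKey, []byte("hello, list")) // constructed sample message
	pt, err := Open(encKey, macKey, sealed)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	sealed[aes.BlockSize] ^= 1 // flip one ciphertext bit: tag check must fail
	_, err = Open(encKey, macKey, sealed)
	fmt.Println("tampered:", err)
	a, s := Throughput(1 << 24)
	fmt.Printf("AES-CBC %.0f MB/s, SHA-1 %.0f MB/s\n", a, s)
}
```

Per 16-byte block this does one AES call plus the SHA-1 work for 16 bytes, which is the accounting behind Jack's comparison with EAX and CCM (two AES calls per block). Deriving the two keys from one master key with a KDF would be the usual refinement; what matters is that the encryption and MAC keys are never the same bytes.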


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
