On Tue, Sep 14, 2010 at 08:54:36AM -0700, Zooko O'Whielacronx wrote: > Also, even if you did have a setting where the CPU cost of HMAC-SHA1 > was a significant part of your performance (at e.g. 12 cycles per byte > [1]), then you could always switch to Poly1305 or VMAC (at e.g. 2 > cycles per byte), or to an authenticated encryption mode (effectively > zero cycles per byte?).
As far as I know the only authenticated mode that is really 'free' is OCB (which requires 1 block cipher operation per block encrypted/authenticated, plus some polynomial operations); others either require two block cipher encryptions per block processed (CCM, EAX, anything else using CBC-MAC) or use a Carter-Wegman MAC (GCM). OCB is patented (though you can use it for free if the software is GPLed, or if you don't care about not being able to use it in the US). Otherwise, your choices seem to be use a CBC-MAC (or HMAC) or a CW MAC (GMAC, UMAC, VMAC, Poly1035, take your pick). -Jack _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
