On Sep 14, 2010, at 2:18 38PM, Zooko O'Whielacronx wrote:
> following-up to my own post:
>
> On Tue, Sep 14, 2010 at 8:54 AM, Zooko O'Whielacronx <[email protected]> wrote:
>>
>> Also, even if you did have a setting where the CPU cost of HMAC-SHA1
>> was a significant part of your performance (at e.g. 12 cycles per byte
>> [1]), then you could always switch to Poly1305 or VMAC (at e.g. 2
>> cycles per byte), or to an authenticated encryption mode (effectively
>> zero cycles per byte?).
>
> Hm, actually [1] shows AES-GCM (an authenticated encryption mode)
> running at 16 cycles per byte, compared to AES-CTR's 13 cycles per
> byte, so we can estimate the CPU cost of switching from
> unauthenticated encryption to authenticated encryption at about 3
> cycles per byte, similar to using VMAC.
>
Given the failures from not authenticating your encryption -- I pointed out
many in IPsec in 1996, but examples are as recent as this week
(http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310#) --
I think that we shouldn't waste our time and coding effort supporting
unauthenticated encryption.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
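The class of failure Steve is pointing at, as an added example that is not from the thread: with an unauthenticated counter-mode stream cipher (a SHA-256-based toy standing in for AES-CTR) an edit to the ciphertext passes straight through into the decrypted plaintext, whereas the same edit is rejected by an encrypt-then-MAC check before any plaintext is released. The keys, nonce and message are constructed sample values.

```python
import hashlib
import hmac
import struct

def keystream(key, nonce, length):
    # Counter-mode keystream from SHA-256 (toy stand-in for AES-CTR).
    blocks = (hashlib.sha256(key + nonce + struct.pack(">Q", i)).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def ctr_xor(key, nonce, data):
    # Unauthenticated stream cipher: data XOR keystream (same for both directions).
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def tag(mac_key, nonce, ct):
    return hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def encrypt_then_mac(enc_key, mac_key, nonce, plaintext):
    ct = ctr_xor(enc_key, nonce, plaintext)
    return ct + tag(mac_key, nonce, ct)

def decrypt_and_verify(enc_key, mac_key, nonce, blob):
    ct, t = blob[:-32], blob[-32:]
    # Constant-time tag check; refuse to decrypt anything that fails it.
    if not hmac.compare_digest(tag(mac_key, nonce, ct), t):
        raise ValueError("authentication failed")
    return ctr_xor(enc_key, nonce, ct)

def edit_ciphertext(ct, offset, old, new):
    # CTR malleability: XORing (old ^ new) into the ciphertext makes `old` decrypt to `new`.
    edited = bytearray(ct)
    for i, (o, n) in enumerate(zip(old, new)):
        edited[offset + i] ^= o ^ n
    return bytes(edited)

def demo():
    enc_key, mac_key, nonce = b"\x11" * 32, b"\x22" * 32, b"\x00" * 12  # constructed
    msg = b"amount=0010;to=alice"
    off = len(b"amount=")
    # Unauthenticated: the edited ciphertext decrypts cleanly to a different amount.
    ct = edit_ciphertext(ctr_xor(enc_key, nonce, msg), off, b"0010", b"9990")
    unauth = ctr_xor(enc_key, nonce, ct)
    # Encrypt-then-MAC: the same edit is rejected before any plaintext is returned.
    blob = edit_ciphertext(encrypt_then_mac(enc_key, mac_key, nonce, msg), off, b"0010", b"9990")
    try:
        decrypt_and_verify(enc_key, mac_key, nonce, blob)
        detected = False
    except ValueError:
        detected = True
    return unauth, detected
```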