On 2010-09-15 4:18 AM, Zooko O'Whielacronx wrote:
> following-up to my own post:
> On Tue, Sep 14, 2010 at 8:54 AM, Zooko O'Whielacronx <[email protected]> wrote:
> > Also, even if you did have a setting where the CPU cost of HMAC-SHA1
> > was a significant part of your performance (at e.g. 12 cycles per byte
> > [1]), then you could always switch to Poly1305 or VMAC (at e.g. 2
> > cycles per byte), or to an authenticated encryption mode (effectively
> > zero cycles per byte?).
> Hm, actually [1] shows AES-GCM (an authenticated encryption mode)
> running at 16 cycles per byte, compared to AES-CTR's 13 cycles per
> byte, so we can estimate the CPU cost of switching from
> unauthenticated encryption to authenticated encryption at about 3
> cycles per byte, similar to using VMAC.
GCM protocol, like arc4, has subtle defects that require subtle
workarounds in the protocol.
On the other hand, GCM, like arc4, is sufficiently well studied that
they have *found* such subtle defects, giving us some confidence that
more serious defects are absent.
arc4 is easy to do wrong, and notoriously numerous people got it wrong
over and over again, with disastrous results. The same may well happen
with GCM.
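As an added example (not from this thread or any of its authors), the Go program below shows the kind of "subtle workaround" GCM needs in practice: the well-known rule, which the reply does not spell out, that a key/nonce pair must never be reused, enforced here with a counter-derived nonce and a per-key message cap, while keeping the full 16-byte tag. The all-zero key, the message cap and the "hdr" associated data are constructed values for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// gcmSender wraps AES-GCM with the nonce discipline the email alludes to: the
// 96-bit nonce carries a strictly increasing counter so a key/nonce pair never
// repeats, and a per-key message cap stops the counter wrapping. Full 16-byte tags.
type gcmSender struct {
	aead            cipher.AEAD
	counter, maxMsg uint64
}

func newGCMSender(key []byte, maxMsg uint64) (*gcmSender, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // standard 12-byte nonce, 16-byte tag
	return &gcmSender{aead: aead, maxMsg: maxMsg}, err
}

// seal returns nonce||ciphertext||tag, or an error once the key's budget is spent.
func (s *gcmSender) seal(plaintext, aad []byte) ([]byte, error) {
	if s.counter >= s.maxMsg {
		return nil, fmt.Errorf("key exhausted after %d messages: rotate it", s.counter)
	}
	nonce := make([]byte, s.aead.NonceSize()) // 4 zero bytes || 64-bit counter
	binary.BigEndian.PutUint64(nonce[4:], s.counter)
	s.counter++
	return s.aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open verifies the full tag before releasing any plaintext.
func open(aead cipher.AEAD, msg, aad []byte) ([]byte, error) {
	if n := aead.NonceSize(); len(msg) >= n+aead.Overhead() {
		return aead.Open(nil, msg[:n], msg[n:], aad)
	}
	return nil, fmt.Errorf("message too short (%d bytes)", len(msg))
}

func main() { // constructed all-zero key: demo only, never use in practice
	s, _ := newGCMSender(make([]byte, 16), 1<<32)
	ct, _ := s.seal([]byte("hello, list"), []byte("hdr"))
	fmt.Println(open(s.aead, ct, []byte("hdr")))
}
```

The counter only protects the sender's side; a receiver that also needs replay protection has to remember the highest nonce accepted and reject anything at or below it.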
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography