Hi Willy,

> Also, given the numbers, the most important is not the CPU on the terminal
> but what it costs on the server side : the algorithm focuses on devices
> that don't have AES hardware acceleration (which I'd call low-end devices),
> and in the tests, these devices still get 200-300 Mbps of AES, which is much
> beyond what their connectivity allows.
>
> What this means is that until we reach such speeds, the algorithm is not a
> limiting factor on these machines. But if it becomes a limiting factor for
> the servers dealing with tens of hundreds of these devices in parallel, then
> the choice goes for the fastest *server-side* algorithm which will allow
> *all* users to benefit from it at the same time.

Adam Langley's original article is far more technical [1].

Pros/Cons of AES-GCM as summarized in that article (quoting):
> AES-GCM is great if you have hardware support for it: Haswell chips can
> do it in just about 1 cycle/byte. However, it's very much a hardware
> orientated algorithm and it's *very* difficult to implement securely in
> software with reasonable speed. Also, since TLS has all the infrastructure
> for cipher suite negotiation already, it's nice to have a backup in the
> wings should it be needed.

So this is more about what can be done on such platforms in a secure way
with enough performance.


I don't think post TLS handshake symmetric encryption performance will be
a chokepoint on servers/proxies terminating TLS any time soon.

ChaCha20-Poly1305 achieves 4 Gbps (vs 7,2 Gbps with AES-128-GCM) on Sandy
Bridge Xeon. Multiplied with a number of cores, I suspect we have enough
server side resources for symmetric encryption.


We have more pressing problems with the asymmetric handshakes in high load
environments, which in a non-threading, event-loop based architecture
block the process [2].

That's why the guys at Fastly (CDN and more) run Apache with 96k threads [3].

They can terminate more sessions on Apache than on nginx by a factor of 5.



Regards,

Lukas



[1] https://www.imperialviolet.org/2014/02/27/tlssymmetriccrypto.html
[2] http://forum.nginx.org/read.php?2,245978,249411#msg-249411
[3] http://youtu.be/zrSvoQz1GOs?t=24m45s

                                          
