> On Dec 16, 2014, at 7:28 PM, Hanno Böck <ha...@hboeck.de> wrote:
>
> On Tue, 16 Dec 2014 17:17:01 +0000
> Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
>
>> However, where do we fit ChaCha20/Poly-1305? Again, not
>> hand-placement, but some extensible algorithm.
>
> How about this simpler criterion:
> AEAD always beats non-AEAD. GCM and poly1305 are both AEAD. Done with
> it.
>
> (this doesn't answer whether chacha20-poly1305 or aes-gcm should be
> considered "better", but I don't know if there is a clear consensus on
> that)

Agree about AEAD before non-AEAD.

As for ChaCha20 vs AES-GCM, as long as we don’t have evidence that one is significantly weaker than the other, I don’t think preferences should depend on security arguments, but on performance. Unfortunately, this is difficult to determine, because AES-GCM is faster on modern Intel processors, but slower on older processors and on ARM. It really depends on the application which is preferable.

If we don’t want preference to be user-determined, I guess AES-GCM is more likely to be the preferred cipher for most servers.

Yoav

_______________________________________________
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev
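
The ordering rule discussed in this thread (AEAD ahead of non-AEAD, with the AES-GCM versus ChaCha20-Poly1305 choice made on performance), sketched as an added example that is not code from the thread's participants or from OpenSSL. Classifying suites by name fragment, the `has_aes_hw` flag, and the function names are assumptions made for illustration; the suite list is a constructed sample.

```python
# Added example: rank OpenSSL-style cipher suite names by the thread's criterion.
# Classification by name fragment is an assumption made for this illustration.

AEAD_MARKERS = ("GCM", "CCM", "CHACHA20-POLY1305")  # fragments that denote AEAD modes


def is_aead(name: str) -> bool:
    """True when the suite name uses an AEAD construction."""
    return any(marker in name for marker in AEAD_MARKERS)


def rank(name: str, has_aes_hw: bool) -> tuple:
    """Sort key: AEAD first, then the faster AEAD for this hardware."""
    if not is_aead(name):
        return (1, 0)
    is_chacha = "CHACHA20" in name
    # Performance tiebreak (hypothetical flag): AES-based AEAD first when the
    # CPU has hardware AES, ChaCha20-Poly1305 first when it does not.
    slower = is_chacha if has_aes_hw else not is_chacha
    return (0, 1 if slower else 0)


def order_suites(suites, has_aes_hw):
    """Return suites in preference order for the given hardware."""
    # sorted() is stable, so suites with equal keys keep their configured order.
    return sorted(suites, key=lambda s: rank(s, has_aes_hw))


# Constructed sample list, deliberately in a poor starting order.
SAMPLE = [
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384",
]

if __name__ == "__main__":
    for hw in (True, False):
        label = "hardware AES" if hw else "no hardware AES"
        print(label, order_suites(SAMPLE, hw))
```

Because the sort is stable, the rule only moves suites across the AEAD boundary and across the performance tiebreak; any ordering an administrator already chose within a tier is preserved.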