+1 to Eric.
Re. GCM – one problem it has is catastrophic failure if nonce is mis-/re-used.
Which is why I’d rather see AES-GCM-SIV.
--
Regards,
Uri
There are two ways to design a system. One is to make it so simple there are
obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
- C. A. R. Hoare
From: TLS <[email protected]> on behalf of Eric Rescorla <[email protected]>
Date: Thursday, February 11, 2021 at 18:13
To: Jack Visoky <[email protected]>
Cc: John Mattsson <[email protected]>, "[email protected]"
<[email protected]>
Subject: Re: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher Suites
On Thu, Feb 11, 2021 at 3:08 PM Jack Visoky <[email protected]> wrote:
Hi Eric,
I don’t have numbers offhand but I will say that many platforms I have
experience with have some sort of HW support, and might include things like
DMA. In these cases ChaCha20-Poly1305 is way behind in terms of performance
(which is expected as I believe it was mainly targeted to software-only
implementations).
I’ll anticipate that someone might ask if GCM is not better than SHA-256 with
hardware support, and of course I will have to say it depends on the platform.
For some cases it will be, and for others it will not. Here is a link to some
performance numbers which show SHA-256 is faster than GCM:
https://www.ti.com/lit/an/swra667/swra667.pdf?ts=1613069390182. In other cases
GCM may not be supported on a platform but SHA-256 is; of course that’s kind of
a strawman, but it could occur.
I doubt it covers the whole difference, but I'd note that SHA-256 is not the
right comparison point, because what you need here is HMAC, which requires
nested SHA invocations. This is especially relevant if you have to go back and
forth to the hardware each time.
-Ekr
Note I am not endorsing this platform or affiliated with it in any way, just
want to give an example. And it really is just an example, sorry to repeat
again but I just want to drive home the point that YMMV on things like this.
Thanks,
--Jack
From: Eric Rescorla <[email protected]>
Sent: Thursday, February 11, 2021 2:51 PM
To: Jack Visoky <[email protected]>
Cc: John Mattsson <[email protected]>; [email protected]
Subject: Re: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher Suites
On Thu, Feb 11, 2021 at 11:13 AM Jack Visoky <[email protected]> wrote:
Hi John, Eric,
Thanks for the input. We will certainly make some changes to the draft
regarding the inspection case. However, I can’t support removing the
performance/latency information completely, as I have heard from those who have
this very concern. That said, we will edit the language to make it clear that
this is not true in all cases.
Well, the draft just claims that there are latency concerns, but doesn't
present details. If you want to make this case, it would be helpful to present
performance numbers that show that these ciphersuites are substantially faster
than the alternative algorithms (in particular ChaCha20/Poly1305) which is
quite fast on many low end platforms.
-Ekr
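The nested-invocation point above, as an added example that is not from any poster in this thread: HMAC-SHA256 written out per RFC 2104, so the two SHA-256 calls per MAC (three for an over-long key) are explicit, plus a variant that absorbs the key-dependent first block of each hash once per connection. Sample key and record bytes are constructed for illustration; the stdlib `hmac` module serves as the oracle.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 processes 64-byte blocks; HMAC pads the key to this


def hmac_sha256_nested(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 as RFC 2104 defines it, so the two nested SHA-256
    invocations per MAC are visible: H(K^opad || H(K^ipad || m))."""
    if len(key) > BLOCK_SIZE:            # long keys cost a third hash call
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + message).digest()   # invocation 1
    return hashlib.sha256(opad + inner).digest()      # invocation 2


class PrecomputedHmacSha256:
    """Per-connection HMAC with the key-dependent first block of each hash
    absorbed once; each record then needs only two short finalizations.
    An engine that cannot hold two midstates must instead replay both padded
    key blocks for every record, which adds per-record hash work."""

    def __init__(self, key: bytes) -> None:
        if len(key) > BLOCK_SIZE:
            key = hashlib.sha256(key).digest()
        key = key.ljust(BLOCK_SIZE, b"\x00")
        self._inner = hashlib.sha256(bytes(b ^ 0x36 for b in key))
        self._outer = hashlib.sha256(bytes(b ^ 0x5C for b in key))

    def mac(self, message: bytes) -> bytes:
        h_in = self._inner.copy()
        h_in.update(message)
        h_out = self._outer.copy()
        h_out.update(h_in.digest())
        return h_out.digest()

    def verify(self, message: bytes, tag: bytes) -> bool:
        # Constant-time comparison: a plain == on tags leaks via timing.
        return hmac.compare_digest(self.mac(message), tag)


# Constructed sample values (not taken from the thread).
SAMPLE_KEY = b"constructed 32-byte traffic key!"
SAMPLE_RECORD = b"TLS record payload (constructed)"


def reference_mac(key: bytes, message: bytes) -> bytes:
    """Python's hmac module, used as the oracle for the two versions above."""
    return hmac.new(key, message, hashlib.sha256).digest()
```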
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
