Hardware support for AES but not SHA2 is extremely common. For devices without acceleration, ChaCha20-Poly1305 is likely to be faster than SHA256 (e.g. according to https://www.bearssl.org/speed.html).
Unless your device has hardware offload for SHA256 but _not_ for AES (a rare combination), you can likely do AEAD faster than these integrity-only ciphersuites.

The draft implies that performance ("latency", "processing power") is a motivation for using these ciphers. (It also mentions "runtime memory footprint" and "the need to minimize the number of cryptographic algorithms used", which are separate considerations.)

On Mon, Feb 8, 2021 at 7:41 PM Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:

> Ben Schwartz <bemasc=40google....@dmarc.ietf.org> writes:
>
> >If you are updating the text, I would recommend removing the claim about
> >performance. In general, the ciphersuites specified in the text are likely
> >to be slower than popular AEAD ciphersuites like AES-GCM.
>
> Uhh... when is AES-GCM faster than SHA2, except on systems with hardware
> support for AES-GCM and no hardware support for SHA2?
>
> Peter.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls