Yes agreed, and also when you put this into a product there’s usually a whole 
bunch more considerations than just the raw numbers of how fast the hardware 
can execute a given crypto primitive. However I wanted to find an example that 
was public information since companies are often loath to share details of 
their hardware designs. Despite the imperfect example hopefully the point was 
not lost that it’s not uncommon for SHA-256 HMAC to run faster than AES-GCM.

Thanks,

--Jack

From: Eric Rescorla <e...@rtfm.com>
Sent: Thursday, February 11, 2021 6:12 PM
To: Jack Visoky <jmvis...@ra.rockwell.com>
Cc: John Mattsson <john.mattsson=40ericsson....@dmarc.ietf.org>; TLS@ietf.org
Subject: Re: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher 
Suites



On Thu, Feb 11, 2021 at 3:08 PM Jack Visoky <jmvis...@ra.rockwell.com> wrote:
Hi Eric,

I don’t have numbers offhand but I will say that many platforms I have 
experience with have some sort of HW support, and might include things like 
DMA. In these cases ChaCha20-Poly1305 is way behind in terms of performance 
(which is expected as I believe it was mainly targeted to software-only 
implementations).

I’ll anticipate that someone might ask if GCM is not better than SHA-256 with 
hardware support, and of course I will have to say it depends on the platform. 
For some cases it will be, and others it will not. Here is a link to some 
performance numbers which show SHA-256 is faster than GCM 
https://www.ti.com/lit/an/swra667/swra667.pdf?ts=1613069390182.
In other cases GCM may not be supported on a platform but SHA256 is, of course 
that’s kind of a strawman but it could occur.

I doubt it covers the whole difference, but I'd note that SHA-256 is not the 
right comparison point, because what you need here is HMAC, which requires 
nested SHA invocations. This is especially relevant if you have to go back and 
forth to the hardware each time.

-Ekr

Note I am not endorsing this platform or affiliated with it in any way, just 
want to give an example. And it really is just an example, sorry to repeat 
again but I just want to drive home the point that YMMV on things like this.

Thanks,

--Jack


From: Eric Rescorla <e...@rtfm.com>
Sent: Thursday, February 11, 2021 2:51 PM
To: Jack Visoky <jmvis...@ra.rockwell.com>
Cc: John Mattsson <john.mattsson=40ericsson....@dmarc.ietf.org>; TLS@ietf.org
Subject: Re: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher 
Suites



On Thu, Feb 11, 2021 at 11:13 AM Jack Visoky <jmvis...@ra.rockwell.com> wrote:
Hi John, Eric,

Thanks for the input. We will certainly make some changes to the draft 
regarding the inspection case. However, I can’t support removing the 
performance/latency information completely, as I have heard from those who have 
this very concern. That said, we will edit the language to make it clear that 
this is not true in all cases.

Well, the draft just claims that there are latency concerns, but doesn't 
present details. If you want to make this case, it would be helpful to present 
performance numbers that show that these ciphersuites are substantially faster 
than the alternative algorithms (in particular ChaCha20/Poly1305) which is 
quite fast on many low end platforms.

-Ekr

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
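
The point raised in the thread that HMAC needs nested SHA invocations, as an added example (not part of the thread or of the linked application note): HMAC-SHA256 written out per RFC 2104, with a count of SHA-256 compression-function calls per message. The record sizes are constructed, and block counts are only a proxy for cost; they say nothing about transfer overhead to any particular hardware engine.

```python
import hashlib

BLOCK = 64   # SHA-256 block size in bytes
DIGEST = 32  # SHA-256 output size in bytes


def sha256_blocks(n: int) -> int:
    """Compression-function calls SHA-256 makes for an n-byte input.

    Padding appends 0x80 plus an 8-byte length field, so n + 9 bytes are
    rounded up to whole 64-byte blocks.
    """
    return (n + 9 + BLOCK - 1) // BLOCK


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 per RFC 2104, spelled out to show the two nested hashes."""
    if len(key) > BLOCK:
        key = hashlib.sha256(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()   # first SHA-256 invocation
    return hashlib.sha256(opad + inner).digest()  # second SHA-256 invocation


def hmac_blocks(n: int, cached_pads: bool = False) -> int:
    """Compression calls for HMAC-SHA256 over an n-byte message.

    The inner hash covers 64 + n bytes, the outer hash 64 + 32 bytes.
    If the hash states after the ipad and opad blocks are cached per key,
    one block is saved from each invocation (assumes the engine allows
    saving and restoring intermediate state).
    """
    total = sha256_blocks(BLOCK + n) + sha256_blocks(BLOCK + DIGEST)
    return total - 2 if cached_pads else total


if __name__ == "__main__":
    # Constructed record sizes, small to large.
    print(f"{'bytes':>6} {'SHA-256':>8} {'HMAC':>6} {'HMAC cached':>12}")
    for size in (16, 64, 256, 1024, 16384):
        print(f"{size:>6} {sha256_blocks(size):>8} "
              f"{hmac_blocks(size):>6} {hmac_blocks(size, True):>12}")
```

For short records the fixed cost of the second invocation dominates: a 16-byte message is one block for plain SHA-256 but four for HMAC, while at 16 KiB the difference is three blocks out of 260.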
