[cryptography] "stream MAC" - does anything like it exist?

Steven Bellovin smb at cs.columbia.edu
Tue Sep 14 14:27:24 EDT 2010


On Sep 14, 2010, at 2:18 38PM, Zooko O'Whielacronx wrote:

> following-up to my own post:
> 
> On Tue, Sep 14, 2010 at 8:54 AM, Zooko O'Whielacronx <zooko at zooko.com> wrote:
>> 
>> Also, even if you did have a setting where the CPU cost of HMAC-SHA1
>> was a significant part of your performance (at e.g. 12 cycles per byte
>> [1]), then you could always switch to Poly1305 or VMAC (at e.g. 2
>> cycles per byte), or to an authenticated encryption mode (effectively
>> zero cycles per byte?).
> 
> Hm, actually [1] shows AES-GCM (an authenticated encryption mode)
> running at 16 cycles per byte, compared to AES-CTR's 13 cycles per
> byte, so we can estimate the CPU cost of switching from
> unauthenticated encryption to authenticated encryption at about 3
> cycles per byte, similar to using VMAC.
> 
Given the failures from not authenticating your encryption -- I pointed out many in IPsec in 1996, but examples are as recent as this week (http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310#) I think that we shouldn't waste our time and coding effort supporting unauthenticated encryption.


		--Steve Bellovin, http://www.cs.columbia.edu/~smb








More information about the cryptography mailing list