[cryptography] "stream MAC" - does anything like it exist?
James A. Donald
jamesd at echeque.com
Tue Sep 14 21:56:46 EDT 2010
On 2010-09-15 4:18 AM, Zooko O'Whielacronx wrote:
> following-up to my own post:
> On Tue, Sep 14, 2010 at 8:54 AM, Zooko O'Whielacronx<zooko at zooko.com> wrote:
>> Also, even if you did have a setting where the CPU cost of HMAC-SHA1
>> was a significant part of your performance (at e.g. 12 cycles per byte
>> ), then you could always switch to Poly1305 or VMAC (at e.g. 2
>> cycles per byte), or to an authenticated encryption mode (effectively
>> zero cycles per byte?).
> Hm, actually  shows AES-GCM (an authenticated encryption mode)
> running at 16 cycles per byte, compared to AES-CTR's 13 cycles per
> byte, so we can estimate the CPU cost of switching from
> unauthenticated encryption to authenticated encryption at about 3
> cycles per byte, similar to using VMAC.
GCM protocol, like arc4, has subtle defects that require subtle
workarounds in the protocol.
On the other hand, GCM, like arc4, is sufficiently well studied that
they have *found* such subtle defects, giving us some confidence that
more serious defects are absent.
arc4 is easy to do wrong, and notoriously numerous people got it wrong
over and over again, with disastrous results. The same may well happen
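The thread's subject asks whether a MAC can be applied to a stream rather than a whole message. The following is an added example, not code from any participant in this thread: it shows one way to do that with a single running HMAC (HMAC-SHA256 from the Python standard library; the thread mentions HMAC-SHA1, the hash choice here is mine) whose intermediate state is snapshotted into a per-chunk tag. Each tag commits to every earlier frame, frames carry a sequence number, and a FINAL frame lets the receiver detect a stream that was cut short. The frame layout, the 16-byte truncated tag and the constructed key are assumptions of this example; it provides integrity only, not confidentiality.

```python
import hashlib
import hmac
import struct
from typing import Iterable, Iterator, List, Tuple

TAG_LEN = 16          # truncated HMAC-SHA256 tag per frame (assumption for this example)
DATA, FINAL = 0, 1    # frame kinds

Frame = Tuple[int, int, bytes, bytes]  # (kind, seq, chunk, tag)


def _absorb(h, kind: int, seq: int, chunk: bytes) -> None:
    # Length-prefix every field so two chunkings of the same bytes never
    # produce the same MAC input (prevents re-splitting ambiguity).
    h.update(struct.pack(">BQI", kind, seq, len(chunk)))
    h.update(chunk)


def mac_stream(key: bytes, stream_id: bytes, chunks: Iterable[bytes]) -> List[Frame]:
    """Sender side: one running HMAC over the whole stream. Each frame carries
    a snapshot of it, so the tag on frame i commits to frames 0..i."""
    h = hmac.new(key, stream_id, hashlib.sha256)  # stream_id binds this key use to one stream
    frames: List[Frame] = []
    seq = 0
    for chunk in chunks:
        _absorb(h, DATA, seq, chunk)
        frames.append((DATA, seq, chunk, h.copy().digest()[:TAG_LEN]))
        seq += 1
    # Explicit end-of-stream frame: without it a receiver cannot tell a
    # complete stream from one whose tail was dropped.
    _absorb(h, FINAL, seq, b"")
    frames.append((FINAL, seq, b"", h.copy().digest()[:TAG_LEN]))
    return frames


def verify_stream(key: bytes, stream_id: bytes, frames: Iterable[Frame]) -> Iterator[bytes]:
    """Receiver side: yields each chunk only after its tag checks. Raises
    ValueError on tampering, reordering, replay or a stream cut off before FINAL."""
    h = hmac.new(key, stream_id, hashlib.sha256)
    expected_seq = 0
    finished = False
    for kind, seq, chunk, tag in frames:
        if finished:
            raise ValueError("frame after FINAL")
        if seq != expected_seq:
            raise ValueError(f"frame out of order: got {seq}, expected {expected_seq}")
        _absorb(h, kind, seq, chunk)
        # Constant-time comparison of the truncated running MAC.
        if not hmac.compare_digest(h.copy().digest()[:TAG_LEN], tag):
            raise ValueError(f"bad tag on frame {seq}")
        expected_seq += 1
        if kind == FINAL:
            finished = True
        else:
            yield chunk
    if not finished:
        raise ValueError("stream truncated: no FINAL frame")


def receive_all(key: bytes, stream_id: bytes, frames: Iterable[Frame]) -> bytes:
    """Drain the verified stream into one byte string (convenience for callers)."""
    return b"".join(verify_stream(key, stream_id, frames))


def is_rejected(key: bytes, stream_id: bytes, frames: Iterable[Frame]) -> bool:
    """True if the receiver refuses the stream; used to exercise failure modes."""
    try:
        receive_all(key, stream_id, frames)
    except ValueError:
        return True
    return False


# Constructed sample key and stream; not secret and not from the thread.
KEY = b"example-key-for-stream-mac-demo"
STREAM_ID = b"session-42"
CHUNKS = [b"hello ", b"world", b"", b"!"]


def demo_frames() -> List[Frame]:
    return mac_stream(KEY, STREAM_ID, CHUNKS)


def tampered(frames: List[Frame]) -> List[Frame]:
    kind, seq, _, tag = frames[1]
    return frames[:1] + [(kind, seq, b"WORLD", tag)] + frames[2:]


if __name__ == "__main__":
    f = demo_frames()
    print(receive_all(KEY, STREAM_ID, f))
    print("tampered rejected:", is_rejected(KEY, STREAM_ID, tampered(f)))
    print("truncated rejected:", is_rejected(KEY, STREAM_ID, f[:-1]))
    print("reordered rejected:", is_rejected(KEY, STREAM_ID, [f[1], f[0]] + f[2:]))
```

The receiver releases a chunk as soon as its own tag verifies, which is what makes this usable on a stream, but a consumer that acts on partial output must still treat the missing-FINAL error as a failure of the whole stream, since everything released before that point could be an adversarially truncated prefix.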