[cryptography] "stream MAC" - does anything like it exist?

James A. Donald jamesd at echeque.com
Tue Sep 14 21:56:46 EDT 2010

On 2010-09-15 4:18 AM, Zooko O'Whielacronx wrote:
> following-up to my own post:
> On Tue, Sep 14, 2010 at 8:54 AM, Zooko O'Whielacronx <zooko at zooko.com> wrote:
>> Also, even if you did have a setting where the CPU cost of HMAC-SHA1
>> was a significant part of your performance (at e.g. 12 cycles per byte
>> [1]), then you could always switch to Poly1305 or VMAC (at e.g. 2
>> cycles per byte), or to an authenticated encryption mode (effectively
>> zero cycles per byte?).
> Hm, actually [1] shows AES-GCM (an authenticated encryption mode)
> running at 16 cycles per byte, compared to AES-CTR's 13 cycles per
> byte, so we can estimate the CPU cost of switching from
> unauthenticated encryption to authenticated encryption at about 3
> cycles per byte, similar to using VMAC.

GCM protocol, like arc4, has subtle defects that require subtle
workarounds in the protocol.

On the other hand, GCM, like arc4, is sufficiently well studied that
they have *found* such subtle defects, giving us some confidence that
more serious defects are absent.

arc4 is easy to do wrong, and notoriously numerous people got it wrong
over and over again, with disastrous results.  The same may well happen
with GCM.

