Cycle counts for authenticated encryption D. J. Bernstein - - PDF document

cycle counts for authenticated encryption d j bernstein
SMART_READER_LITE
LIVE PREVIEW

Cycle counts for authenticated encryption D. J. Bernstein - - PDF document

Dec 02, 2022 281 likes •324 views

Cycle counts for authenticated encryption D. J. Bernstein http://cr.yp.to /streamciphers /timings.html Standard construction: encrypt with stream cipher; authenticate the ciphertext by appending encrypted hash. How to hash the ciphertext?

slide-1
SLIDE 1

Cycle counts for authenticated encryption

  • D. J. Bernstein

http://cr.yp.to /streamciphers /timings.html

slide-2
SLIDE 2

Standard construction: encrypt with stream cipher; authenticate the ciphertext by appending encrypted hash. How to hash the ciphertext? AES(AES(

1) + 2) + 3;

MD5 with a secret IV; Poly1305, provable, fast; UMAC, faster given SSE2; VMAC, faster given AMD64; Badger; MAC1071; etc. How to encrypt the hash? The same stream cipher; MD5, secret IV; AES; etc.

slide-3
SLIDE 3

Cost of standard construction is cost of stream cipher plus cost of encrypted hash plus various overheads: e.g. cache misses (non-orthogonal). Alternative constructions? eSTREAM solicited schemes. Responses: NLS, Phelix, etc. Is an authenticating cipher, such as Phelix, faster than the standard construction? Previous eSTREAM timings didn’t include hash costs.

slide-4
SLIDE 4

Maybe the fastest AE scheme depends on the situation. Decrypting legitimate packets? Rejecting forged packets? Small packets? Large packets? More packet-size effects? Many keys active at once? Only one key? Pentium III? Pentium 4? Athlon? UltraSPARC III? PowerPC G5? Athlon 64 X2? Core 2 Duo? Let’s measure everything!