On Wed, Mar 01, 2017 at 01:06:27PM +0000, Aaron Zauner wrote:
> I don't see why the IoT/embedded-world can't make use of ChaCha/Poly
> in future implementations?

IF the embedded platform is "generic" (say, it's an ARM Cortex M0+), then ChaCha20 is faster than anything using AES. Poly1305 is less clear because it relies on multiplications, and multiplications can be expensive on small microcontrollers; in my own tests with my own implementations, ChaCha20 and Poly1305 run at roughly the same speed on a Cortex M0+ (with the 1-cycle multiplier option). Even a table-based AES (that is, formally "not constant-time", though on a cache-less microcontroller it might be fine nonetheless) will be about twice as slow. Similarly, the GHASH part of GCM will be slower than Poly1305 (unless you use big key-dependent tables, which is not constant-time but also rarely doable in small embedded systems, where RAM is a very scarce resource).

HOWEVER, there are some microcontrollers with hardware acceleration for AES, e.g. the ESP32 (a popular microcontroller-with-WiFi) has some circuitry that can do an AES block encryption in 11 clock cycles, which is much faster than ChaCha20. Moreover, in the presence of such hardware, CCM will also be much faster than GCM, the GHASH part becoming prohibitively expensive (relative to encryption). The push for CCM mainly comes from that kind of hardware.

(EAX mode might be even preferable on AES-able hardware, but CCM has a stronger legacy foothold.)

--Thomas Pornin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
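Added example, not part of the thread or of any implementation mentioned in it: a minimal Poly1305 in Python, checked against the RFC 8439 test vector, to show where the per-block multiplication discussed above sits. Python's big integers hide the limb arithmetic; on a Cortex M0+ that one product per 16-byte block becomes a series of 32x32-bit multiplies, which is why the multiplier option matters.

```python
import hmac

# The Poly1305 field prime 2^130 - 5 (RFC 8439, section 2.5).
P = (1 << 130) - 5
# Clamp mask applied to r; the cleared bits keep intermediate products
# small enough for limb-based implementations on 32-bit machines.
R_CLAMP = 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF


def poly1305_mac(msg: bytes, key: bytes) -> bytes:
    """One-time Poly1305 tag of msg under a 32-byte key (r || s)."""
    if len(key) != 32:
        raise ValueError("Poly1305 key must be 32 bytes")
    r = int.from_bytes(key[:16], "little") & R_CLAMP
    s = int.from_bytes(key[16:], "little")
    acc = 0
    for i in range(0, len(msg), 16):
        block = msg[i:i + 16]
        # A 0x01 byte is appended before the block is read as a little-endian
        # number, so a short final block maps to a distinct field element.
        n = int.from_bytes(block + b"\x01", "little")
        # The per-block cost: one (acc + n) * r product modulo 2^130 - 5.
        # A 5 x 26-bit-limb implementation spends 25 32x32 multiplies here.
        acc = ((acc + n) * r) % P
    # Add the one-time pad s and keep the low 128 bits.
    return ((acc + s) % (1 << 128)).to_bytes(16, "little")


def poly1305_verify(msg: bytes, key: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(poly1305_mac(msg, key), tag)


# RFC 8439 section 2.5.2 test vector (key, message and expected tag).
RFC8439_KEY = bytes.fromhex(
    "85d6be7857556d337f4452fe42d506a8" "0103808afb0db2fd4abff6af4149f51b")
RFC8439_MSG = b"Cryptographic Forum Research Group"
RFC8439_TAG = bytes.fromhex("a8061dc1305136c6c22b8baf0c0127a9")

if __name__ == "__main__":
    print(poly1305_mac(RFC8439_MSG, RFC8439_KEY).hex())
    print(poly1305_verify(RFC8439_MSG, RFC8439_KEY, RFC8439_TAG))
```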