On Wed, Mar 01, 2017 at 01:06:27PM +0000, Aaron Zauner wrote:
> I don't see why the IoT/embedded-world can't make use of ChaCha/Poly
> in future implementations?

IF the embedded platform is "generic" (say, it's an ARM Cortex M0+),
then ChaCha20 is faster than anything using AES. Poly1305 is less clear
because it relies on multiplications and multiplications can be
expensive on small microcontrollers; in my own tests with my own
implementations, ChaCha20 and Poly1305 run at roughly the same speed on
a Cortex M0+ (with the 1-cycle multiplier option). Even a table-based
AES (that is, formally "not constant-time", though on a cache-less
microcontroller it might be fine nonetheless) will be about twice as
slow. Similarly, the GHASH part of GCM will be slower than Poly1305
(unless you use big key-dependent tables, which is not constant-time but
also rarely doable in small embedded systems, where RAM is a very scarce
resource).

HOWEVER, there are some microcontrollers with hardware acceleration for
AES, e.g. the ESP32 (a popular microcontroller-with-WiFi) has some
circuitry that can do an AES block encryption in 11 clock cycles, which
is much faster than ChaCha20. Moreover, in the presence of such
hardware, CCM will also be much faster than GCM, the GHASH part becoming
prohibitively expensive (relative to encryption). The push for CCM
mainly comes from that kind of hardware.

(EAX mode might be even preferable on AES-able hardware, but CCM has
a stronger legacy foothold.)


        --Thomas Pornin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
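The speed argument above rests on ChaCha20 being an ARX design: the whole block function is 32-bit additions, XORs and rotations, with no multiplications and no table lookups, which is why it runs well on a small core with no cache and no fast multiplier. The following C implementation of the ChaCha20 block function (RFC 8439 section 2.3) is an added example and not code from the original message or from its author's own implementations; it uses only the RFC 8439 test vectors (quarter round, section 2.1.1; block function, section 2.3.2) as checks, and the helper names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ROTL32(v, n) (((v) << (n)) | ((v) >> (32 - (n))))

/* One ChaCha quarter-round: 4 adds, 4 xors, 4 rotates on 32-bit words.
 * No multiplications and no data-dependent memory accesses, so it is
 * constant-time by construction and cheap on a multiplier-less core. */
static void quarter_round(uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d)
{
    *a += *b; *d ^= *a; *d = ROTL32(*d, 16);
    *c += *d; *b ^= *c; *b = ROTL32(*b, 12);
    *a += *b; *d ^= *a; *d = ROTL32(*d, 8);
    *c += *d; *b ^= *c; *b = ROTL32(*b, 7);
}

static uint32_t load32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* ChaCha20 block function: 256-bit key, 32-bit block counter, 96-bit
 * nonce -> 16 little-endian words (64 bytes) of keystream. */
void chacha20_block(const uint8_t key[32], uint32_t counter,
                    const uint8_t nonce[12], uint32_t out[16])
{
    static const uint32_t sigma[4] = { 0x61707865, 0x3320646e,
                                       0x79622d32, 0x6b206574 };
    uint32_t s[16], w[16];
    size_t i;

    for (i = 0; i < 4; i++) s[i] = sigma[i];              /* constants */
    for (i = 0; i < 8; i++) s[4 + i] = load32_le(key + 4 * i);
    s[12] = counter;
    for (i = 0; i < 3; i++) s[13 + i] = load32_le(nonce + 4 * i);

    memcpy(w, s, sizeof w);
    for (i = 0; i < 10; i++) {               /* 20 rounds = 10 double rounds */
        quarter_round(&w[0], &w[4], &w[8],  &w[12]);   /* column rounds */
        quarter_round(&w[1], &w[5], &w[9],  &w[13]);
        quarter_round(&w[2], &w[6], &w[10], &w[14]);
        quarter_round(&w[3], &w[7], &w[11], &w[15]);
        quarter_round(&w[0], &w[5], &w[10], &w[15]);   /* diagonal rounds */
        quarter_round(&w[1], &w[6], &w[11], &w[12]);
        quarter_round(&w[2], &w[7], &w[8],  &w[13]);
        quarter_round(&w[3], &w[4], &w[9],  &w[14]);
    }
    for (i = 0; i < 16; i++) out[i] = w[i] + s[i];       /* feed-forward */
}

/* RFC 8439 section 2.1.1 quarter-round test vector; returns word idx
 * (0..3 = a,b,c,d) of the result. Helper name is this example's own. */
uint32_t rfc8439_qr_word(int idx)
{
    uint32_t v[4] = { 0x11111111, 0x01020304, 0x9b8d6f43, 0x01234567 };
    quarter_round(&v[0], &v[1], &v[2], &v[3]);
    return v[idx];
}

/* RFC 8439 section 2.3.2 block-function test vector: key 00..1f, nonce
 * 00:00:00:09:00:00:00:4a:00:00:00:00, counter 1; returns out[idx]. */
uint32_t rfc8439_block_word(int idx)
{
    uint8_t key[32];
    uint8_t nonce[12] = { 0, 0, 0, 9, 0, 0, 0, 0x4a, 0, 0, 0, 0 };
    uint32_t out[16];
    int i;
    for (i = 0; i < 32; i++) key[i] = (uint8_t)i;
    chacha20_block(key, 1, nonce, out);
    return out[idx];
}

int main(void)
{
    int i;
    for (i = 0; i < 16; i++)
        printf("%08x%s", rfc8439_block_word(i), (i % 4 == 3) ? "\n" : " ");
    return 0;
}
```

Counting operations in the loop gives the cost picture the message describes: 80 quarter-rounds per block, each 12 single-cycle ALU operations on a Cortex-M class core, and nothing else. Poly1305, by contrast, needs 130-bit multiplications per 16-byte block, which is where the multiplier option on the core starts to matter.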