[Cryptography] recommending ChaCha20 instead of RC4 (RC4 again)

Jon Callas jon at callas.org
Wed Mar 12 11:56:45 EDT 2014

> Do you have CCM performance numbers to share? Or do you have GCM
> performance numbers for ARM?

No, because there's no one thing.

If you're on a modern Intel processor, GCM is fast. If you're not, it isn't, and how fast it is depends on many things in your execution system. If you're doing things in interpreted languages, it goes to hell quickly.

For me, I have a larger concern about GCM brittleness. It's the security properties, not the speed. There are many things that can go wrong and it's hard to get right. This is the essence of Niels Ferguson's commentary in <http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf>.

CCM, in contrast, is pretty straightforward. It just requires AES. It lacks the efficiency of OCB, but is *understandable*, which is a really nice property. For standards purposes, it's RFC 3610, and there are similar options for it in TLS as for GCM. It's not great, but it's free of intellectual property, and is understandable and reliable. You know what's in the box. (Yes, OCB is an even better choice, and eventually that might be the real answer. OCB's problem is one that can be fixed by ink on paper -- a better license, or the patent expiring.)

I'm a bit exasperated because yet again, a discussion of security gets turned into a discussion of performance. There are many places where GCM is a really fine mode, but there are many where it is not, and jumping from RC4 to GCM is jumping from a frying pan to another frying pan.
