[Cryptography] recommending ChaCha20 instead of RC4 (RC4 again)

dj at deadhat.com dj at deadhat.com
Wed Mar 12 14:48:20 EDT 2014

> On Tue, Mar 11, 2014 at 3:02 PM, Jon Callas <jon at callas.org> wrote:
>>> When it comes to Intel's Haswell CPUs, AES-GCM is twice as fast as
>>> ChaCha20.
>> Yes, but the world is not Intel, it's ARM. Meow.
>> The world would be better served by CCM, which can be implemented well
>> even in Javascript than more GCM, which is slow in most places, and is
>> brittle.
> Do you have CCM performance numbers to share? Or do you have GCM
> performance numbers for ARM?
> Krovetz and Rogaway show CCM as slightly slower than GCM on x86, ARM,
> and PowerPC: http://www.cs.ucdavis.edu/~rogaway/papers/ae.pdf
> For x86, this paper predates some of Shay Gueron's GCM optimizations
> which are checked into OpenSSL and the PCLMULQDQ instruction in
> Haswell. GCM is now running at ~1 cycle / byte.

Every CCM implementation I've seen or designed myself in commercial
products has been in hardware.

I like CCM because I can see how it works without needing a degree in
mathematics and because the authors paid attention to how packets are
encoded. I'm one of those that voted OCB off the 802.11i island in favor
of CCM.

If you need many bytes/clock, GCM is the right choice. Hence 802.11i used
CCM whereas 802.1AE (really for 802.3) used GCM since it has to work on
wired protocols.

More information about the cryptography mailing list