- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Wed, 18 Dec 2013 09:26:11 -0800
- To: Matthew Kerwin <matthew@kerwin.net.au>
- Cc: Patrick McManus <pmcmanus@mozilla.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

On 17 December 2013 17:43, Matthew Kerwin <matthew@kerwin.net.au> wrote:

> * coming back to my understanding that decrypting the entire thing is pretty
> expensive, but calculating a checksum/hash and decrypting that is cheaper.
> If that's an incorrect assumption then please correct me.

That's not a perfect assumption. It's certainly true for TLS modes where encryption and authentication form different steps, such as with AES CBC + HMAC modes.

On the other hand, AES-GCM doesn't require running a hash over the entire message, the MAC is effectively just a byproduct of encryption (not really, but you might consider it as such), so in that case I believe it to be faster to encrypt and authenticate than to just authenticate.

I'm told that with AES-NI instructions on recent CPUs GCM is about as fast as memcpy, and it runs the same order number of operations as HMAC. I'm not aware of a pure hash function that works as quickly, and one that is even close to available in the same way.

Received on Wednesday, 18 December 2013 17:26:39 UTC