I've seen in 2 places where NIST acknowledges the possibility of using an AEAD algorithm as a MAC (e.g. page 7 section 5.2 of GCM spec, summary for LAEM on page 6 of LWC status report).

An AEAD algorithm requires a nonce - something that doesn't fit well into the interface of $\text{MAC}_K(M) \rightarrow T$. Most (and the correct) APIs for AEAD implementations (e.g. Web Crypto, Apple CryptoKit) receive input all-at-once - they are not progressively updated. On the other hand, HMAC has several more applications than authenticating messages - HMAC_DRBG, HKDF, to name a few. And they seem to be specifically instantiated from HMAC and cannot use other MACs, whether artificial like GMAC or associated with the algorithms they come with such as KMAC from SHA3/Keccak or keyed BLAKE2.

So to summarize, MACs derived from AEAD: 1) need a nonce, 2) need a different API (init-update-final) from that of AEAD (all-at-once), and 3) lack usefulness.

Is there any benefit to using an AEAD as a MAC (edit: specifically as a building block in constructs that expect one that behaves like a PRF, such as HMAC) other than "it reduces code/circuit size"?

And what is (or was) NIST thinking when they acknowledge(d) using an AEAD as a MAC?

Answer 1

Your question almost answers itself, in my opinion: somebody who was involved in NIST's standardization process would need to chime in, but likely they were thinking that it reduces code/circuit size in some applications.

Something that's becoming increasingly common is for cryptography APIs to offer incremental constructions on top of all-at-once AEADs:

So don't make the mistake of thinking that, because vendor crypto libraries still haven't adopted this approach, therefore all-at-once is always the correct way to use an AEAD, or that having an incremental primitive is more valuable than it really is. That is, the contrast you bring up between the APIs of AEADs and MACs, and use as a premise for your evaluation of the disadvantages of an AEAD-as-MAC construction, does reflect very common implementation choices, but beware reading too much into it.

And even in a scenario where you only need a MAC, you might still need to worry whether an adversary can cause harm by undetectably reordering, duplicating or deleting the messages in a stream. This is often taken care of by higher-level protocols that incorporate e.g. a message number as part of the input to the MAC (which is a kind of nonce!), but streaming AEAD constructions like these would get you this sort of protection for free as well.

Answer 2

Efficiency is one reason why e.g. GCM uses GMAC, which can be a relatively fast operation with hardware support. Modern (AMD 64 compatible) processors have an Intel-defined multiplication instruction called PCLMULQDQ to support it (Intel hosted PDF). However, in software it could actually be slower than other MAC implementations.

Commonly GCM is said to have 1.5 passes instead of the actual two to indicate that the MAC pass is faster than what you would commonly expect (the speed depends on the implementation and isn't necessarily 0.5 times the speed of a "normal" MAC).

Note that if the ciphertext is empty, the GCM spec will simply hash the padded AAD, the length of the AAD (64 bits) and the length of the ciphertext (64 bits set to zero). As the lengths together make one 128 bit block, this is relatively efficient. The computation is just GMAC according to the specification. Some libraries still have a separate GMAC implementation though.

CPU cycles on Intel

Currently GMAC scores about 2.33 cycles / byte using the optimized instruction, SHA-256 in software somewhat over 11 cycles / byte, but in hardware (Intel SHA extensions) it may be faster at 1.9 cycles / byte (!).

Above are general cycle counts on modern 2017-2020 Intel CPUs. Beware that these are optimal results; it's not required that software makes use of these instructions.

For smaller messages you should also keep in mind that there will be a non-negligible overhead for both GMAC and HMAC constructions.