[147502] in cryptography@c2.net mail archive


[Cryptography] Performance vs security

daemon@ATHENA.MIT.EDU (John Kelsey)
Sat Oct 5 10:36:15 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <D38209BF-EB74-4922-8F40-28CDB2B2CAD5@lrw.com>
From: John Kelsey <crypto.jmk@gmail.com>
Date: Fri, 4 Oct 2013 11:26:39 -0400
To: Jerry Leichter <leichter@lrw.com>
Cc: Ray Dillinger <bear@sonic.net>,
	"cryptography@metzdowd.com List" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

There are specific algorithms where you have a pretty clear-cut security/performance tradeoff.  RSA and ECC both give you some choice of security level that has a big impact in terms of performance.  AES and SHA2 and eventually SHA3 offer you some security level choices, but the difference in performance between them is relatively unimportant in most applications.  Probably the coolest thing about Keccak's capacity parameter is that it gives you an understandable performance/security tradeoff, but the difference in performance between c=256 and c=512 will probably not be noticeable in 99% of applications.

Then there are algorithms that give you higher performance at the cost of more fragility.  The example I can think of here is GCM, which gives you a pretty fast authenticated encryption mode, but which really loses security in a hurry if you reuse an IV.

It seems like these two kinds of security/performance tradeoffs belong in different categories, somehow.  

--John


_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
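
Added example, not part of the message above: the Keccak capacity tradeoff it mentions, worked through as permutation calls per message for c=256 and c=512. It assumes the Keccak-f[1600] sponge and, for the optional timing, uses Python's hashlib SHAKE128 (c=256) and SHAKE256 (c=512), which were standardized after this message; all function names are the example's own.

```python
# Added example (not from the original message): cost of the Keccak capacity choice.
import hashlib
import timeit

STATE_BITS = 1600  # width of the Keccak-f[1600] permutation


def rate_bytes(capacity_bits: int) -> int:
    """Bytes absorbed per permutation call: r = 1600 - c."""
    if capacity_bits % 8 or not 0 < capacity_bits < STATE_BITS:
        raise ValueError("capacity must be a byte multiple in (0, 1600)")
    return (STATE_BITS - capacity_bits) // 8


def generic_security_bits(capacity_bits: int) -> int:
    """Generic sponge attacks cost about 2^(c/2) work."""
    return capacity_bits // 2


def absorb_calls(msg_len: int, capacity_bits: int) -> int:
    """Permutation calls to absorb msg_len bytes.

    Padding always adds at least one byte, so a message that exactly
    fills a block still costs one extra call.
    """
    return msg_len // rate_bytes(capacity_bits) + 1


def cost_ratio(msg_len: int) -> float:
    """Work at c=512 relative to c=256 for one message."""
    return absorb_calls(msg_len, 512) / absorb_calls(msg_len, 256)


def measured_ratio(msg_len: int, repeat: int = 200) -> float:
    """Wall-clock ratio using SHAKE256 (c=512) vs SHAKE128 (c=256)."""
    data = bytes(msg_len)  # constructed all-zero input
    slow = timeit.timeit(lambda: hashlib.shake_256(data).digest(32), number=repeat)
    fast = timeit.timeit(lambda: hashlib.shake_128(data).digest(32), number=repeat)
    return slow / fast


if __name__ == "__main__":
    for n in (32, 136, 1500, 1 << 20):  # key-sized, one block, packet, 1 MiB
        print(f"{n:>8} B  calls c=256: {absorb_calls(n, 256):>5}  "
              f"c=512: {absorb_calls(n, 512):>5}  ratio {cost_ratio(n):.3f}  "
              f"measured {measured_ratio(n):.3f}")
```

Short inputs cost one permutation call at either capacity, and for long inputs the extra work at c=512 approaches 168/136, about 24%, in exchange for doubling the generic security level from 128 to 256 bits.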
