[Ach] The sad story of lonely AES-CTR

robin.balean at a-trust.at robin.balean at a-trust.at
Wed Dec 18 15:23:04 CET 2013

This is an interesting paper and actually they give the answer to your question on page 5.  In fact GCM is just CTR mode with Galois Hash for authentication.  It doesn't say why AES-CTR with other MAC algorithms are not supported.  Nevertheless they do state on page 30: 
"AES-GCM is the best performing Authenticated Encryption combination among the NIST standard options (esp. compared to using HMAC SHA-1)"


-----Original Message-----
From: Aaron Zauner [mailto:azet at azet.org] 
Sent: Wednesday, 18 December 2013 14:20
To: Robin Balean
Cc: ach at lists.cert.at List Mailing
Subject: Re: [Ach] The sad story of lonely AES-CTR


See: https://crypto.stanford.edu/RealWorldCrypto/slides/gueron.pdf (current - Intel + Haifa University)

Cycle/byte performance of AES-CTR seems to be significantly better, as I suspected. Hashing isn't that intensive either, would be faster even if the HMAC hogs 5-8 cycles/byte, which is not the case. So AES-CTR is a very good option (also for non-Intel processors).

• "The ultimate goal: achieve AES-GCM at the performance of CTR + ε"

