jedisct1
commented
9 months ago How about something like:
Setup-free.
Using a new key incurs either no overhead or negligible overhead compared to the reuse of a previous key. Overhead may involve additional computations or increased storage space, such as for precomputing a key schedule.
Examples of AEADs that do not require setup include ChaCha20-Poly1305 and ASCON-AEAD.
AndAlBo
Using a new key in AES requires computing a key schedule.
With software implementations of AES-GCM, for every new key, this also requires precomputing powers of the authentication key in order to get decent GHASH performance.
ISAP has (intentionally) a very slow setup function.
ChaChaPoly, on the other hand, has a negligible key setup cost and doesn't require anything besides the initial state.
I'm not sure how to express that, but maybe it would be nice to document in the implementation properties the fact that an AEAD doesn't have any overhead for using a new key vs reusing an existing one.