Date: Mon, 31 May 93 16:03 EDT
From: TCJones(_at_)DOCKMASTER(_dot_)NCSC(_dot_)MIL
Subject: CBC*3 flame
Message-Id: <930531200338(_dot_)300252(_at_)DOCKMASTER(_dot_)NCSC(_dot_)MIL>
> Sorry, but you're mistaking total latency for throughput by ignoring the
> pipelining of the (DES-CBC)**3 case. [The 3 DES chips, in this case, are
> operating simultaneously on 3 different 8-byte groups of input. They can
> not do so in the (DES**3)-CBC case.]
I'm sorry that this is labeled a flame. It was a performance analysis
(or rather, the table of expressions which followed was).
Single chips exist today which will do an EDE encryption IN A SINGLE
OPERATION. It turns out that this chip is also quite fast. I might
consider using such a chip in a product that I would design, due
primarily to its speed and flexibility.
You might -- but it still obeys the equations I gave.
There are no single chips that could do a CBC*3 today, there is no
application that allows a CBC*3 today, and there is no reason to imagine
that such a three chip design for CBC*3 could be integrated into a
design that could do any other known security algorithm.
It is easy to imagine a three chip design for (DES-CBC)**3 being used
to implement both EDE2 ECB style (by selecting ECB rather than CBC in
all three chips) and to implement (DES-CBC)**1 by using (k1, k2, k2).
In this context, the I/O requirements of CBC*3 would be three times worse
than possible with the existing EDE chip. In the case of single chip
ECB DES, then CBC*3 would be no better than EDE, assuming that the x-or
operation is nearly free.
Please read and understand the performance analysis. Latency is higher for
(DES-CBC)**3 than for EDE2-CBC but throughput is significantly better for
(DES-CBC)**3. This applies not only to actual three-chip implementations
but also to any (not yet designed) chip which offers to do EDE and CBC in
one chip.
I appreciate your desire to have PEM not make stupid decisions which will
affect later requirements or applicability. That's precisely why I'm raising
the warning flag about performance.
(DES-CBC)**3 outperforms (DES**3)-CBC by about a factor of 3 in throughput
and always will (for comparable implementations). (DES-CBC)**3 outperforms
(EDE2)-CBC, but by less than a factor of 3 because of chip I/O times.
- Carl
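
The latency/throughput distinction argued in this message can be reproduced with a small scheduling model. This is an added example, not part of the original thread and not the table of expressions the message refers to (which is not reproduced here). It assumes each chip costs one I/O transfer plus one DES operation per block; `T_DES`, `T_IO`, `schedule` and `compare` are hypothetical names and constructed values.

```python
# Timing model only: no DES is executed. T_DES and T_IO are constructed values.
T_DES = 10  # time units for one DES block operation (assumed)
T_IO = 2    # time units to move one 8-byte block onto a chip (assumed)


def schedule(n_blocks, stage_costs, outer_feedback):
    """Return (total_time, first_block_latency) for n_blocks through the stages.

    outer_feedback=False: every stage chains on its own previous output
    (inner CBC), so a block only waits for the chip it needs to become free.
    outer_feedback=True: block i cannot enter stage 0 until block i-1 has
    left the last stage (outer CBC needs the previous ciphertext block).
    """
    stage_free = [0] * len(stage_costs)  # when each chip finishes its block
    prev_done = 0                        # when the previous block left the last stage
    first_latency = None
    for _ in range(n_blocks):
        t = prev_done if outer_feedback else 0  # earliest entry time
        for s, cost in enumerate(stage_costs):
            t = max(t, stage_free[s]) + cost    # wait for the chip, then run
            stage_free[s] = t
        prev_done = t
        if first_latency is None:
            first_latency = t
    return prev_done, first_latency


def compare(n_blocks=1000):
    """Throughput (blocks per time unit) and latency for the three designs."""
    chip = T_DES + T_IO
    designs = {
        "(DES-CBC)**3, three chips": schedule(n_blocks, [chip] * 3, False),
        "(DES**3)-CBC, three chips": schedule(n_blocks, [chip] * 3, True),
        "EDE2-CBC, single chip": schedule(n_blocks, [3 * T_DES + T_IO], True),
    }
    return {name: {"throughput": n_blocks / total, "latency": latency}
            for name, (total, latency) in designs.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:28s} throughput={result['throughput']:.4f} "
              f"latency={result['latency']}")
```

With these constructed values the inner-CBC pipeline approaches three times the throughput of the outer-CBC three-chip design, beats the single-chip EDE2-CBC model by less than three, and has the higher per-block latency of the two.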