Subject: Re: Triple DES on PEM WG Agenda
Date: Sat, 19 Jun 93 00:57:24 +0100
From: Mike Roe <Michael(_dot_)Roe(_at_)cl(_dot_)cam(_dot_)ac(_dot_)uk>
Message-Id: <"swan.cl.cam.:210560:930618235731"@cl.cam.ac.uk>
Mike,
You're right -- we were making completely different base assumptions.
I'm glad to have discovered that difference. It was incredibly frustrating
to be caught in that trap.
I agree that if the speed of the silicon is the bottleneck, 3 feedback
loops can be 3 times faster. In situations where we're really pushing the
silicon (Asynchronous Transfer Mode link encryptors come immediately to mind),
then you have a persuasive argument for 3 feedback loops.
I would still claim that for the sort of machines people are running PEM
on (e.g. Un*x boxes and PCs), it isn't going to make a lot of difference.
However, I may be wrong --- some real measurements would be useful here!
I agree that for PEM we probably don't need the speed which link encryptors
do. However, in software implementations (at least with Stratus DES S/W
but I'd assume it's true for other implementations), it's faster to do
DES-CBC over a large block of data than to call for DES in ECB mode for
each 64-bit word and do that repeatedly. So, even at PEM speeds, I see a
reason for 3-loop operation.
What bothers me is that if we establish a definition for DES**3-CBC, we're
in danger of establishing it for the world.
So -- I come back to suggesting that we define all the brands (2 & 3 key; 1
and 3 IV; 1 and 3 loop) -- come up with names for all eight -- then choose
to implement only one of them. But, whatever we do, we shouldn't call the
one we choose to implement "triple-DES-CBC", as if we had ruled out the
other possibilities. We need to use a name for it that doesn't claim to be
*the* definition of CBC mode for triple-DES (or *the* definition for
triple-DES, for that matter). The standard definition needs to be done by
some group at some time but the link encryptor folks will need to be happy
with it too, I assume. From this standard, hardware might be built.
And, coming back to PEM, I still advocate 3 loops for software performance
reasons and to encourage what I believe is a proper definition of
triple-DES-CBC. However, I no longer push for 3 different keys and 3
different IVs, for PEM.
I would like to see a "standard" definition of triple-DES-CBC to be given
as 3-loop, 3 key, 3 IV. If PEM were to decide to keep k_1 = k_3 and IV_1 =
IV_2 = IV_3, then that's PEM's business -- as long as the triple-DES-CBC
itself is defined as taking (k_1, k_2, k_3, IV_1, IV_2, IV_3) as
parameters.
So -- how about names for the following product set?
|double-key| |3-loop-CBC| |E-D-E| |1 IV|
|triple-key| |1-loop-CBC| |E-E-E| |3 IV|
[with PEM choosing to implement
DoubleKey-3loopCBC-1IV-EDE
perhaps.]
- Carl
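The two constructions the message argues over, as an added illustration that is not part of the original exchange: 1-loop CBC runs a single feedback loop around the compound E-D-E block function with one IV, while 3-loop CBC runs three chained CBC passes, each under its own key and IV. A trivial keyed 64-bit permutation (constructed here; it is NOT DES and has no security value) stands in for the DES block function so the code runs offline, and every function name below is this example's own.

```python
MASK = (1 << 64) - 1

def _swap(x):                       # exchange the two 32-bit halves of a 64-bit word
    return ((x << 32) | (x >> 32)) & MASK

def e(k, x):                        # stand-in for DES encryption of one 64-bit block (NOT DES)
    return (_swap(x ^ k) + k) & MASK

def d(k, y):                        # inverse of e: stand-in for DES decryption
    return _swap((y - k) & MASK) ^ k

def cbc_enc(blocks, iv, f):         # one CBC pass in the encrypt direction with primitive f
    out, prev = [], iv
    for p in blocks:
        prev = f(p ^ prev)
        out.append(prev)
    return out

def cbc_dec(blocks, iv, finv):      # one CBC pass in the decrypt direction with primitive finv
    out, prev = [], iv
    for c in blocks:
        out.append(finv(c) ^ prev)
        prev = c
    return out

def ede_1loop_enc(blocks, k1, k2, k3, iv):
    """1-loop CBC: one CBC chain around the compound E-D-E block function, one IV."""
    return cbc_enc(blocks, iv, lambda x: e(k3, d(k2, e(k1, x))))

def ede_1loop_dec(blocks, k1, k2, k3, iv):
    return cbc_dec(blocks, iv, lambda y: d(k1, e(k2, d(k3, y))))

def ede_3loop_enc(blocks, k1, k2, k3, iv1, iv2, iv3):
    """3-loop CBC: three chained CBC passes (E under k1/IV1, D under k2/IV2,
    E under k3/IV3), each with its own IV and its own feedback chain."""
    s1 = cbc_enc(blocks, iv1, lambda x: e(k1, x))
    s2 = cbc_dec(s1, iv2, lambda y: d(k2, y))
    return cbc_enc(s2, iv3, lambda x: e(k3, x))

def ede_3loop_dec(blocks, k1, k2, k3, iv1, iv2, iv3):
    s2 = cbc_dec(blocks, iv3, lambda y: d(k3, y))
    s1 = cbc_enc(s2, iv2, lambda x: e(k2, x))    # a CBC-encrypt pass inverts a CBC-decrypt pass
    return cbc_dec(s1, iv1, lambda y: d(k1, y))

def demo():
    """Constructed inputs: the 'DoubleKey-3loopCBC-1IV-EDE' brand (k1 == k3, one IV
    shared by all three loops) next to its 1-loop counterpart under the same keys."""
    plain = [1, 2, 3]                            # three 64-bit blocks, constructed
    k1, k2, iv = 0, 1, 0                         # trivial keys so the arithmetic is checkable by hand
    c1 = ede_1loop_enc(plain, k1, k2, k1, iv)
    c3 = ede_3loop_enc(plain, k1, k2, k1, iv, iv, iv)
    ok = (ede_1loop_dec(c1, k1, k2, k1, iv) == plain
          and ede_3loop_dec(c3, k1, k2, k1, iv, iv, iv) == plain)
    return ok, c1, c3                            # both round-trip, yet c1 != c3: two different ciphers
```

Both brands decrypt correctly, but they produce different ciphertext for the same keys and IV, which is why the message objects to calling either one "triple-DES-CBC" without qualification.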