[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Some crypto timings



I thought it might be useful to report on the execution speeds of some
of the 386/486 assembler implementations of DES, IDEA and MD5 I've been
working on lately.

The IDEA code is by Colin Plumb, who write it for PGP. In keeping with
the IDEA algorithm, it uses all 16-bit operations.  The DES code is by
myself, based on Richard Outerbridge's C code in "Applied
Cryptography". It uses lots of 32-bit operations.  The MD5 code is
from RSAREF 2.0, but with my assembler replacement for the core
MD5Transform() function. It uses 32-bit operations almost exclusively.
I also rewrote the MD5Update() C function to avoid a memory copy in
the common case of hashing a well-sized and well-aligned buffer.

I've tested these routines on several machines, but for a consistent
basis of comparison I'll give the times for my 50 Mhz 486 running DOS
in real mode. The C compiler is Borland C++ 3.1. Special care was
taken to ensure proper alignment of all long memory objects, since
this version of the compiler does not do this.

On this machine, single-key DES encrypts or decrypts at 2.78
megabits/sec, IDEA does 2.344 megabits/sec, and MD5 hashes at 19.32
megabits/sec.

Observations and comments:

The MD5 and DES code run even faster in 32-bit protected mode, because
of their heavy use of 32-bit operations. In 16-bit real mode, every
32-bit operation takes an "override" prefix and an extra clock to
execute. (The DES code does 4.44 megabits/sec on a 486-DX2-66 running
BSDI).

IDEA's somewhat disappointing performance is due to its heavy use of
integer multiplies. 16x16 integer multiplies on the 486 take 13-26
clocks, considerably better than some earlier Intel CPUs (the 8088/86
took 113-118 clocks) but nowhere near that of a DSP that can do it in
one clock.

But the IDEA code does only 16-bit operations and will run on an 8086,
while the DES and MD5 code takes considerable advantages of the 32-bit
registers on the 386 and 486.  So I wouldn't be too surprised if IDEA
were to outperform DES on the older CPUs.

And of course, comparing IDEA to single-key DES is a little
unfair. Triple DES should run a little better than 1/3 the speed of
single DES since the initial and final permutations only have to be
done once. IDEA would still have the advantage here.

MD5 hashing is something like 7 times the speed of DES, the fastest
cipher. So it still looks like a good idea to encrypt before adding
the authenticator rather than the reverse to minimize the
vulnerability of your system to being swamped by bogus packets in a
denial-of-service attack.

I haven't timed it yet, but it does seem that a MD5-based cipher would
likely outperform single key DES. Using the MD5Transform() function as
the core of a cipher involves a 4:1 speed penalty over using it as a
hash function (each call to MD5Transform() takes 64 bytes but produces
only 16 bytes), but that still leaves a 1.75:1 advantage over DES. And
the effective key would be much larger.

Phil