[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: new second mandatory IPsec cipher



On Tue, 13 Jul 1999, Sandy Harris wrote:
> I don't think it is for IPSEC, though. Blowfish needs extra
> setup time on every key change to generate the random s-boxes...
> Also, since the s-boxes are different for every key, an IPSEC
> box using Blowfish has to store 4K bytes of s-box material
> per connection. this would be problematic for some.

There is a time-space tradeoff here:  *either* you need extra setup time
on every key change to recompute the S-boxes, *or* you need a chunk of
memory for each active key to store them.  You don't need both.  If you
decide to opt for the extra memory consumption -- a fairly easy decision
for most users nowadays, since 4KB of memory costs almost nothing -- then
the setup time must be paid only at rekeying time, when an old key is
replaced by a new one.  That's fairly infrequent for most users. 

> Schneier himself says (p 336 AC II):
>   Blowfish is optimised for applications where the key does
>   not change often ... not suitable for applications, such
>   as packet switching, with frequent key changes...

He's assuming early-1990s memory prices, which (arguably) made it painful
to store the S-boxes for each connection.  That assumption is now invalid,
so don't take the book as gospel.

In fairness, CAST probably does have some practical advantage here; I just
don't think it's as large as Sandy suggests. 

                                                          Henry Spencer
                                                       henry@spsystems.net
                                                     (henry@zoo.toronto.edu)


Follow-Ups: References: