[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

MAC speeds

To: "D. J. Bernstein" <djb@cr.yp.to>
Subject: MAC speeds
From: Tero Kivinen <kivinen@ssh.fi>
Date: Fri, 10 Mar 2000 01:27:16 +0200 (EET)
Cc: ipsec@lists.tislabs.com
In-Reply-To: <20000309001035.28083.qmail@cr.yp.to>
Organization: SSH Communications Security Oy
References: <1FD60AE4DB6CD2118C420008C74C27B81D0518@baltimore.com><006101bf830a$020c37d0$1e0101c8@ANDREWK2.TIMESTEP><200003071655.SAA23058@torni.ssh.fi><20000309001035.28083.qmail@cr.yp.to>
Sender: owner-ipsec@lists.tislabs.com

D. J. Bernstein writes:
> Tero Kivinen reports a time of 154000 cycles (308 microseconds) for
> HMAC-MD5 on 2048 bytes on a 500MHz Alpha.

BTW, that compilation was without optimizations, i.e for debugging
compilation. When using fully optimized compilation the speed for 2048
byte HMAC-MD5 is 140 microseconds.

With bigger blocks the speed of the HMAC-MD5 is about 29 MB/sec
compared to the 2 MB/sec for 3des. That 29 MB/sec gives about 16
cycles / byte. For that shorter buffer (2048 bytes) the speed is 34
cycles / byte. For even shorter buffer (256 bytes) the speed drops to
53 cycles / byte (the constant overhead of the HMAC algorithm grows
quite large at that point). 

> That's slower than today's fast ciphers, notably the AES candidates,
> which are below 40 cycles/byte. Some people seem to be making decisions
> on this basis.

The speed of the AES ciphers in our library are:

twofish		12 MB/sec		40 cycles/byte
rc6		10 MB/sec		48 cycles/byte
mars		8 MB/sec		60 cycles/byte
rijndael	10 MB/sec		48 cycles/byte

So if change my previous mail to use numbers from the optimizated
compilation:
----------------------------------------------------------------------
If we assume IKE SA is using 3des-md5, then the speeds are about
following:

1)      md5(last-cbc-block || message-id) = 3 盜
        3des-cbc of one block = 5 盜
        3des-cbc of the rest of the blocks = 21 盜

in total it is going to be 8 盜 + 21 盜 + 15 盜.

2)      Hmac-md5 of 64 bytes = 15 盜.

I.e in the DoS case you are saving for 7 盜, but in addition you need
to do the extra decryption for the rest of the packet, so for each
valid packet you waste 29 盜 (total decryption time + the IV
generation time).

If the packet contains 200 byte spi list payload also, then the timing
is going to be:

1)      md5(last-cbc-block || message-id) = 3 盜
        3des-cbc of one block = 5 盜
        3des-cbc of the rest of the blocks = 107 盜

in total it is going to be 8 盜 + 107 盜 + 27 盜.

2)      Hmac-md5 of 256 bytes = 27 盜

I.e in the DoS case you are saving for for 19 盜, but you are then
wasting the 115 盜 for each valid packet.

For blowfish-cbc and md5 the values in the case 1 are little bit
different:

1)      md5(last-cbc-block || message-id) = 3 盜
        blowfish-cbc of one block = 1 盜
        blowfish-cbc of the rest of the blocks = 4 盜

So for the DoS case you save 11 盜 for the DoS packet and do only 8 盜
extra work for valid packet.

For the larger packet the numbers are:

1)      md5(last-cbc-block || message-id) = 3 盜
        blowfish-cbc of one block = 1 盜
        blowfish-cbc of the rest of the blocks = 19 盜

And for DoS case you save 23 盜, and you loose 23 盜 in the valid
packet case.
-- 
kivinen@iki.fi                               Work : +358-9-4354 3218
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/

References:

RE: Use of Encryption in Heartbeat Packets

From: Tero Kivinen <kivinen@ssh.fi>

MAC speeds

From: "D. J. Bernstein" <djb@cr.yp.to>

Prev by Date: I-D ACTION:draft-ietf-ipsec-ike-hash-revised-01.txt
Next by Date: VPN traffic and Firewall traffic in the same 'box'
Prev by thread: Re: MAC speeds
Next by thread: Re: MAC speeds
Index(es):
- Main
- Thread