[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
MAC speeds
D. J. Bernstein writes:
> Tero Kivinen reports a time of 154000 cycles (308 microseconds) for
> HMAC-MD5 on 2048 bytes on a 500MHz Alpha.
BTW, that compilation was without optimizations, i.e for debugging
compilation. When using fully optimized compilation the speed for 2048
byte HMAC-MD5 is 140 microseconds.
With bigger blocks the speed of the HMAC-MD5 is about 29 MB/sec
compared to the 2 MB/sec for 3des. That 29 MB/sec gives about 16
cycles / byte. For that shorter buffer (2048 bytes) the speed is 34
cycles / byte. For even shorter buffer (256 bytes) the speed drops to
53 cycles / byte (the constant overhead of the HMAC algorithm grows
quite large at that point).
> That's slower than today's fast ciphers, notably the AES candidates,
> which are below 40 cycles/byte. Some people seem to be making decisions
> on this basis.
The speed of the AES ciphers in our library are:
twofish 12 MB/sec 40 cycles/byte
rc6 10 MB/sec 48 cycles/byte
mars 8 MB/sec 60 cycles/byte
rijndael 10 MB/sec 48 cycles/byte
So if change my previous mail to use numbers from the optimizated
compilation:
----------------------------------------------------------------------
If we assume IKE SA is using 3des-md5, then the speeds are about
following:
1) md5(last-cbc-block || message-id) = 3 µs
3des-cbc of one block = 5 µs
3des-cbc of the rest of the blocks = 21 µs
in total it is going to be 8 µs + 21 µs + 15 µs.
2) Hmac-md5 of 64 bytes = 15 µs.
I.e in the DoS case you are saving for 7 µs, but in addition you need
to do the extra decryption for the rest of the packet, so for each
valid packet you waste 29 µs (total decryption time + the IV
generation time).
If the packet contains 200 byte spi list payload also, then the timing
is going to be:
1) md5(last-cbc-block || message-id) = 3 µs
3des-cbc of one block = 5 µs
3des-cbc of the rest of the blocks = 107 µs
in total it is going to be 8 µs + 107 µs + 27 µs.
2) Hmac-md5 of 256 bytes = 27 µs
I.e in the DoS case you are saving for for 19 µs, but you are then
wasting the 115 µs for each valid packet.
For blowfish-cbc and md5 the values in the case 1 are little bit
different:
1) md5(last-cbc-block || message-id) = 3 µs
blowfish-cbc of one block = 1 µs
blowfish-cbc of the rest of the blocks = 4 µs
So for the DoS case you save 11 µs for the DoS packet and do only 8 µs
extra work for valid packet.
For the larger packet the numbers are:
1) md5(last-cbc-block || message-id) = 3 µs
blowfish-cbc of one block = 1 µs
blowfish-cbc of the rest of the blocks = 19 µs
And for DoS case you save 23 µs, and you loose 23 µs in the valid
packet case.
--
kivinen@iki.fi Work : +358-9-4354 3218
SSH Communications Security http://www.ssh.fi/
SSH IPSEC Toolkit http://www.ssh.fi/ipsec/
References: