
RE: Counter Mode Security: Analysis and Recommendations



At 04:37 PM 11/20/2002 -0800, Bob Doud wrote:
>> >>>>> "David" == David A Mcgrew <mcgrew@cisco.com> writes:
><snip>
>> 
>>  David> 4) is it acceptable to implement AES-192 or AES-256 and use
>>  David> those ciphers for counter mode?  Or is it desirable to use
>>  David> AES-128 for both CBC and counter mode?
>> 
>> I would hate to depend on AES-192 or above, since it's not clear to me
>> how widely those will initially be implemented in high speed silicon.
>> 
>> 	paul
>
>And let's keep in mind that a fundamental reason that we're pursuing 
>counter mode in the first place is for high-performance as systems 
>move into the multi-Gigabit range.  (Parallelizing the crypto operations
>across multiple engines with staggered counters.) It's safe to say that 
>all hardware and software implementations will be noticeably slower with 
>AES-256 than with AES-128.
>
>Bob
>

Really?  And all these expensive parallel hardware engines will still be
effective on the receiving end when packets arrive out of order, are lost,
duplicated or fragmented?  What about interleaved packet streams from 
different hosts? What about hash computations?

And who will buy them?  1 Gigabit/sec cards go for $50 today.  The cheapest
AES chips are $25 each, which is $125 retail.  You will need about 4 of 
them at least.  So now that card becomes a $500 card.  Ten times as expensive.
By the time they become cheap enough the world will be using 10 gigabit/sec
Ethernet.

I think counter mode is interesting for another reason; it is certainly
not speed.

- Alex


--

Alex Alten
Alten@ATTBI.com

"I said be there.  
 And you crushed the stones to be there."  
            - Genghis Khan, 13th century