
RE: Counter Mode Security: Analysis and Recommendations




Alex(/David),

You have a good point there about the authentication complexity of
say AES-CBC. It does not nicely match with that of Counter-mode-AES.
contd ...

> -----Original Message-----
>...
> Of course there's still the *minor* matter of the hash.  Unless I'm
> mistaken, this still requires linear sequential processing of the
> packet bytes.  Won't this disrupt the tidy flow of parallel blocks?
>
> Cost is still a factor. Let's say you drive it in total to $25 per
> chip today.  This is $125 retail + $50 for 1 Gbps Ethernet hardware.
> That's a tough sell.
> ...
> - Alex

Having said that, simplifying one of them does help silicon 
implementations quite a bit. I hate to get into $ numbers, because 
no matter what we end up integrating, folks like David do not like 
to pay us more than 20-40% margin over the cost of "sand" :-)

Whatever happened to the thoughts around specifying an authentication 
algorithm that used AES-CBC-I (Interleaved CBC)? David, maybe you
should take this up next. I can do some leg work for you. With a 
reasonable degree, instead of just 3, one can do wonders in 
providing head room for run-time vs. space complexity trade-off.

-Shridhar Mukund