To: | cipe-l,AT,inka,DOT,de |

Subject: |
Re: About Peter Gutmann's critique of CIPE |

From: | Wolfgang Walter <ml-cipe,AT,studentenwerk,DOT,mhn,DOT,de> |

Date: | Mon, 29 Sep 2003 21:25:23 +0200 |

Cc: | Olaf Titz <olaf,AT,bigred,DOT,inka,DOT,de> |

Organization: | Studentenwerk München |

>The cipher to use would still have to be pre-arranged, which also>implies the block length (m) and the checksum (q). The recommended>standard algorithms would be AES and SHA1.Instead of using HMAC-SHA1 it may be worth to consider a universal hash function which can be implemented very efficently with a FPU. I.e. hash127 from Dan Bernstein, see http://cr.yp.to/hash127.html I didn't benchmark it but according to literature a MAC based on h127 and AES is about 3 times faster the HMAC-SHA1 for packet size 8KB and at least as safe. For smaller packets its much faster. Another possibility is to use OMAC (version 1 or 2) as MAC. It seems to be as fast as HMAC-SHA1. As it is based on AES only one algorithm has to be implemented (and optimised for speed). Again, for smaller packets it should outperform HMAC-SHA1. A very fast C-implementation of AES (the fastest I know of) and a very fast implementation in assembler (128bit-keys) available under the GPL one can find here: http://fp.gladman.plus.com/AES/index.htm On a pentium 3 the C-version is about 2/3 as fast as blowfish of openssl 0.9.7b (which is assembler): 18MB/s against 28MB/s. The assembler version (the one using MMX) is faster than blowfish (about 42MB/s). His OMAC (version 1) implementation reaches 26MB/s for 1504 byte packets (assembler version using MMX). Greetings, -- Wolfgang Walter Studentenwerk München Anstalt des öffentlichen Rechts EDV Leopoldstraße 15 80802 München Tel: +49 89 38196-276 Fax: +49 89 38196-144 http://www.studentenwerk.mhn.de/