<< | Thread Index | >> ]    [ << | Date Index | >> ]

To: cipe-l,AT,inka,DOT,de
Subject: Re: About Peter Gutmann's critique of CIPE
From: Wolfgang Walter <ml-cipe,AT,studentenwerk,DOT,mhn,DOT,de>
Date: Mon, 29 Sep 2003 21:25:23 +0200
Cc: Olaf Titz <olaf,AT,bigred,DOT,inka,DOT,de>
Organization: Studentenwerk München

> The cipher to use would still have to be pre-arranged, which also
> implies the block length (m) and the checksum (q). The recommended
> standard algorithms would be AES and SHA1.

Instead of using HMAC-SHA1 it may be worth to consider a universal hash 
function which can be implemented very efficently with a FPU. I.e. hash127 
from Dan Bernstein, see


I didn't benchmark it but according to literature a MAC based on h127 and AES 
is about 3 times faster the HMAC-SHA1 for packet size 8KB and at least as 
safe. For smaller packets its much faster.

Another possibility is to use OMAC (version 1 or 2) as MAC. It seems to be as 
fast as HMAC-SHA1. As it is based on AES only one algorithm has to be 
implemented (and optimised for speed). Again, for smaller packets it should 
outperform HMAC-SHA1.

A very fast C-implementation of AES (the fastest I know of) and a very fast 
implementation in assembler (128bit-keys) available under the GPL one can 
find here:


On a pentium 3 the C-version is about 2/3 as fast as blowfish of openssl 
0.9.7b (which is assembler): 18MB/s against 28MB/s. The assembler version 
(the one using MMX) is faster than blowfish (about 42MB/s).

His OMAC (version 1) implementation reaches 26MB/s for 1504 byte packets 
(assembler version using MMX).

Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts
Leopoldstraße 15
80802 München
Tel: +49 89 38196-276
Fax: +49 89 38196-144

<< | Thread Index | >> ]    [ << | Date Index | >> ]