Re: About Peter Gutmann's critique of CIPE
Wolfgang Walter <ml-cipe,AT,studentenwerk,DOT,mhn,DOT,de>
Mon, 29 Sep 2003 21:25:23 +0200
Olaf Titz <olaf,AT,bigred,DOT,inka,DOT,de>
> The cipher to use would still have to be pre-arranged, which also
> implies the block length (m) and the checksum (q). The recommended
> standard algorithms would be AES and SHA1.
Instead of using HMAC-SHA1 it may be worth considering a universal hash
function which can be implemented very efficiently with an FPU. I.e. hash127
from Dan Bernstein, see
I didn't benchmark it but according to literature a MAC based on h127 and AES
is about 3 times faster than HMAC-SHA1 for packet size 8KB and at least as
safe. For smaller packets it's much faster.
Another possibility is to use OMAC (version 1 or 2) as MAC. It seems to be as
fast as HMAC-SHA1. As it is based on AES only one algorithm has to be
implemented (and optimised for speed). Again, for smaller packets it should
A very fast C-implementation of AES (the fastest I know of) and a very fast
implementation in assembler (128bit-keys) available under the GPL one can
On a Pentium 3 the C-version is about 2/3 as fast as Blowfish of OpenSSL
0.9.7b (which is assembler): 18MB/s against 28MB/s. The assembler version
(the one using MMX) is faster than Blowfish (about 42MB/s).
His OMAC (version 1) implementation reaches 26MB/s for 1504 byte packets
(assembler version using MMX).
Anstalt des öffentlichen Rechts
Tel: +49 89 38196-276
Fax: +49 89 38196-144
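
The remark above that OMAC needs only AES can be made concrete. The following is an added example, not code from this thread or from CIPE: a pure-Python OMAC1 (the construction later standardised as CMAC in RFC 4493) built from nothing but AES-128 block encryption and a doubling in GF(2^128). All function names are assumptions of the example, and the table-driven AES is not constant-time, so it is for reading rather than for a packet path.

```python
# Added illustration, not code from the thread: OMAC1 built from AES-128 encryption only.
def xt(a): return (a << 1) ^ 0x11B if a & 0x80 else a << 1      # multiply by x in GF(2^8)
def rotl8(x, n): return ((x << n) | (x >> (8 - n))) & 0xFF
def xor_bytes(a, b): return bytes(x ^ y for x, y in zip(a, b))
def make_sbox():                     # S-box = affine map of the GF(2^8) inverse
    s, p, q = [0x63] * 256, 1, 1
    while True:
        p ^= xt(p)                   # p *= 3 (3 generates the multiplicative group)
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF
        if q & 0x80: q ^= 0x09       # q /= 3, so q stays the inverse of p
        s[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63
        if p == 1: return s
SBOX = make_sbox()

def expand_key(key):                 # AES-128 key schedule: 11 round keys of 16 bytes
    w, rcon = list(key), 1
    for i in range(16, 176, 4):
        t = w[i - 4:i]
        if i % 16 == 0:              # RotWord, SubWord, round constant
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = xt(rcon)
        w += [a ^ b for a, b in zip(w[i - 16:i - 12], t)]
    return [w[r:r + 16] for r in range(0, 176, 16)]

def encrypt_block(rk, block):
    s = xor_bytes(block, rk[0])
    for rnd in range(1, 11):
        s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]    # SubBytes + ShiftRows
        if rnd < 10:                                                 # MixColumns
            s = [xt(s[c + r]) ^ xt(s[c + (r + 1) % 4]) ^ s[c + (r + 1) % 4]
                 ^ s[c + (r + 2) % 4] ^ s[c + (r + 3) % 4]
                 for c in (0, 4, 8, 12) for r in range(4)]
        s = xor_bytes(s, rk[rnd])
    return s

def dbl(b):                          # multiply by x in GF(2^128), x^128 + x^7 + x^2 + x + 1
    n = int.from_bytes(b, "big") << 1
    return (n ^ (0x87 | 1 << 128) if n >> 128 else n).to_bytes(16, "big")

def omac1(key, msg):
    rk = expand_key(key)
    k1 = dbl(encrypt_block(rk, bytes(16)))     # subkey for a complete final block
    k2 = dbl(k1)                               # subkey for a padded final block
    *blocks, last = [msg[i:i + 16] for i in range(0, len(msg), 16)] or [b""]
    last = xor_bytes(last, k1) if len(last) == 16 else \
        xor_bytes(last + b"\x80" + bytes(15 - len(last)), k2)
    tag = bytes(16)
    for blk in blocks + [last]:
        tag = encrypt_block(rk, xor_bytes(tag, blk))
    return tag
```

A receiver should compare the recomputed tag with the received one using a constant-time comparison such as `hmac.compare_digest`, and the same AES key should not be reused for both encryption and the MAC.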