Thread Links			Date Links
Thread Prev	Thread Next	Thread Index	Date Prev	Date Next	Date Index

Re: p1619 (disk): ciphertext-stealing, tweak-mapping, other

To: laszlo@xxxxxxx
Subject: Re: p1619 (disk): ciphertext-stealing, tweak-mapping, other
From: David McGrew <mcgrew@xxxxxxxxx>
Date: Wed, 21 Dec 2005 10:13:25 -0800
Cc: SISWG <stds-p1619@xxxxxxxx>
In-Reply-To: <20051221101719.2085768de8214198020ddb7e86a9ac22.1d7ce5069e.wbe@email.email.secureserver.net>
References: <20051221101719.2085768de8214198020ddb7e86a9ac22.1d7ce5069e.wbe@email.email.secureserver.net>
Sender: stds-p1619@xxxxxxxx

Laszlo,

On Dec 21, 2005, at 9:17 AM, laszlo@HARS.US wrote:
>
>>> EME* essentially does two passes of ECB mode AES, plus three  
>>> extra AES calls
> It means, that a parallel implementation can perform all of the ECB  
> mode
> AES calls in the top and bottom row (a latency of 2), plus two of the
> extra AES operations in the leftmost column (Figure 2 of the EME*
> paper). We have a total delay of 4 AES operations, plus change. In  
> case
> of XCB the question boils down to how parallelizable is the GHash
> operation. Because it is a hash function, it is basically sequential,
> is not it?

Actually, GHASH is can be implemented in parallel, using an algebraic  
trick.  See the last paragraph of Section 5 in http://csrc.nist.gov/ 
CryptoToolkit/modes/proposedmodes/gcm/gcm-revised-spec.pdf

> This would give the advantage to EME*, unless there was a
> parallel version of the function h in XCB.
>

You mean advantage in terms of latency, right?  I'm not sure that  
this is the case, since both XCB and EME* need to do one pass over  
the data before any data can be output, and I suspect that the  
circuit depth of those two passes isn't much different.  It would be  
interesting to see a detailed comparison.  For that matter, it would  
be worthwhile to discuss the implementation scenarios enough to get a  
good idea of what the "success criteria" for wide-block modes like  
these are.  (E.g. since all of these modes require the data to be  
buffered, what critical path should be measured?  The path to output  
the first byte, or to output all of the bytes?)

> For sequential implementation the speed relations depend on the  
> speed of
> AES vs. a GHash block operation. A GHash step can be implemented  
> faster
> in HW, cannot it be?

Yes, the GF multiply can be done faster than an AES operation, though  
the details matter a lot.  IIRC a multiply can be done in a single  
clock using a circuit that is about 25% the size of a fully pipelined  
AES implementation.

> That would make the sequential XCB faster. How
> about the royalties?
>

Are we supposed to talk about royalties on an IEEE list?  At any  
rate, there has been a UC Davis statement on EME, but no statement on  
XCB.  ABL is IPR free, but is more costly to implement than the other  
modes.

David

Follow-Ups:
- Re: p1619 (disk): ciphertext-stealing, tweak-mapping, other
  - From: Michael Torla

References:
- RE: p1619 (disk): ciphertext-stealing, tweak-mapping, other
  - From: laszlo

Prev by Date: RE: p1619 (disk): EME disadvantages
Next by Date: RE: p1619 (disk): tweak-computation, other
Prev by thread: RE: p1619 (disk): ciphertext-stealing, tweak-mapping, other
Next by thread: Re: p1619 (disk): ciphertext-stealing, tweak-mapping, other
Index(es):
- Date
- Thread