David McGrew wrote:
> You mean advantage in terms of latency, right? I'm not sure that this is the case, since both XCB and EME* need to do one pass over the data before any data can be output, and I suspect that the circuit depth of those two passes isn't much different. It would be interesting to see a detailed comparison. For that matter, it would be worthwhile to discuss the implementation scenarios enough to get a good idea of what the "success criteria" for wide-block modes like these are. (E.g. since all of these modes require the data to be buffered, what critical path should be measured? The path to output the first byte, or to output all of the bytes?)

I've looked at this to some extent. From the point of view of an arbitrary block size, XCB is much more costly. To support a block that is larger than the AES hardware accelerator's buffer size, data must be fetched twice. This feature is unique to XCB; I've not seen it in any other mode of any crypto algorithm I've looked at. Having to fetch data twice is very costly. For a block size of 4096 bits, it is reasonable to buffer the entire block within the AES hardware accelerator. So, assuming a block of 4096 bits (512 bytes), computation times are:
Let's assume 16 clock cycles per AES computation and 16 clock cycles per GF Multiply. In that case encrypting takes:
Note this analysis ignores two factors:
mt