[3364] in cryptography@c2.net mail archive
Key setup time a real issue for IPSEC? Or not?
daemon@ATHENA.MIT.EDU (Ron Rivest)
Thu Sep 24 15:44:29 1998
Date: Thu, 24 Sep 1998 13:44:32 -0400
From: Ron Rivest <rivest@theory.lcs.mit.edu>
To: cryptography@c2.net
John Kelsey says about the AES criteria:
"There are some applications for which key agility is really
important. IPSec is one example."
I'm not convinced that this is accurate.
What is the distribution of IPSEC packet sizes that one can expect?
I asked Jim Gettys this question. (Jim works with the World Wide
Web Consortium down the hall from me here at the Lab for Computer Science,
and is the lead designer of the HTTP 1.1 web protocol.)
Jim said that it is reasonable to take 512 bytes as a plausible average
packet size today, and that this average should be going up over time
as people move from HTTP 1.0 to HTTP 1.1.
With a packet size of 512 bytes (32 AES blocks), the overhead for key
setup is only 12.5%, assuming that a key setup takes as much time as
four encryptions (typical for RC6 and some other candidates).
A 12.5% overhead rate for key setup is not a lot.
And of course, this goes down if you can cache the expanded tables of
round keys.
A better figure of merit to use is the total time spent doing
encrypting and key setups. The encryption speed probably ends up
being a bigger component of what you care about in IPSEC than key
setup time. E.g., we could compare AES candidates by the total time
needed to encrypt a 512-byte block, including key setup.
I don't believe that key setup time is terribly important for IPSEC, or
for most other applications. Of course, it *is* very important if you
are doing brute-force key searches...
Cheers,
Ron Rivest
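
Added example, not part of the original message: the figure of merit proposed above (total time for encryption plus key setups), generalized from one 512-byte packet to a mixed packet stream with an LRU cache of expanded round keys. Costs are in units of one block encryption with key setup costing 4, as in the post; the packet trace, the key identifiers and the cache sizes are constructed assumptions.

```python
from collections import OrderedDict

BLOCK_BYTES = 16   # AES block size (128 bits)
SETUP_COST = 4     # key setup cost in block encryptions (the post's figure for RC6)

# Constructed trace of (key_id, packet_bytes); key ids stand for separate IPsec keys.
TRACE = [("sa1", 512), ("sa2", 64), ("sa1", 512),
         ("sa3", 1500), ("sa2", 64), ("sa1", 512)]

def blocks(packet_bytes):
    """Number of 16-byte blocks needed for a packet, rounded up."""
    return -(-packet_bytes // BLOCK_BYTES)

def setup_overhead(packet_bytes, setup_cost=SETUP_COST):
    """Key setup time as a fraction of the encryption time for one packet."""
    return setup_cost / blocks(packet_bytes)

def total_cost(packets, cache_slots=0, setup_cost=SETUP_COST):
    """Return (encrypt_units, setup_units) for a stream of packets.

    cache_slots is how many expanded key schedules an LRU cache may hold;
    0 means the key is re-expanded for every packet.
    """
    cache = OrderedDict()
    enc = setup = 0
    for key_id, size in packets:
        enc += blocks(size)
        if key_id in cache:
            cache.move_to_end(key_id)      # hit: reuse the expanded round keys
            continue
        setup += setup_cost                # miss: pay for a key expansion
        if cache_slots:
            cache[key_id] = True
            if len(cache) > cache_slots:
                cache.popitem(last=False)  # evict the least recently used key
    return enc, setup

if __name__ == "__main__":
    print(f"512-byte packet, no cache: {setup_overhead(512):.1%} setup overhead")
    for slots in (0, 2, 3):
        enc, setup = total_cost(TRACE, cache_slots=slots)
        print(f"cache_slots={slots}: encrypt={enc} setup={setup} "
              f"overhead={setup / enc:.1%}")
```

With two cache slots the interleaving of three keys evicts entries just before they are needed again, so most of the saving only appears once the cache holds every active key.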