Re: iSCSI Some Thoughts on Digests

In message <007201c06139$841172a0$cb08efd0@giganet.com>, "Jim Williams" writes:

>As a chip designer let me underscore this issue.
>Existing cryptographic message integrity check
>algorithms, specifically hmac-sha1, hmac-sha-96,
>hmac-md5, and hmac-md5-96
>WILL NOT SCALE to 10Gb in silicon.
>
>These algorithms are designed to be quite efficient
>in software, but they are highly serialized allowing
>little opportunity for pipelining or parallelization
>in hardware. Each step of the algorithm requires
>the previous step to complete before it can start.
>
>This of course does not preclude designing silicon
>that has multiple slower units operating on multiple
>blocks in parallel, but this is an excessively complicated
>and non cost effective way to design chips.

At the recent NIST (Cryptographic) Modes of Operation workshop, there were a lot of hardware designers who agreed: cipher block chaining and MD5 (or SHA) are inherently sequential, and can't easily be speeded up. In particular, you can't execute either in parallel.

There were some proposals, including one from IBM, for combined encryption/authentication algorithms that could, in fact, be parallelized, and hence would be capable of much higher speeds. (You can find a non-technical press release on the IBM work at http://www.ibm.com/news/2000/11/30.phtml; I don't know if any technical details are available on the Web. I do know that IBM would like their scheme to be adopted, but I advised them that the IETF Security Area was unlikely to go along until there had been sufficient review by the cryptographic community.)

--Steve Bellovin
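Added example, not part of the original message and not the IBM scheme it mentions: a Python sketch of the data dependency discussed above, contrasting a CBC-MAC-shaped chain with an XOR-MAC-shaped tag whose per-block terms are independent. The HMAC-SHA256 stand-in function, the 16-byte block size and all function names are assumptions made for illustration; this shows data flow only and is not a vetted MAC.

```python
import hashlib
import hmac
from concurrent.futures import ThreadPoolExecutor

BLOCK = 16  # block size in bytes (constructed for this example)

def prf(key, data):
    """Stand-in keyed function: HMAC-SHA256 truncated to one block."""
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(msg):
    """Split into BLOCK-sized pieces; the example assumes whole blocks only."""
    if len(msg) % BLOCK:
        raise ValueError("message length must be a multiple of BLOCK")
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]

def chained_tag(key, msg):
    """CBC-MAC-shaped chain: step i cannot start until step i-1 has finished."""
    state = bytes(BLOCK)
    for m in blocks(msg):
        state = prf(key, xor(state, m))  # input depends on the previous output
    return state

def block_term(key, index, m):
    """One block's contribution: depends only on (index, block), not on neighbours."""
    return prf(key, b"\x01" + index.to_bytes(8, "big") + m)

def parallel_tag(key, nonce, msg, workers=4):
    """XOR-MAC-shaped tag: independent per-block terms, farmed out and XORed."""
    items = list(enumerate(blocks(msg)))
    tag = prf(key, b"\x00" + nonce)  # per-message nonce term
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for term in pool.map(lambda it: block_term(key, *it), items):
            tag = xor(tag, term)
    return tag

def parallel_tag_any_order(key, nonce, msg, order):
    """Same tag with the block terms evaluated in a caller-chosen order."""
    bl = blocks(msg)
    tag = prf(key, b"\x00" + nonce)
    for i in order:
        tag = xor(tag, block_term(key, i, bl[i]))
    return tag
```

The thread pool only demonstrates that the terms have no ordering constraint; in hardware the same independence is what allows the block units to be pipelined.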
Last updated: Tue Sep 04 01:06:06 2001