Fast IDEA for Pentium MMX compatibles
SIMD is the kind of parallelism where a single instruction operates with
multiple data at the same time. Super-scalar parallelism allows two or more
(possibly different) instructions to be executed in parallel at the same
time. MMX is a relatively new multimedia extension to super-scalar Pentium
family, having a limited version of SIMD. MMX extensions are
incorporated in every new Intel processor, including the processor that is
currently without doubt the most popular -- Pentium II. SIMD parallelism
provided by MMX increases significantly the performance of a very limited
set of so called multimedia applications.
Looking from the cryptographic view of point, there seems to be a very
narrow perspective of using MMX technology to increase the performance of
already existing cryptographic primitives. Reasons are manifold, public key
cryptography (RSA, for example) relys on long multiplication not on parallel
execution of many short multiplications. Most of the block ciphers in
general use are inherently nonparallelisable due to their use of S-boxes
and/or table lookups.
Some primitives, though, are outstandingly suitable for MMX. One of such primitives is IDEA; this is
demonstrated in the following Figure. (The speeds are scaled for an hypothetical 3200 MHz machine, last updated
Nov 13 2000 if not explicitly said otherwise; NB: 1 MB/s=10242 B/s).
|
|
| Block cipher | Block size | Cycles | MBytes/s | Author | Processor
|
|
|---|
| Square | 128
| 192 | 254.4
| Lipmaa
| Pentium II
|
| RC6 | 128
| 219 | 222.8
| Lipmaa | Pentium II/III |  17.05.02
|
| 4-way IDEA | 4x64
| 440 | 222.0
| Lipmaa | Pentium III
|
| Rijndael | 128 | 226
| 216.0 | Lipmaa | Pentium II/III | 04.04.02
|
| Square | 128 | 244 | 200.0 | Bosselaers | Pentium
|
| 4-way IDEA | 4x64
| 543 | 180.0
| Lipmaa | Pentium MMX
|
| SC2000 | 128 | 270
| 180.8 | Lipmaa
| Pentium II/III, gcc (no asm)
| New, 04.04.2002
|
| 4-way IDEA | 4x64
| 554 | 176.4
| Lipmaa | AMD Athlon
| New, 01.10.2003
|
| Twofish | 128 | 277
| 176.4 | Aoki, Lipmaa
| Pentium II/III
|
| Rijndael | 128 | 300 | 162.8 | Gladman | Pentium III
| New, 15.10.2001
|
| Camellia
| 128 | 302 | 161.6
| Aoki | Pentium II/III
|
| MARS | 128
| 306 | 160.0 | Lipmaa
| Pentium II/III
|
| Blowfish | 64 | 158 | 154.4
| Bosselaers | Pentium
|
| RC5-32/16 | 64 | 199 | 122.8
| Bosselaers | Pentium
|
| CAST5 | 64 | 220 | 110.8
| Bosselaers | Pentium
|
| DES | 64 | 340 | 72.0
| Bosselaers | Pentium
|
| IDEA | 64 | 358
| 68.0
| Lipmaa | Pentium MMX
|
| SAFER (S)K-128 | 64 | 418 | 58.4
| Bosselaers | Pentium
|
| Shark | 64 | 585 | 41.6
| Bosselaers | Pentium
|
| IDEA | 64 | 590 | 41.2
| Bosselaers | Pentium
|
| 3DES | 64 | 928 | 26.4
| Bosselaers | Pentium
|
|
|
Why IDEA?
IDEA has been known for the cryptographic community for ten years, and it is still unbroken. Many
cryptographers think, that it is really one of the most secure block ciphers available. However,
IDEA has generally considered also to be a slow cipher (cf Bosselaers' implementation of IDEA
in the last table) due to the costly 16-bit multiplications involved. It is not anymore the
case: by using a Pentium MMX compatible machine, IDEA encryption will be faster than DES,
RC5 or Blowfish encryption --- to name a few other well-known block ciphers.
Compared to leading AES candidates, 4-way IDEA is only a little slower
than RC6 and Rijndael on the Pentium II, but faster than Twofish and MARS.
On the Pentium III, 4-way IDEA is even faster than RC6 and Rijndael.
If one prefers a block cipher with time-proven security margins, IDEA is
definitely the choice over AES algorithms.
However, in the light of the ongoing AES process and the amount of
cryptanalysis applied to the leading AES candidates, especially to the
winner, it might very soon become desirable to switch over to the proposed
AES, Rijndael. To get more information about the AES candidates, click here.
Parallel Encryption Modes
The term "x-way" means that x encryptions/decryptions are
done in parallel. To effectively use such parallel implementation,
special encryption modes have to be used. I've currently implemented
4-interleaved CBC4 and XORC4 modes (the XORC mode is better known as the
counter mode and by a recent analysis of Bellare etc, almost ideally secure
in a random oracle model). The XORC4 mode also provides a significant
memory-time tradeoff: the so called counter may be encrypted beforehand
(``off-line''). Later, ``on-line'', one has only to xor the encrypted
counter with the plaintext. On a 500 MHz Pentium II, CBC4 en/decryption and
XORC4 en/de/precryption can be done in about 260-275 Mbit/s on a 450 MHz
Pentium III.
To further simplify the usage, the CBC1 and XORC1 modes (corresponding to the usual
CBC and counter modes) have been implemented. In this mode, FastIDEA can be seen as a
drop in replacement to the popular OpenSSL library. Since CBC1 decryption and XORC1
encryption (and decryption that is equal to encryption) use internally the 4-way IDEA,
the library achieves almost the same speed in these modes as in the low level CBC4 and
XORC4 modes: about 235-260 Mbit/s. The CBC1 encryption is not parallelizable and
therefore does not achieve such speed.
Availability
More information on this project is available on by email. (for example
if you are interested in commercial use) Note that information on this
page corresponds
to the version 1.1a of the library.
If you want to learn more about my implementations, don't hesitate to
mail to lipmaa(at)cyber.ee. In the mail please specify your
interest! :-)
NEWI have also finished fast implementatios of MARS and
Rijndael, two of the AES finalist ciphers. Information about that can be
obtained from the AES
Speed page or by sending an email to lipmaa(at)cyber.ee.
Comparison with other implementations
Interestingly, the fastest available IDEA hardware coprocessor
runs at 40 MHz and achieves about 300 Mbit/s on the 3-way IDEA mode and
about 100 Mbit/s on the standard IDEA mode. (See links.)
On a 500 MHz Pentium III, my 4-way IDEA implementation achieves 290
Mbit/s, while already on the 550 MHz Pentium III my sotware implementation
is faster than the Ascom hardware implementation. A 866 MHz Pentium III
achieves 500 Mbit/s, which is in the same range as the hardware
implementations of the AES
candidates.
Publications
Other stuff
News
- 12.10.98: added a link to AES Ciphers: Speed.
- 18.10.98: added a link to Libeay.
- 28.10.98: scaled the Mbits/s for a 233 MHZ Pentium II (my new plaything).
- 03.11.98: added information about parallel encryption modes.
- 11.01.99: made the page a bit more informative.
- 01.02.99: scaled the Mbits/s for a 450 MHZ Pentium II (my new plaything).
- 02.04.99: added link to our corporate webpage that has more information
available.
- 10.05.99: corrected the page numbers of the "IDEA: A Cipher..."
publication.
- 07.07.99: added information about the 1.1a version of the library (new
CBC1 and XORC1 API functions).
- 31.01.00: Added information about new implementatios of MARS and
Rijndael.
- 20.03.00: Added information about my implementations of AES
candidates, paragraph 'Why IDEA?' Other small changes.
- 12.04.00: New URL for this page. Number of small changes.
- 22.05.00: Added information about my new Pentium III-specific
implementation. The implementations are now sold by me. (Email me
for more information)
visitors from 28.02.98, 18:00 EET. A totally new version of
this page: 10.08.98.
Helger
Lipmaa