On 2013-08-26 17:24, Brian Smith wrote:
> Conversely, it isn't clear that AES-256 offers any significant security
> advantage over AES-128, though it is clearly slower, even on my
> AES-NI-equipped Core i7 processor. First, AES-128 has held up pretty well
> so that it might just be "good enough" in general.
I ran some measurements on various CPUs, including slow ones, both with and
without AES-NI. The full table is at the end of this email.

It seems that AES-256 is always 25% to 30% slower than AES-128, regardless
of AES-NI or CPU family.

With one exception: AES-NI on the Intel i7. On this CPU, and for block sizes
of 16, 64, 256 and 1024 bytes, AES-256 is ~80% slower than AES-128. For a
block size of 8192 bytes, AES-256 is 28.7% slower.

The slowest implementation of AES-256 has a bandwidth of 21 MBytes/s, which
is probably fast enough for any browser.

If performance were the only reason to prefer AES-128, I would disagree with
the proposal. But your other arguments, regarding AES-256 not providing
additional security, are convincing.
> Secondly, as I already pointed out in my proposal, some research has shown
> that AES-256 doesn't seem to offer much more security than what we
> understand AES-128 to offer. See
> http://www.schneier.com/blog/archives/2009/07/new_attack_on_a.html and
> https://cryptolux.org/FAQ_on_the_attacks. Thirdly, when non-constant-time
> implementations are used, AES-256 seems to offer more opportunity for
> timing attacks than AES-128 does, due to more rounds and larger inputs.
This paper, "On the complexity of side-channel attacks on AES-256 -
methodology and quantitative results on cache attacks"
(eprint.iacr.org/2007/318.pdf), seems to suggest something similar:

    "In this paper, we addressed side-channel attacks on AES-256: we
    demonstrated with practical results that the complexity (i.e. resistance)
    increase with the number of key bits is virtually non-existent. In
    particular, for the cache based attacks, an attack on AES-256 is only 6
    to 7 times as hard as an attack on AES-128 both in the required computing
    power as in the required number of observations. We used the cache
    side-channel as an example side-channel, but the methodology presented in
    this work can be applied to leverage any other channel and attack
    AES-256."

However, it refers to software implementations of AES. Do we know if this
result still applies with AES-NI?
---
Julien Vehent
http://jve.linuxwall.info
--- Speed measurements of AES on several families of CPUs ---
(numbers are 1000s of bytes per second, as printed by openssl speed; "AESNI"
rows were run with openssl speed -evp, "regular" rows without -evp, so on the
CPUs marked NO AESNI SUPPORT both rows use software AES)
       | type        | 16_bytes   | 64_bytes   | 256_bytes  | 1024_bytes | 8192_bytes | CPU
-------+-------------+------------+------------+------------+------------+------------+------------------------------------------
AESNI  | aes-128-cbc | 669744.67k | 720971.18k | 754488.83k | 758975.49k | 754668.89k | Intel(R) Xeon(R) CPU E3-1270 V2 @ 3.50GHz
AESNI  | aes-192-cbc | 580606.16k | 618596.46k | 630121.39k | 630994.60k | 633320.79k | Intel(R) Xeon(R) CPU E3-1270 V2 @ 3.50GHz
AESNI  | aes-256-cbc | 507602.55k | 534540.84k | 544787.63k | 540530.35k | 543763.11k | Intel(R) Xeon(R) CPU E3-1270 V2 @ 3.50GHz
regular| aes-128-cbc | 138017.61k | 150701.59k | 154806.19k | 153791.49k | 156374.36k | Intel(R) Xeon(R) CPU E3-1270 V2 @ 3.50GHz
regular| aes-192-cbc | 117436.95k | 126625.64k | 128216.15k | 129753.77k | 130247.34k | Intel(R) Xeon(R) CPU E3-1270 V2 @ 3.50GHz
regular| aes-256-cbc | 102283.73k | 109657.30k | 111773.61k | 112319.15k | 112596.31k | Intel(R) Xeon(R) CPU E3-1270 V2 @ 3.50GHz
-------+-------------+------------+------------+------------+------------+------------+------------------------------------------
AESNI  | aes-128-cbc | 574168.83k | 612081.11k | 620871.25k | 626095.10k | 623520.43k | Intel(R) Core(TM) i7-3667U CPU @ 2.00GHz
AESNI  | aes-192-cbc | 122382.52k | 130687.70k | 136055.47k | 151552.68k | 395365.03k | Intel(R) Core(TM) i7-3667U CPU @ 2.00GHz
AESNI  | aes-256-cbc | 111402.54k | 114350.49k | 125160.36k | 174099.46k | 443987.29k | Intel(R) Core(TM) i7-3667U CPU @ 2.00GHz
regular| aes-128-cbc |  28888.35k |  33039.47k |  86861.99k | 127958.36k | 128316.76k | Intel(R) Core(TM) i7-3667U CPU @ 2.00GHz
regular| aes-192-cbc |  24563.96k |  26540.95k |  32132.95k |  36337.66k |  71385.09k | Intel(R) Core(TM) i7-3667U CPU @ 2.00GHz
regular| aes-256-cbc |  21766.37k |  29087.62k |  26345.47k |  25728.00k |  27989.33k | Intel(R) Core(TM) i7-3667U CPU @ 2.00GHz
-------+-------------+------------+------------+------------+------------+------------+------------------------------------------
AESNI  | aes-128-cbc |  27391.57k |  42004.99k |  49039.45k |  51120.81k |  51716.10k | Intel(R) Atom(TM) CPU D510 @ 1.66GHz (NO AESNI SUPPORT)
AESNI  | aes-192-cbc |  24954.17k |  36496.21k |  41651.46k |  43204.27k |  43677.01k | Intel(R) Atom(TM) CPU D510 @ 1.66GHz (NO AESNI SUPPORT)
AESNI  | aes-256-cbc |  22912.58k |  31863.87k |  35590.14k |  36657.49k |  36975.96k | Intel(R) Atom(TM) CPU D510 @ 1.66GHz (NO AESNI SUPPORT)
regular| aes-128-cbc |  34522.99k |  45628.50k |  49484.20k |  51328.34k |  51764.38k | Intel(R) Atom(TM) CPU D510 @ 1.66GHz (NO AESNI SUPPORT)
regular| aes-192-cbc |  25282.32k |  36839.06k |  41828.18k |  43174.91k |  42999.81k | Intel(R) Atom(TM) CPU D510 @ 1.66GHz (NO AESNI SUPPORT)
regular| aes-256-cbc |  27001.24k |  33287.06k |  36142.25k |  36687.53k |  36713.81k | Intel(R) Atom(TM) CPU D510 @ 1.66GHz (NO AESNI SUPPORT)
-------+-------------+------------+------------+------------+------------+------------+------------------------------------------
AESNI  | aes-128-cbc |  21972.35k |  22432.02k |  19986.52k |  54965.25k |  69651.11k | Dual-Core AMD Opteron(tm) Processor 2218 HE (NO AESNI SUPPORT)
AESNI  | aes-192-cbc |  43595.54k |  39893.61k |  41966.65k |  92596.73k |  55478.95k | Dual-Core AMD Opteron(tm) Processor 2218 HE (NO AESNI SUPPORT)
AESNI  | aes-256-cbc |  25274.79k |  44021.48k |  39315.71k |  70429.35k |  76630.23k | Dual-Core AMD Opteron(tm) Processor 2218 HE (NO AESNI SUPPORT)
regular| aes-128-cbc |  40941.87k |  58502.85k |  53042.12k | 146024.77k | 113713.15k | Dual-Core AMD Opteron(tm) Processor 2218 HE (NO AESNI SUPPORT)
regular| aes-192-cbc |  49289.84k |  43287.83k |  41255.08k | 107338.75k |  95267.50k | Dual-Core AMD Opteron(tm) Processor 2218 HE (NO AESNI SUPPORT)
regular| aes-256-cbc |  36972.34k |  25412.58k |  35431.08k |  69077.82k |  56538.32k | Dual-Core AMD Opteron(tm) Processor 2218 HE (NO AESNI SUPPORT)
-------+-------------+------------+------------+------------+------------+------------+------------------------------------------
AESNI  | aes-128-cbc |  38460.22k |  62906.84k |  74712.41k |  78896.13k |  80016.73k | VIA Nano processor U2250 (1.6GHz Capable) (NO AESNI SUPPORT)
AESNI  | aes-192-cbc |  35513.85k |  51923.54k |  63855.70k |  65230.85k |  67685.03k | VIA Nano processor U2250 (1.6GHz Capable) (NO AESNI SUPPORT)
AESNI  | aes-256-cbc |  32564.81k |  48465.32k |  55756.80k |  58061.48k |  58630.14k | VIA Nano processor U2250 (1.6GHz Capable) (NO AESNI SUPPORT)
regular| aes-128-cbc |  53005.31k |  70560.00k |  77292.46k |  79439.87k |  80218.79k | VIA Nano processor U2250 (1.6GHz Capable) (NO AESNI SUPPORT)
regular| aes-192-cbc |  36862.02k |  55805.35k |  64180.39k |  66947.75k |  67619.50k | VIA Nano processor U2250 (1.6GHz Capable) (NO AESNI SUPPORT)
regular| aes-256-cbc |  34020.35k |  49141.57k |  56039.00k |  58044.76k |  58709.33k | VIA Nano processor U2250 (1.6GHz Capable) (NO AESNI SUPPORT)
command (the original one-liner, run as root, split into lines for
readability; behaviour unchanged):

cpu="$(grep 'model name' /proc/cpuinfo | cut -d ':' -f 2 | uniq)"
echo "- | type 16_bytes 64_bytes 256_bytes 1024_bytes 8192_bytes"
# "AESNI" rows: -evp goes through the EVP layer, which uses AES-NI when the CPU has it
for cipher in aes-128-cbc aes-192-cbc aes-256-cbc; do
  # the unquoted $(...) collapses openssl's column padding into single spaces
  echo -n $(echo -n "AESNI | "; openssl speed -elapsed -evp $cipher 2>/dev/null | grep ^aes)
  echo " | $cpu"
done
# "regular" rows: without -evp, speed takes the non-EVP code path, which does not use AES-NI
for cipher in aes-128-cbc aes-192-cbc aes-256-cbc; do
  echo -n $(echo -n "regular | "; openssl speed -elapsed $cipher 2>/dev/null | grep ^aes)
  echo " | $cpu"
done
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
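The 25-30%, 28.7% and ~80% figures in the message above are all the same metric, 100 * (1 - throughput(AES-256) / throughput(AES-128)), computed by hand from the table. The script below, an added example that is not part of the original thread, parses `openssl speed` output into that comparison and sets it next to the slowdown you would expect if cost scaled purely with round count (10 rounds for AES-128, 14 for AES-256, so 1 - 10/14 = 28.6%). The sample text is constructed in the format `openssl speed -elapsed -evp <cipher>` prints, using the AES-NI numbers for the Xeon E3-1270 V2 and Core i7-3667U from the table; the 5-point band used to flag rows that stray from the round-count prediction is an arbitrary threshold chosen for this example.

```python
"""Quantify the AES-256 vs AES-128 slowdown from `openssl speed` output.

Added example for the measurements in the mail above, not part of the
original message. The sample input is constructed from the AES-NI rows of
the Xeon E3-1270 V2 and Core i7-3667U in that table.
"""
import re

# Block sizes that `openssl speed` reports, in column order (bytes).
BLOCK_SIZES = (16, 64, 256, 1024, 8192)

# Rounds per key size, from FIPS 197.
ROUNDS = {"aes-128-cbc": 10, "aes-192-cbc": 12, "aes-256-cbc": 14}

# Constructed sample input in the layout `openssl speed -elapsed -evp <cipher>`
# prints (values are 1000s of bytes per second); numbers copied from the mail.
XEON_AESNI = """\
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     669744.67k   720971.18k   754488.83k   758975.49k   754668.89k
aes-256-cbc     507602.55k   534540.84k   544787.63k   540530.35k   543763.11k
"""

I7_AESNI = """\
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
aes-128-cbc     574168.83k   612081.11k   620871.25k   626095.10k   623520.43k
aes-256-cbc     111402.54k   114350.49k   125160.36k   174099.46k   443987.29k
"""

_ROW = re.compile(r"^(aes-\d{3}-[a-z]+)\s+(.+)$")


def parse_speed(text):
    """Map cipher name -> {block size: bytes per second} from openssl speed output."""
    results = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue  # banner, header and blank lines
        cipher, columns = m.groups()
        fields = columns.split()
        if len(fields) != len(BLOCK_SIZES):
            raise ValueError(f"unexpected column count: {line!r}")
        # openssl prints thousands of bytes/s with a trailing 'k'
        results[cipher] = {
            size: float(f.rstrip("k")) * 1000.0
            for size, f in zip(BLOCK_SIZES, fields)
        }
    return results


def slowdown_percent(results, base="aes-128-cbc", other="aes-256-cbc"):
    """Percent by which `other` is slower than `base`, per block size.

    Uses 100 * (1 - throughput_other / throughput_base), the metric behind
    the 28.7% and ~80% figures quoted in the mail.
    """
    return {
        size: 100.0 * (1.0 - results[other][size] / results[base][size])
        for size in BLOCK_SIZES
    }


def slowdown_from_rounds(base="aes-128-cbc", other="aes-256-cbc"):
    """Slowdown expected if per-block cost is proportional to the round count.

    With AES-NI each round is one AESENC instruction, so a cipher-bound
    measurement should sit near 1 - 10/14 = 28.6%.
    """
    return 100.0 * (1.0 - ROUNDS[base] / ROUNDS[other])


def report(label, text):
    """Print measured slowdown per block size next to the round-count prediction."""
    measured = slowdown_percent(parse_speed(text))
    predicted = slowdown_from_rounds()
    print(f"{label}: AES-256 vs AES-128 (round-count prediction {predicted:.1f}%)")
    for size in BLOCK_SIZES:
        # 5-point band is an arbitrary threshold for this example
        flag = "" if abs(measured[size] - predicted) < 5.0 else "  <-- far from round-count prediction"
        print(f"  {size:>5} bytes: {measured[size]:5.1f}% slower{flag}")
    return measured


if __name__ == "__main__":
    report("Xeon E3-1270 V2, AES-NI", XEON_AESNI)
    report("Core i7-3667U, AES-NI", I7_AESNI)
```

On the Xeon the measured slowdown stays within a few points of the round-count prediction at every block size; on the i7 only the 8192-byte row does, which is a quick way to see that the ~80% small-block rows in that table are measuring something other than the cipher's own cost.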