That's not really true. Remember that all the algorithms are implemented in hardware inside the CEX cards. The hardware is so fast that all the algorithms are essentially the same speed, relative to the rest of the time which is spent in software and communications. If you look at the performance numbers in the document Greg Boyd referenced, you'll see that triple-DES (TDES) is actually FASTER than AES in this system. Where you would expect AES to be faster is when the algorithms are implemented in software, and where there is no additional overhead like communications to a separate device.

Here are some of the numbers from that performance document. For each algorithm, it shows performance in kbytes/second from a host application program, for three different sizes of input data that you are encrypting. (This table probably gets messed up depending on whether you are displaying in fixed or proportional fonts - sorry about that.)

Algorithm            64 bytes    64K bytes    1M bytes
------------------   ---------   ----------   ---------
TDES                 161         13372        14000
AES-256              149         9645         9995
AES-128              148         9822         10191

I'm not sure why the AES performance is lower on System z than TDES, since performance numbers from a recent version of the card firmware running on System x Linux show the opposite - here are those numbers, where I have separate data for AES using the older fixed-length key token structures and using the newer variable-length key tokens.

Algorithm            64 bytes    64K bytes    1M bytes
------------------   ---------   ----------   ---------
TDES                 199         53202        68770
AES-128 (fixed)      209         60277        73840
AES-128 (variable)   206         57546        73090
AES-256 (fixed)      211         61315        71790
AES-256 (variable)   203         57361        72840

So, the same card running under Linux in a System x server does indeed have AES numbers greater than TDES numbers - but by a very small amount.

For those who are curious, I suspect the large-block performance on System x is so much higher because that system allows us to send more data to the crypto card at a time - meaning there are fewer calls to the card than on System z, where it is chopped into smaller packets.

Todd Arnold
IBM Cryptographic Coprocessor development
