Algorithm | Keys tested/s |
DES | 90k |
RC5 | 150k |
TEA | 357k |
Three different cryptographic algorithms were investigated: DES, the Data Encryption Standard of the National Bureau of Standards, defined formally in [NBS88] and informally in [Sch94]; RC5, designed by Ron Rivest, defined in [Riv95]; and TEA, the Tiny Encryption Algorithm, designed by Wheeler and Needham and described in [WN95].
DES is the most important commercially of the three algorithms; it is used every day by the financial industry despite dire warnings [Hel79] of its imminent insecurity. It is implemented much more efficiently in hardware than in software, due to its dependence on bit-level permutations and other constructs not easily described in ``conventional'' high-level programming languages. The typical software speeds listed in table 2 may be compared against Wiener's 50 million key-per-second 1993 hardware implementation [Wie94].
DES is very difficult to express in TIGER until source-language constructs to support bit-permutations are added, and so a reconfigurable implementation of DES was not possible within the scope of this present work. Because of its importance to the financial industry and others, it has commerically-obtainable hardware implementations to which we can compare our paper-study results; our assumption is that DES is not easier to implement than TEA.
RC5 is a cipher proposed by Ron Rivest, which is used in RSA Data Securities' products and in a number of Internet protocols. It was explicitly designed to be simple to implement in software; i.e. no bit permutations are used. Even so, table 2 demonstrates only a 50% speed increase over DES, using highly-optimized versions of both algorithms. The lackluster performance is likely due to key-setup times; Rivest designed a lengthy sub-key generation phase into the algorithm to make brute-force key-searching substantially more difficult without slowing down conventional one-key uses of RC5.
RC5 is a 12-round algorithm, not counting 78 rounds of key setup, making this algorithm difficult to implement non-iteratively. In addition, the wide addition steps required by RC5 are costly to implement quickly in an FPGA; the RC5 algorithm will not fit in the Xilinx XC4010 we are targeting.
TEA is the simplest algorithm of the three; it uses many rounds to counter the simplicity of its round function. The author's claim of triple the speed of DES in software seems to be warranted; table 2 shows a speed-up of closer to four. The wide additions of the algorithm make it likely that the hardware complexity of TEA is comparable to that of DES. The TEA algorithm very nearly fills a Xilinx XC4010 chip; this puts its complexity as (very roughly) 10,000 gates. Eberle's GaAs DES implementation [Ebe93] uses somewhere between 4,000 and 15,000 gates.