[Cryptography] Key meshing (Re: [Crypto-practicum] Retire all 64-bit block ciphers.)

Ray Dillinger bear at sonic.net
Tue Aug 30 18:33:14 EDT 2016



On 08/30/2016 09:22 AM, Phillip Hallam-Baker wrote:

> Of course with DES you have the problem of weak keys but these days we
> consider weak keys as disqualifying a cipher completely.
> 
> The main reason for not doing this seems to be that the key schedule has to
> be recalculated and that was expensive for DES. But that shouldn't be a
> major problem on a modern CPU.


Depends on how much and how often.  Servers in big server clusters
are pretty precisely tuned in terms of how many connections they serve;
what doesn't impose a detectable penalty on a desktop machine still
matters in terms of how many servers you need to handle ten thousand
simultaneous sessions.

In response to your question, almost every Feistel-type cipher has
poor key agility.  The construction you mention, if deployed and
used for general purposes as a symmetric cipher, would multiply
the cost of servers by a non-trivial amount.

For a few brief years, the advance of CPUs was vastly in advance
of the available bandwidth. The desktop machine that pegged its
CPU for a few seconds of each day was the design target, and CPU
costs didn't really matter.  But now it matters again because
bandwidth allows people running servers to use all the CPU they
can afford.

For a few brief years, the advance of CPUs didn't permit them to
be battery-powered under normal circumstances. The desktop machine
with a plug in a wall socket was the design target, and CPU costs
didn't really matter.  But now it matters again because CPUs have
gotten small enough to run on batteries, but battery power still
limits CPU cycles.

				Bear
