Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!sri-unix!rutgers!bellcore!faline!karn
From: karn@faline.bellcore.com (Phil R. Karn)
Newsgroups: sci.crypt
Subject: Re: Design for a DES-breaker
Message-ID: <1483@faline.bellcore.com>
Date: Sat, 17-Oct-87 18:08:04 EDT
Article-I.D.: faline.1483
Posted: Sat Oct 17 18:08:04 1987
Date-Received: Sun, 18-Oct-87 22:38:57 EDT
References: <7449@reed.UUCP-> <1409@osiris.UUCP> <289@apr.UUCP> <6491@apple.UUCP>
Organization: Bell Communications Research, Inc
Lines: 19
Summary: each round requires a table lookup

> I'm not sure that this is true. What happens at each stage is a permutation
> and an xor. If each stage doesn't have to share the permutation logic, then
> its simply wires, not lots of wires + a 16 way mux

Each round in DES involves an expansion, exclusive-OR, a ROM table
lookup (the S-boxes) followed by a permutation (P-boxes) and then
another exclusive-OR.  Except for the Initial Permutation (IP) and
Reverse Initial Permutation (IP-1) which you could factor out of the
algorithm and do once externally, *all* of the work in encrypting and
decrypting has to be repeated at each round.  You also need to generate
different sub-keys for each round. So I think an estimate of 16x chip
area for a pipelined DES chip over a non pipelined version is reasonable.

While wires may be "free" in terms of propagation time, they are not at all
free in terms of chip area. Complicated wire crossings like the P boxes
in DES may take up a considerable amount of real estate, making the chip
much less dense than a regular device like a RAM.

Phil