AES Key Agility Issues in High-Speed IPsec Implementations
May 15, 2000
Some high-speed IPsec hardware systems need to support many thousands of security associations.
The cost of switching among different encryption keys can dramatically affect throughput, particularly
for the very common case of small packets. Three of the AES finalists (Rijndael, Serpent, and Twofish)
provide very high key agility, as is required for such applications. The other two candidates (MARS,
RC6) exhibit low key agility and may not be appropriate for use in such equipment.
Keywords: cryptography, block cipher, AES, key agility, IPsec, performance.
The ultimate winner of the AES “contest” will be
used in many different applications, with widely
varying cost and performance constraints. IPsec will
almost certainly adopt AES, dramatically speeding
up software implementations over the currently pre-
dominant algorithm (triple-DES).
In high-speed routers and other networking boxes
that apply IPsec [KA98c, KA98a, MG98a, MG98b,
MD98, KA98b, Pip98, MSST98, HC98, GK98,
TDG98, PA98] to aggregated traffic, hardware en-
cryption is almost always necessary to meet per-
formance objectives. For some applications, such
equipment may have to handle thousands or tens
of thousands of security associations. In such envi-
ronments, the cost of switching between encryption
keys for different security associations may be a sig-
nificant issue, particularly for the important case of
small packets (e.g., 64 bytes).
This paper attempts to quantify the key agility of
each AES candidate algorithm and assess the per-
formance impact of this metric on high-performance
2 Why IPsec?
Although encryption can be used in many places in
the Internet, the focus in this paper is on IPsec be-
cause of its unique characteristics. First, as noted
above, it is often employed in contexts where hard-
ware implementations are useful. Second, it is in
some sense an extreme case in that it requi