Phil Karn wonders where all the speed comes from in reports of fast software DES. I believe that the really fast DES variants use extremely large computed-at-key-init S-box tables. As I recall, these implementations tend to pay for it in terms of setup time, which makes them less that completely appropriate for multiple IP encryption, each with its own key and where only a few dozen encryptions are done per packet. The cost to change keys is paid for either in use of memory for multiple precomputed S-box sets (an attendant swapping) or in a high key-setup to encryption ratio. For a link cipher where the key doesn't change much, these fast implementations are right. For a situation where keys change frequently, they may not be a system win. Thanks to Perry Metzger for alerting me to this issue. Eric