"Lucky Green" <shamrock@cypherpunks.to> writes:

Peter wrote:

...

In case anyone's interested, there's a cpu die photo at http://www.sandpile.org/impl/pics/centaur/c5xl/die_013_c5p.jpg showing the amount of real estate consumed by the crypto functions (it's the bottom centre, a bit hard to read the label).

I fail to understand why VIA bothered adding AES support into the CPU. When was AES last the bottleneck on a general-purpose CPU?

Apart from the obvious "what cool thing can we fit in -> <- this much spare die space?", the obvious target is SOHO routers/firewall boxes. My spies tell me that it's already being used in a number of products like this, and the addition of AES will help the process. Hardware SHA-1 in the next rev makes it even better, since you can now do IPsec and SSL tunneling purely in hardware (and then you lose it all again in the crappy Rhine II NIC, but that's another story).

The bottleneck tends to be modular exponentiations, yet VIA failed to include a modular exponentiation engine. Strange.

Not for SOHO use it isn't, the initial handshake overhead is negligible compared to the constant link encryption overhead. The alternative is to do the crypto externally, for which you're paying for an expensive and power- hungry crypto core capable of doing a zillion DH/RSA ops/sec that gets used once every few hours. The alternative is to load or load your standard firewall firmware into a Nehemiah and offload all the crypto and RNG stuff. Peter.