Re: [Cfrg] Hardware requirements for elliptic curves

Alyssa Rowan <akr@akr.io> Thu, 04 September 2014 17:44 UTC

Return-Path: <akr@akr.io>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B52181A010A for <cfrg@ietfa.amsl.com>; Thu, 4 Sep 2014 10:44:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.798
X-Spam-Level:
X-Spam-Status: No, score=0.798 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I6WcqM_cIjs5 for <cfrg@ietfa.amsl.com>; Thu, 4 Sep 2014 10:44:14 -0700 (PDT)
Received: from entima.net (entima.net [78.129.143.175]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B35BA1A00DC for <cfrg@irtf.org>; Thu, 4 Sep 2014 10:44:14 -0700 (PDT)
Message-ID: <5408A4F0.1090707@akr.io>
Date: Thu, 04 Sep 2014 18:44:16 +0100
From: Alyssa Rowan <akr@akr.io>
MIME-Version: 1.0
To: cfrg@irtf.org
References: <85d1c59362684615b0beeea1c2a48dd8@AMSPR04MB518.eurprd04.prod.outlook.com> <828996e7-465b-4c92-b91c-b5604365f986@email.android.com> <12A4E7B4-8303-449F-A04B-8366BBC5B1E3@shiftleft.org> <54086138.6070205@secunet.com>
In-Reply-To: <54086138.6070205@secunet.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/20GnXQIiNAsWutOt2934o3IIZPw
Subject: Re: [Cfrg] Hardware requirements for elliptic curves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Sep 2014 17:44:16 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 04/09/2014 13:55, Johannes Merkle wrote:

>> I agree with Alyssa that hardware performance isn’t our concern
>> here.
> I disagree with this oversimplification.

Mm, I do think that's an oversimplification. Let me clarify.

I don't think hardware performance should be _completely_ disregarded
- - merely that it shouldn't be a _primary_ consideration for us (as it
clearly is, for - for example - NIST & NSA, due to their own needs).

• The vast majority of users overall use software crypto
  implementations. That will probably continue, although the exact
  proportion may change. (Heartbleed may indeed encourage increased HSM
  adoption.)

• Many 'hardware crypto' implementations (HSMs/smartcards/etc) I've
  seen myself more closely resemble, or literally are, microcontrollers/
  microprocessors running highly specialist firmware. This approach has
  several advantages: much greater algorithmic agility versus "glacial"
  hardware cycles via firmware updates; the ability for more
  comprehensive side-channel protection; the potential for
  'correctness' proofs of the software, etc.

• Use of actual fixed-function hardware crypto's relatively rare.
  There's lots of (no offence intended) earlier generations of hardware
  with a few conservative iterative changes. (e.g. Hardware RSA/3DES
  /SHA-1/AES, but firmware secp224r1 & secp256r1, to give one concrete
  example: the firmware's actually faster, and I would say has a lower
  side-channel profile.)

• I think any such device implementing anything we choose is most
  likely to be either a brand-new fixed-function implementation (such
  as the X25519 one contributed to cryptech.is?) - in which case it
  isn't glued to a side-channel defence which performs well only with
  random primes (...not even Solinas primes? Hmm...), but can use _new_
  ones which work with whatever we do choose - or it's going to do it
  in the firmware because fixed-function hardware often tends to be,
  fairly, well... _fixed_.

I don't think we should consider ourselves needlessly hobbled by
inflexible, legacy hardware implementations: they are not really our
new recommendations' primary target audience, as much as software is -
and if hardware is, it's likely to be _new_ generations of hardware,
not the old stuff.

So let's pick something which performs well in both software _and_
hardware - and that weighs against random primes, in my estimation.

- -- 
/akr
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJUCKTwAAoJEOyEjtkWi2t6HLUP/2CN54sYA3+khMrpwJyPilGF
L0ssXhEfPZypacFIiwCgM2X5PPhmS6Zw3szT03UU/NkCtZ8IWUxm7NqPeP9mzq9b
T3/mH6m300dRLLti4evzREzGH79LXfmyK2RVgO8lSpj10+Wjhj+QqkBOwsbC3v2r
ClwNVoqmPa4waIeeeuj7yYBVwjVhBX/vhVivpUOG6T9Fr2HWAJ4UEsjtulTq59gG
UnPHPo8kQY3qh3Gmg+7Of/CVWaZZg1yMSt5JFfnIZ8ISTwAJ4lKWFTRDBqABcj3R
OQk1AiUYzJ7m1nUt9EmCEWcs7FymqGM1+overouLXjxIJooLAossR/1Wa0+WsqP6
bmrSCm2LeSYPovxJfHiGtR0lAtsmcssNBpNo3712XMEdyHwcrLYCfdKLXtq4GhQM
WjuWDBwYkXttUW46xZwEoXAEc7O/r0RDpYW6eSnsyk5cMK51ovq50QRllS0OKmYo
Rog070IXsbEcmxJTO12YKl8P6E45XlVmJyzOxVoitde8ffmVn/DWtQwkTWd7N7dS
FrBzBhedUMN7ZFPkawGMsaNoyl/Zw7uTQA83LRcEz01FO5dIHBa9lQlWvbJLuSCX
dnblJo1cUa29rqLvyGJhCu90UCZYy6jX0Jj9ku0KcXpxVg3eiECVvtSQpCL85fp6
MV/Ofu3nz88RH18elQv7
=0P76
-----END PGP SIGNATURE-----