Re: [Cfrg] Hardware requirements for elliptic curves

[Alyssa Rowan <akr@akr.io>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 04/09/2014 13:55, Johannes Merkle wrote:

>> I agree with Alyssa that hardware performance isn’t our concern
>> here.
> I disagree with this oversimplification.

Mm, I do think that's an oversimplification. Let me clarify.

I don't think hardware performance should be _completely_ disregarded
- - merely that it shouldn't be a _primary_ consideration for us (as it
clearly is, for - for example - NIST & NSA, due to their own needs).

• The vast majority of users overall use software crypto
  implementations. That will probably continue, although the exact
  proportion may change. (Heartbleed may indeed encourage increased HSM
  adoption.)

• Many 'hardware crypto' implementations (HSMs/smartcards/etc) I've
  seen myself more closely resemble, or literally are, microcontrollers/
  microprocessors running highly specialist firmware. This approach has
  several advantages: much greater algorithmic agility versus "glacial"
  hardware cycles via firmware updates; the ability for more
  comprehensive side-channel protection; the potential for
  'correctness' proofs of the software, etc.

• Use of actual fixed-function hardware crypto's relatively rare.
  There's lots of (no offence intended) earlier generations of hardware
  with a few conservative iterative changes. (e.g. Hardware RSA/3DES
  /SHA-1/AES, but firmware secp224r1 & secp256r1, to give one concrete
  example: the firmware's actually faster, and I would say has a lower
  side-channel profile.)

• I think any such device implementing anything we choose is most
  likely to be either a brand-new fixed-function implementation (such
  as the X25519 one contributed to cryptech.is?) - in which case it
  isn't glued to a side-channel defence which performs well only with
  random primes (...not even Solinas primes? Hmm...), but can use _new_
  ones which work with whatever we do choose - or it's going to do it
  in the firmware because fixed-function hardware often tends to be,
  fairly, well... _fixed_.

I don't think we should consider ourselves needlessly hobbled by
inflexible, legacy hardware implementations: they are not really our
new recommendations' primary target audience, as much as software is -
and if hardware is, it's likely to be _new_ generations of hardware,
not the old stuff.

So let's pick something which performs well in both software _and_
hardware - and that weighs against random primes, in my estimation.

- -- 
/akr
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJUCKTwAAoJEOyEjtkWi2t6HLUP/2CN54sYA3+khMrpwJyPilGF
L0ssXhEfPZypacFIiwCgM2X5PPhmS6Zw3szT03UU/NkCtZ8IWUxm7NqPeP9mzq9b
T3/mH6m300dRLLti4evzREzGH79LXfmyK2RVgO8lSpj10+Wjhj+QqkBOwsbC3v2r
ClwNVoqmPa4waIeeeuj7yYBVwjVhBX/vhVivpUOG6T9Fr2HWAJ4UEsjtulTq59gG
UnPHPo8kQY3qh3Gmg+7Of/CVWaZZg1yMSt5JFfnIZ8ISTwAJ4lKWFTRDBqABcj3R
OQk1AiUYzJ7m1nUt9EmCEWcs7FymqGM1+overouLXjxIJooLAossR/1Wa0+WsqP6
bmrSCm2LeSYPovxJfHiGtR0lAtsmcssNBpNo3712XMEdyHwcrLYCfdKLXtq4GhQM
WjuWDBwYkXttUW46xZwEoXAEc7O/r0RDpYW6eSnsyk5cMK51ovq50QRllS0OKmYo
Rog070IXsbEcmxJTO12YKl8P6E45XlVmJyzOxVoitde8ffmVn/DWtQwkTWd7N7dS
FrBzBhedUMN7ZFPkawGMsaNoyl/Zw7uTQA83LRcEz01FO5dIHBa9lQlWvbJLuSCX
dnblJo1cUa29rqLvyGJhCu90UCZYy6jX0Jj9ku0KcXpxVg3eiECVvtSQpCL85fp6
MV/Ofu3nz88RH18elQv7
=0P76
-----END PGP SIGNATURE-----