Re: [Cfrg] ECC reboot

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 23 October 2014 18:17 UTC

In-Reply-To: <CALCETrWjR4ROJJFBTo-zAVUg6t50ppm0O_fd=gf2tCr8-evDwg@mail.gmail.com>
References: <D065A817.30406%kenny.paterson@rhul.ac.uk> <54400E9F.5020905@akr.io> <CAMm+LwhVKBfcfrXUKmVXKsiAMRSTV+ws+u07grmxkfnR2oYJoQ@mail.gmail.com> <5218FD35-E00A-413F-ACCB-AA9B99DEF48B@shiftleft.org> <m3r3y6z3z8.fsf@carbon.jhcloos.org> <CA+Vbu7x4Y_=JZ9Ydp=U5QnJokL28QMQnV4XUn9S6+CUZR9ozEw@mail.gmail.com> <5444D89F.5080407@comodo.com> <90C609A5-ECB2-4FDC-9669-5830F3463D2B@akr.io> <5448DBE2.10107@comodo.com> <CACsn0cne95adtTbCf6WyAZGyCSyLXo5L0302rm7238yHAsE5EQ@mail.gmail.com> <54493DB1.5070204@akr.io> <CALCETrWjR4ROJJFBTo-zAVUg6t50ppm0O_fd=gf2tCr8-evDwg@mail.gmail.com>
Date: Thu, 23 Oct 2014 14:17:35 -0400
Message-ID: <CAMm+Lwi-X5_Bh-dwe54uzratLzpds=719F=hzpATCME4wDqxhA@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Andy Lutomirski <luto@amacapital.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/40zPv5UXLEzq9U4PYiA0ieI-QH4
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] ECC reboot

On Thu, Oct 23, 2014 at 1:49 PM, Andy Lutomirski <luto@amacapital.net>
wrote:

> On Thu, Oct 23, 2014 at 10:41 AM, Alyssa Rowan <akr@akr.io> wrote:
> >> How long do you think it would take to make an HSM that supports
> >> our choice?
> >
> > Depends: from what I've seen a few HSMs are flexible enough to run
> > whatever we choose. (I'll refrain from discussion of specific vendors:
> > it is for them to speak up if they wish.)
>
> This seems like a good time to point out that Intel SGX is coming
> soon.  With SGX, some performance-critical HSM applications could be
> replaced with hardware-assisted secure *software* enclaves on
> supported Intel chips.
>
> For this application, the relevant factors will be software speed
> (because it's just x86 software), freedom from timing attacks, and
> freedom from secrets being leaked in memory access patterns.
>
> Some users might require certification, but there will be no
> additional hardware development effort whatsoever to add new curves.
>

And the AVX-512 extensions provide 512-bit native registers.

I don't think it very likely we can persuade any chip vendor to lay down
extra signal lines for 521 bits, and if they did a 1024-bit data path, we
would be looking at using all of it, not just 9 extra bits.

256- and 512-bit-wide paths are already starting to appear of their own
accord as a multipurpose feature.