Re: [Cfrg] Hardware requirements for elliptic curves
Andy Lutomirski <luto@amacapital.net> Thu, 04 September 2014 17:57 UTC
Return-Path: <luto@amacapital.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D75D1A016B for <cfrg@ietfa.amsl.com>; Thu, 4 Sep 2014 10:57:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VecH7Y_xb5xD for <cfrg@ietfa.amsl.com>; Thu, 4 Sep 2014 10:57:45 -0700 (PDT)
Received: from mail-la0-f50.google.com (mail-la0-f50.google.com [209.85.215.50]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1FAF1A0123 for <cfrg@irtf.org>; Thu, 4 Sep 2014 10:57:44 -0700 (PDT)
Received: by mail-la0-f50.google.com with SMTP id mc6so12475932lab.9 for <cfrg@irtf.org>; Thu, 04 Sep 2014 10:57:42 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding; bh=KTvOqaei6KX89re88Bgj/EviWAyRm4vvsAPQlLFy6R0=; b=X4yYrIK3aJW1pLPdjy4pmsI3CfiuXICozu3rnkHRx/mi1Jt6ExLB9+aX5iImBMCn+L jq8C1q3EYtxwjyIS4Zme6ToolU7pDNFF77rSUmuolGWDwLFIzOlVaamTqo0ERLRgEnK7 ML0pFokfXibVOi8zWKqUOblDG+XLONDaFXYCgPnxtxuu3QG9tET4Pq6DObcHfp4mcPA8 xCfdvx9M76RpmkRQTKKIW9Qw1D3g2Ay6V8YaKHA0o4F7Pe5bDcxIk2y4NBIuZp+NCJ1S ZiEbrqPHXgCTb7+7VVq9ZxLQJWLug6rxkpKwph37TVshPn8pR/QabYuXYg4pYoMfzO6H Hcyg==
X-Gm-Message-State: ALoCoQkqfw10fJoJty6x3gfo9ABpQ0aBErXOq+b4E9vJQ+5K31qL3W/07vLFoxljVw5BycKY3ZTQ
X-Received: by 10.112.50.230 with SMTP id f6mr6002055lbo.56.1409853462557; Thu, 04 Sep 2014 10:57:42 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.152.36.106 with HTTP; Thu, 4 Sep 2014 10:57:22 -0700 (PDT)
In-Reply-To: <5408A4F0.1090707@akr.io>
References: <85d1c59362684615b0beeea1c2a48dd8@AMSPR04MB518.eurprd04.prod.outlook.com> <828996e7-465b-4c92-b91c-b5604365f986@email.android.com> <12A4E7B4-8303-449F-A04B-8366BBC5B1E3@shiftleft.org> <54086138.6070205@secunet.com> <5408A4F0.1090707@akr.io>
From: Andy Lutomirski <luto@amacapital.net>
Date: Thu, 04 Sep 2014 10:57:22 -0700
Message-ID: <CALCETrXM0X92k-YCF6Xs2t3P09T1rVr9u2Na+b=qnwp0-Hq7iQ@mail.gmail.com>
To: Alyssa Rowan <akr@akr.io>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/DSZBFn055wOQybylQTC2wdMMGUw
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Hardware requirements for elliptic curves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Sep 2014 17:57:46 -0000
On Thu, Sep 4, 2014 at 10:44 AM, Alyssa Rowan <akr@akr.io> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > On 04/09/2014 13:55, Johannes Merkle wrote: > >>> I agree with Alyssa that hardware performance isn’t our concern >>> here. >> I disagree with this oversimplification. > > Mm, I do think that's an oversimplification. Let me clarify. > > I don't think hardware performance should be _completely_ disregarded > - - merely that it shouldn't be a _primary_ consideration for us (as it > clearly is, for - for example - NIST & NSA, due to their own needs). > > • The vast majority of users overall use software crypto > implementations. That will probably continue, although the exact > proportion may change. (Heartbleed may indeed encourage increased HSM > adoption.) > > • Many 'hardware crypto' implementations (HSMs/smartcards/etc) I've > seen myself more closely resemble, or literally are, microcontrollers/ > microprocessors running highly specialist firmware. This approach has > several advantages: much greater algorithmic agility versus "glacial" > hardware cycles via firmware updates; the ability for more > comprehensive side-channel protection; the potential for > 'correctness' proofs of the software, etc. > To add to this point, I expect that we'll see a lot more adoption of hardware-protected software crypto in the relatively near future. This could involve tricks like using TrustZone on phones (not open-source friendly, essentially unauditable, and inflexible) or virtual tokens using Intel SGX (IMO a vastly superior solution). For this type of hardware-protected security, the performance considerations will be almost exactly the same as for software crypto. --Andy
- [Cfrg] Hardware requirements for elliptic curves Joppe Bos
- Re: [Cfrg] Hardware requirements for elliptic cur… Alyssa Rowan
- Re: [Cfrg] Hardware requirements for elliptic cur… Michael Hamburg
- Re: [Cfrg] Hardware requirements for elliptic cur… Johannes Merkle
- Re: [Cfrg] Hardware requirements for elliptic cur… Michael Hamburg
- Re: [Cfrg] Hardware requirements for elliptic cur… Alyssa Rowan
- Re: [Cfrg] Hardware requirements for elliptic cur… Andy Lutomirski
- Re: [Cfrg] Hardware requirements for elliptic cur… Robert Ransom
- Re: [Cfrg] Hardware requirements for elliptic cur… Lochter, Manfred
- Re: [Cfrg] Hardware requirements for elliptic cur… Johannes Merkle
- Re: [Cfrg] Hardware requirements for elliptic cur… Wieland.Fischer
- Re: [Cfrg] Hardware requirements for elliptic cur… Alyssa Rowan
- Re: [Cfrg] Hardware requirements for elliptic cur… Watson Ladd
- Re: [Cfrg] Hardware requirements for elliptic cur… Patrick Georgi
- Re: [Cfrg] Hardware requirements for elliptic cur… Paul Lambert
- Re: [Cfrg] Hardware requirements for elliptic cur… Torsten Schuetze
- Re: [Cfrg] Hardware requirements for elliptic cur… Torsten Schuetze
- Re: [Cfrg] Hardware requirements for elliptic cur… Andy Lutomirski
- Re: [Cfrg] Hardware requirements for elliptic cur… Mike Hamburg
- Re: [Cfrg] Hardware requirements for elliptic cur… Torsten Schuetze
- Re: [Cfrg] Hardware requirements for elliptic cur… Watson Ladd
- Re: [Cfrg] Hardware requirements for elliptic cur… Mike Hamburg
- Re: [Cfrg] Hardware requirements for elliptic cur… Alyssa Rowan
- Re: [Cfrg] Hardware requirements for elliptic cur… Lochter, Manfred
- Re: [Cfrg] Hardware requirements for elliptic cur… Alyssa Rowan
- Re: [Cfrg] Hardware requirements for elliptic cur… Dirk Feldhusen
- Re: [Cfrg] Hardware requirements for elliptic cur… Lochter, Manfred
- Re: [Cfrg] Hardware requirements for elliptic cur… Ilari Liusvaara
- Re: [Cfrg] Hardware requirements for elliptic cur… Watson Ladd
- Re: [Cfrg] Hardware requirements for elliptic cur… Peter Gutmann
- [Cfrg] Trusting government certifications of cryp… D. J. Bernstein
- Re: [Cfrg] Trusting government certifications of … David Jacobson
- Re: [Cfrg] Trusting government certifications of … Torsten Schütze
- Re: [Cfrg] Trusting government certifications of … Watson Ladd
- Re: [Cfrg] Trusting government certifications of … Dirk Feldhusen
- Re: [Cfrg] Trusting government certifications of … Michael Hamburg
- Re: [Cfrg] Trusting government certifications of … Dirk Feldhusen
- Re: [Cfrg] Trusting government certifications of … Lochter, Manfred
- Re: [Cfrg] Trusting government certifications of … Mike Hamburg
- Re: [Cfrg] Primes vs. hardware side channels David Leon Gil
- [Cfrg] Primes vs. hardware side channels D. J. Bernstein
- Re: [Cfrg] Primes vs. hardware side channels Alyssa Rowan