Re: [Cfrg] Hardware requirements for elliptic curves

Andy Lutomirski <luto@amacapital.net> Thu, 04 September 2014 17:57 UTC

Return-Path: <luto@amacapital.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D75D1A016B for <cfrg@ietfa.amsl.com>; Thu, 4 Sep 2014 10:57:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VecH7Y_xb5xD for <cfrg@ietfa.amsl.com>; Thu, 4 Sep 2014 10:57:45 -0700 (PDT)
Received: from mail-la0-f50.google.com (mail-la0-f50.google.com [209.85.215.50]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1FAF1A0123 for <cfrg@irtf.org>; Thu, 4 Sep 2014 10:57:44 -0700 (PDT)
Received: by mail-la0-f50.google.com with SMTP id mc6so12475932lab.9 for <cfrg@irtf.org>; Thu, 04 Sep 2014 10:57:42 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding; bh=KTvOqaei6KX89re88Bgj/EviWAyRm4vvsAPQlLFy6R0=; b=X4yYrIK3aJW1pLPdjy4pmsI3CfiuXICozu3rnkHRx/mi1Jt6ExLB9+aX5iImBMCn+L jq8C1q3EYtxwjyIS4Zme6ToolU7pDNFF77rSUmuolGWDwLFIzOlVaamTqo0ERLRgEnK7 ML0pFokfXibVOi8zWKqUOblDG+XLONDaFXYCgPnxtxuu3QG9tET4Pq6DObcHfp4mcPA8 xCfdvx9M76RpmkRQTKKIW9Qw1D3g2Ay6V8YaKHA0o4F7Pe5bDcxIk2y4NBIuZp+NCJ1S ZiEbrqPHXgCTb7+7VVq9ZxLQJWLug6rxkpKwph37TVshPn8pR/QabYuXYg4pYoMfzO6H Hcyg==
X-Gm-Message-State: ALoCoQkqfw10fJoJty6x3gfo9ABpQ0aBErXOq+b4E9vJQ+5K31qL3W/07vLFoxljVw5BycKY3ZTQ
X-Received: by 10.112.50.230 with SMTP id f6mr6002055lbo.56.1409853462557; Thu, 04 Sep 2014 10:57:42 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.152.36.106 with HTTP; Thu, 4 Sep 2014 10:57:22 -0700 (PDT)
In-Reply-To: <5408A4F0.1090707@akr.io>
References: <85d1c59362684615b0beeea1c2a48dd8@AMSPR04MB518.eurprd04.prod.outlook.com> <828996e7-465b-4c92-b91c-b5604365f986@email.android.com> <12A4E7B4-8303-449F-A04B-8366BBC5B1E3@shiftleft.org> <54086138.6070205@secunet.com> <5408A4F0.1090707@akr.io>
From: Andy Lutomirski <luto@amacapital.net>
Date: Thu, 4 Sep 2014 10:57:22 -0700
Message-ID: <CALCETrXM0X92k-YCF6Xs2t3P09T1rVr9u2Na+b=qnwp0-Hq7iQ@mail.gmail.com>
To: Alyssa Rowan <akr@akr.io>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/DSZBFn055wOQybylQTC2wdMMGUw
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Hardware requirements for elliptic curves
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Sep 2014 17:57:46 -0000

On Thu, Sep 4, 2014 at 10:44 AM, Alyssa Rowan <akr@akr.io>; wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 04/09/2014 13:55, Johannes Merkle wrote:
>
>>> I agree with Alyssa that hardware performance isn’t our concern
>>> here.
>> I disagree with this oversimplification.
>
> Mm, I do think that's an oversimplification. Let me clarify.
>
> I don't think hardware performance should be _completely_ disregarded
> - - merely that it shouldn't be a _primary_ consideration for us (as it
> clearly is, for - for example - NIST & NSA, due to their own needs).
>
> • The vast majority of users overall use software crypto
>   implementations. That will probably continue, although the exact
>   proportion may change. (Heartbleed may indeed encourage increased HSM
>   adoption.)
>
> • Many 'hardware crypto' implementations (HSMs/smartcards/etc) I've
>   seen myself more closely resemble, or literally are, microcontrollers/
>   microprocessors running highly specialist firmware. This approach has
>   several advantages: much greater algorithmic agility versus "glacial"
>   hardware cycles via firmware updates; the ability for more
>   comprehensive side-channel protection; the potential for
>   'correctness' proofs of the software, etc.
>

To add to this point, I expect that we'll see a lot more adoption of
hardware-protected software crypto in the relatively near future.
This could involve tricks like using TrustZone on phones (not
open-source friendly, essentially unauditable, and inflexible) or
virtual tokens using Intel SGX (IMO a vastly superior solution).

For this type of hardware-protected security, the performance
considerations will be almost exactly the same as for software crypto.

--Andy