Re: [Cfrg] ECC reboot

Andy Lutomirski <luto@amacapital.net> Thu, 23 October 2014 18:29 UTC

Return-Path: <luto@amacapital.net>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA9931A0262 for <cfrg@ietfa.amsl.com>; Thu, 23 Oct 2014 11:29:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Asklf_gRsa2i for <cfrg@ietfa.amsl.com>; Thu, 23 Oct 2014 11:29:55 -0700 (PDT)
Received: from mail-la0-f50.google.com (mail-la0-f50.google.com [209.85.215.50]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D11D1A1ABA for <cfrg@irtf.org>; Thu, 23 Oct 2014 11:29:55 -0700 (PDT)
Received: by mail-la0-f50.google.com with SMTP id s18so1369387lam.37 for <cfrg@irtf.org>; Thu, 23 Oct 2014 11:29:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=OrUXnV/Ee+XsBJEpMHwE8W2WwVNvF0HhdS02OHQ5THs=; b=Xmb14QPGSMOOgeHiSZqIMBPNJ03cRuuyGdT9gsuiHthpmowlOqp6/J3vDHbUdqrlWU daz0SGxbit68l1Xho1sW1P7qnbRN8yW4vy/yeuHRAuMjo2HfHhtfLUMOpUN0zJ0YKUdI KNGVWggVs+/nhJAnlIVfDfth9s+qkCTz0RYMPCfAO0cE1sDhUZstWqo3//0kgV3X+L3Y tmzm8GZfpjuUi3b6FruWOqOhy5oWrAQo7xRQbq8xm1eHp1sYwBNWFJ0x/HQp11qIL1RA TC6blEvVCsb068ah1jpoBygE38gTXrm4FVW/Oo9eXOEhcawNuxZBMlCyrTjevrGl/dZS bNRA==
X-Gm-Message-State: ALoCoQmTF1TOvSJWeiT3d6rbu3sMnaMnqXrxBYR3DUKjAAKojXj3X89Osmnd7Dhy/gA37EzIQaMX
X-Received: by 10.152.30.33 with SMTP id p1mr6879269lah.78.1414088542899; Thu, 23 Oct 2014 11:22:22 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.152.4.71 with HTTP; Thu, 23 Oct 2014 11:22:02 -0700 (PDT)
In-Reply-To: <CAMm+Lwi-X5_Bh-dwe54uzratLzpds=719F=hzpATCME4wDqxhA@mail.gmail.com>
References: <D065A817.30406%kenny.paterson@rhul.ac.uk> <54400E9F.5020905@akr.io> <CAMm+LwhVKBfcfrXUKmVXKsiAMRSTV+ws+u07grmxkfnR2oYJoQ@mail.gmail.com> <5218FD35-E00A-413F-ACCB-AA9B99DEF48B@shiftleft.org> <m3r3y6z3z8.fsf@carbon.jhcloos.org> <CA+Vbu7x4Y_=JZ9Ydp=U5QnJokL28QMQnV4XUn9S6+CUZR9ozEw@mail.gmail.com> <5444D89F.5080407@comodo.com> <90C609A5-ECB2-4FDC-9669-5830F3463D2B@akr.io> <5448DBE2.10107@comodo.com> <CACsn0cne95adtTbCf6WyAZGyCSyLXo5L0302rm7238yHAsE5EQ@mail.gmail.com> <54493DB1.5070204@akr.io> <CALCETrWjR4ROJJFBTo-zAVUg6t50ppm0O_fd=gf2tCr8-evDwg@mail.gmail.com> <CAMm+Lwi-X5_Bh-dwe54uzratLzpds=719F=hzpATCME4wDqxhA@mail.gmail.com>
From: Andy Lutomirski <luto@amacapital.net>
Date: Thu, 23 Oct 2014 11:22:02 -0700
Message-ID: <CALCETrVicR0hj3oi1xCwfG9Z0n0PpBsrCCW7AGBo_-tpxcq3Rw@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/of7yG8qjIAlVEFkQcZBrUXFz9bg
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] ECC reboot
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Oct 2014 18:29:57 -0000

On Thu, Oct 23, 2014 at 11:17 AM, Phillip Hallam-Baker
<phill@hallambaker.com> wrote:
>
>
> On Thu, Oct 23, 2014 at 1:49 PM, Andy Lutomirski <luto@amacapital.net>
> wrote:
>>
>> On Thu, Oct 23, 2014 at 10:41 AM, Alyssa Rowan <akr@akr.io> wrote:
>> >> How long do you think it would take to make an HSM that supports
>> >> our choice?
>> >
>> > Depends: from what I've seen a few HSMs are flexible enough to run
>> > whatever we choose. (I'll refrain from discussion of specific vendors:
>> > it is for them to speak up if they wish.)
>>
>> This seems like a good time to point out that Intel SGX is coming
>> soon.  With SGX, some performance-critical HSM applications could be
>> replaced with hardware-assisted secure *software* enclaves on
>> supported Intel chips.
>>
>> For this application, the relevant factors will be software speed
>> (because it's just x86 software), freedom from timing attacks, and
>> freedom from secrets being leaked in memory access patterns.
>>
>> Some users might require certification, but there will be no
>> additional hardware development effort whatsoever to add new curves.
>
>
> And the AVX-512 extensions provide 512 bit native registers.
>

I feel like you're arguing against a straw man here.  Unless I
misunderstand, the fastest implementations of 512-bit curves don't fit
in 512-bit registers either.

Ed448-goldilocks, on the other hand, might.  Mike?

> I don't think it very likely we can persuade any chip vendor to lay down
> extra signal lines for 521 bits and if they did a 1024 bit data path we
> would be looking at using all of it, not just 9 extra bits.

Wait, what?  Are you suggesting using primes closer to 1024 bits?
That seems even more excessive that 512 or 521 bits.

--Andy