Re: [Cfrg] Hardware requirements for elliptic curves

Ilari Liusvaara <> Mon, 15 September 2014 18:09 UTC

Date: Mon, 15 Sep 2014 20:26:37 +0300
From: Ilari Liusvaara <>
To: "Lochter, Manfred" <>
Message-ID: <20140915172637.GA30420@LK-Perkele-VII>
Subject: Re: [Cfrg] Hardware requirements for elliptic curves

On Mon, Sep 15, 2014 at 05:43:19PM +0200, Lochter, Manfred wrote:
> __________ original message __________
> From:		Alyssa Rowan <>
> > and the sheer cost-multiplication 
> > potential of a proposal to mandate the option of using
> > relatively-inefficient crypto near-universally across the web - including
> > at CDN scale!?
> What is your measure for inefficiency? Cost per Signature? Or time per 
> signature? Or something different? Relatively to what?

Both cost per signature and cost per verification of signature. This can fairly
easily be 2x the cost.

And nobody wants that sort of cost, unless 1) Legally mandated to. 2) Having
to interoperate.

And nobody is proposing to remove the Brainpool codepoints from TLS. Special
servers that communicate with smartcards or whatever (most don't!) can
implement those.

Having to implement random curves would be RFC6919 "MUST (but we know you

> >
> > If your hardware is truly securely flexible, then you can adapt with no
> > trouble; if it's not flexible enough to securely work with efficient sparse
> > primes that also perform well in software, well, you probably need to
> > consider at least updating it so it is (how is it with the NIST "Solinas
> > primes"? Equally bad, one would have thought? Yet they're the most deployed
> > by far...).
> This is not a hardware question. Actually the problem is that curves over 
> special primes need more SCA countermeasures. This is also true for software 
> running on a general purpose processor.

One problem here is that general purpose CPUs are hugely complex, so it is
very difficult to know how various operations affect side channels like EM
or PA. But withstanding software-only attacks (and that goes far beyond
global timing) is likely a huge help here.

And those software-only attacks are not jokes. Modern CPUs and OSes tend
to be extremely vulnerable.

Special-purpose crypto chips can at least be designed at hardware level to
reduce SCA attacks (sometimes well, sometimes badly).