On Mon, Jun 29, 2015 at 9:36 AM, Johannes Merkle <[email protected]> wrote:
>
> Trevor Perrin wrote on 26.06.2015 at 01:35:
>>
>> Are there cases where separate standards for asymmetric crypto for HW
>> vs SW was a good idea? [...]
>
> I don't think there is (other) precedence for such a separation in the
> standards. Which doesn't mean that it isn't a good idea if the
> requirements differ considerably.
I'm not convinced yet that HW and SW requirements do differ considerably.

> Of course, in theory, hardware can also be optimized for special primes.
> However, it's one thing to implement a specialized multiplier as a
> prototype but a very different thing to develop this as a product. I
> talked about that with the guys from Infineon and NXP. They say that they
> have to maintain hardware implementations for general primes anyway, e.g.
> for RSA. Their implementations are not replaced with new versions but
> continuously evolving, going back to the very first implementations in
> the early 90s. For them, developing a new multiplier from scratch and
> maintaining it as a second product is a complete no-go as this would imply
> tremendous additional costs. You have to take into account that they have
> to certify their chips according to CC EAL4+ or higher, which is a very
> lengthy and expensive process. (Additional certifications are required
> for the smart card operating system and crypto applications based on the
> chip.) Costs and resources for product management would also double.

OK, so some people won't implement special multipliers in HW.

For 25519 they wouldn't get the ~2x speedup due to special primes that
optimized implementations get. If they use a particular blinding
countermeasure they'll take a ~1.2x slowdown due to the larger blinding
factor, but won't that be balanced out by the faster Edwards curve
equations?

Assuming so, then even with a generic multiplier Curve25519 is going to be
about the same speed as Brainpool curves (and perhaps faster than P-256?
What size blinding factor does P-256 need?).

I guess you'd rather have a different curve that's ~1.2x faster on this
existing HW without the opportunity for 2x optimization elsewhere? That
seems like trading off a large benefit for a much smaller one, and not
worth multiplying standards for.
Trevor
_______________________________________________
Curves mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/curves
