Den ons 17 jan. 2024 21:11D. J. Bernstein <d...@cr.yp.to> skrev: > > > if we manage to eliminate a significant (albeit not huge) > > amount of cycles through a careful security analysis that needs to be > > done once, I expect this to be helpful for adoption. > > I don't see how this argument survives quantification regarding the > hashes that we're talking about. Sending 1KB of ciphertext has roughly > the same dollar cost as 2 million CPU cycles; why would the application > care about a combiner spending 10000 or even 20000 cycles on hashing? >
This assumes performance requirements only comes from settings like datacenters, but this is also likely to eventually get used in embedded devices some of which may be battery powered. Consider NFC devices such as security keys (typically 1-10 mW, less than 100 Kbps, and few available cycles). >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
