[17559] in cryptography@c2.net mail archive


Re: Optimisation Considered Harmful

daemon@ATHENA.MIT.EDU (Ben Laurie)
Fri Jun 24 11:39:13 2005

X-Original-To: cryptography@metzdowd.com
Date: Fri, 24 Jun 2005 10:00:55 +0100
From: Ben Laurie <ben@algroup.co.uk>
To: Victor Duchovni <Victor.Duchovni@MorganStanley.com>
Cc: Jerrold Leichter <jerrold.leichter@smarts.com>,
	Cryptography <cryptography@metzdowd.com>
In-Reply-To: <20050624052537.GV32127@piias899.ms.com>

Victor Duchovni wrote:
> On Thu, Jun 23, 2005 at 07:36:38AM -0400, Jerrold Leichter wrote:
> 
> 
>>	- Develop algorithms that offer reasonable performance even if
>>		implemented in "unoptimized" ways.  This will be difficult
>>		to maintain in the face of ever-increasing hardware
>>		optimizations that you can't just turn off by "not using -O".
>>
>>	- Live with less performance and hope that raw hardware speeds will
>>		catch up.
>>
>>	- Use specialized hardware, designed not to leak side-channel
>>		information.
>>
>>	- ?
> 
> 
> 	- Find reasonably efficient masking strategies, that assume
> 	that side-channel attacks are here to stay, and randomly choose
> 	one of many isomorphic ways to perform the computation. The
> 	masking would have to eliminate key/data correlation from all
> 	"observables" other than the final output.

If it does that, why do you want to choose one of many? Surely a single 
one will do?

-- 
 >>>ApacheCon Europe<<<                   http://www.apachecon.com/

http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
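The masking strategy Victor describes, simulated as an added example (this code is not from the thread or from any of its authors). The S-box is a seeded random permutation standing in for a real one, the "power traces" are Hamming weights of intermediate values plus Gaussian noise, and the key, trace count and noise level are constructed for the demonstration. Each execution draws a fresh random mask m, i.e. picks one of 256 isomorphic ways to compute S[x ^ key]; the device then only ever touches m and values XORed with m. The script mounts a correlation attack three times: on the unmasked intermediate (recovers the key), on the masked intermediate alone (no key guess correlates), and on the centred product of the two masked observables (recovers the key again, because the combination of both shares is an observable that still carries key/data correlation).

```python
"""Simulated side-channel leakage of a key-dependent S-box lookup, with and
without Boolean masking (constructed example; not code from the mailing list)."""
import math
import random

N_TRACES = 2000      # simulated executions per experiment (constructed)
NOISE_SIGMA = 0.5    # std-dev of additive noise on each leakage sample (constructed)

# Toy 8-bit S-box: a seeded random permutation stands in for a real S-box.
_rng = random.Random(2005)
SBOX = list(range(256))
_rng.shuffle(SBOX)


def hw(v):
    """Hamming weight, the usual leakage model for a value on a register/bus."""
    return bin(v).count("1")


def leak(value, rng):
    """One noisy leakage sample for an intermediate value."""
    return hw(value) + rng.gauss(0.0, NOISE_SIGMA)


def unmasked_traces(key, rng):
    """Plain implementation: the observable is the real intermediate S[x ^ key]."""
    traces = []
    for _ in range(N_TRACES):
        x = rng.randrange(256)
        traces.append((x, [leak(SBOX[x ^ key], rng)]))
    return traces


def masked_traces(key, rng):
    """Boolean masking with a fresh mask per execution. The masked table
    T[u] = S[u ^ m] ^ m is recomputed for each m (a data-independent loop), then
    applied to the masked input u = x ^ key ^ m, so S[x ^ key] itself is never
    materialised. Observables recorded: the mask m and the masked output v."""
    traces = []
    for _ in range(N_TRACES):
        x = rng.randrange(256)
        m = rng.randrange(256)
        table = [SBOX[i ^ m] ^ m for i in range(256)]
        v = table[x ^ key ^ m]          # equals SBOX[x ^ key] ^ m
        traces.append((x, [leak(m, rng), leak(v, rng)]))
    return traces


def pearson(a, b):
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((p - ma) * (q - mb) for p, q in zip(a, b))
    va = sum((p - ma) ** 2 for p in a)
    vb = sum((q - mb) ** 2 for q in b)
    return cov / math.sqrt(va * vb) if va and vb else 0.0


def cpa(traces, combine):
    """Correlation power analysis: for every key guess, correlate the hypothesis
    HW(S[x ^ guess]) with the observable `combine` extracts from each trace.
    Returns (best_guess, best_abs_correlation)."""
    xs = [x for x, _ in traces]
    obs = [combine(samples) for _, samples in traces]
    best_guess, best_rho = None, -1.0
    for guess in range(256):
        model = [hw(SBOX[x ^ guess]) for x in xs]
        rho = abs(pearson(model, obs))
        if rho > best_rho:
            best_guess, best_rho = guess, rho
    return best_guess, best_rho


def centered_product(traces):
    """Second-order preprocessing: the product of the two mean-centred observables
    (mask leak and masked-output leak) has expectation 2 - HW(S[x ^ key]) / 2,
    so it correlates with the same hypothesis the first-order attack used."""
    m0 = sum(s[0] for _, s in traces) / len(traces)
    m1 = sum(s[1] for _, s in traces) / len(traces)
    return lambda s: (s[0] - m0) * (s[1] - m1)


def run_demo(key=0x3C, seed=1):
    """Run all three attacks against a constructed key; returns their results."""
    rng = random.Random(seed)
    plain = unmasked_traces(key, rng)
    masked = masked_traces(key, rng)
    return {
        "key": key,
        "unmasked_1st": cpa(plain, lambda s: s[0]),
        "masked_1st": cpa(masked, lambda s: s[1]),
        "masked_2nd": cpa(masked, centered_product(masked)),
    }


if __name__ == "__main__":
    r = run_demo()
    for name in ("unmasked_1st", "masked_1st", "masked_2nd"):
        g, rho = r[name]
        print(f"{name:12s} best guess 0x{g:02x} (true 0x{r['key']:02x})  |rho| = {rho:.3f}")
```

The first-order result on the masked trace is flat across all 256 guesses because v = S[x ^ key] ^ m is uniformly distributed and independent of x when m is fresh and uniform. The second-order result shows what "all observables" has to mean in practice: if an attacker can see both shares (or one sample that depends on both), their combination is itself an observable that the masking did not decorrelate, and higher-order masking or share-separation is needed to push the attack up another order.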
