Optimisation Considered Harmful
Ben Laurie
ben at algroup.co.uk
Fri Jun 24 05:00:55 EDT 2005
Victor Duchovni wrote:
> On Thu, Jun 23, 2005 at 07:36:38AM -0400, Jerrold Leichter wrote:
>
>
>> - Develop algorithms that offer reasonable performance even if
>> implemented in "unoptimized" ways. This will be difficult
>> to maintain in the face of ever-increasing hardware
>> optimizations that you can't just turn off by "not using -O".
>>
>> - Live with less performance and hope that raw hardware speeds will
>> catch up.
>>
>> - Use specialized hardware, designed not to leak side-channel
>> information.
>>
>> - ?
>
>
> - Find reasonably efficient masking strategies, that assume
> that side-channel attacks are here to stay, and randomly choose
> one of many isomorphic ways to perform the computation. The
> masking would have to eliminate key/data correlation from all
> "observables" other than the final output.
If it does that, why do you want to choose one of many? Surely a single
one will do?
--
>>>ApacheCon Europe<<< http://www.apachecon.com/
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
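
Added example, not part of the original message or thread: the masking idea quoted above, illustrated with RSA base blinding, which is one well-known instance of it and an assumption here, since the thread names no particular algorithm. The toy key, function names and sample messages are constructed for illustration.

```python
import math
import secrets

# Constructed toy RSA key (p=61, q=53); far too small for real use.
N, E, D = 3233, 17, 2753

def random_unit(n):
    """Return a random r in [2, n-1] that is invertible mod n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r

def sign_unblinded(m):
    # The secret exponentiation runs directly on the caller-known value m.
    return pow(m, D, N)

def sign_blinded(m, r=None):
    """Return (signature, blinded_base).

    blinded_base is the value the secret exponentiation actually processes.
    Each r selects one of many equivalent computations with the same output.
    Only the base is masked here; the exponent D is used unchanged.
    """
    r = random_unit(N) if r is None else r
    blinded = (m * pow(r, E, N)) % N        # mask the input
    s_blinded = pow(blinded, D, N)          # equals m^D * r mod N
    sig = (s_blinded * pow(r, -1, N)) % N   # remove the mask
    return sig, blinded

def blinded_base_set(m):
    """All values the blinded base can take for message m, over every unit r."""
    return {(m * pow(r, E, N)) % N for r in range(1, N) if math.gcd(r, N) == 1}

if __name__ == "__main__":
    m = 2790  # constructed sample message, coprime to N
    for _ in range(3):
        sig, base = sign_blinded(m)
        print(f"blinded base={base:4d}  signature={sig}")
    # For invertible messages the reachable bases are the same set, so the
    # base alone does not identify which message was processed.
    print(blinded_base_set(65) == blinded_base_set(2790))
```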
---------------------------------------------------------------------
The Cryptography Mailing List