[Cryptography] Best AES candidate broken by the way that

David Johnston dj at deadhat.com
Mon Jul 6 13:23:39 EDT 2015



On 7/5/15 1:19 PM, Krisztián Pintér wrote:
> to be fair, AES was intended to be implemented with lookup tables.
> granted, the original paper is a beautiful piece of math, but nobody
> ever envisioned those calculations to be ever implemented in any real
> life software. AES was created with the widespread implementation in
> mind.
>
> let's see this table:
>
>   nist p256 naive implementation      nist p256 timing resistant impl
>
>     AES literal implementation          AES intended implementation
>
> both algorithms have a modern, safe but slow implementation and a fast
> but vulnerable one. the fact that AES comes with a safe implementation,
> so you don't have to work it out, is nice and all, but bears very
> minor practical relevance.
>
It seems that what is optimal for software speed of ECC is not optimal 
for side-channel mitigation in hardware ECC implementations. This is at 
the core of 'which curve to use' arguments I've been in recently.
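The two AES S-box variants that Pintér's table contrasts, side by side, as an added example (not code from this thread or from either poster): sbox_ct() computes the S-box "literally" as the GF(2^8) inverse followed by the FIPS-197 affine map, using only masks, shifts and XORs with no data-dependent branch or memory index; sbox_lookup() is the table-driven form, where the secret byte is the address of the load. The function names are illustrative, and the table is filled from the arithmetic version at start-up rather than from a hand-typed constant, so the only difference between the two paths is how the result is reached.

```c
#include <stdint.h>
#include <stdio.h>

/* Branchless multiply in GF(2^8) modulo the AES polynomial
 * x^8 + x^4 + x^3 + x + 1 (0x11b). Every iteration does the same work
 * whatever the operand bits are: selection is done with masks, never
 * with a data-dependent branch or memory index. */
uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (int i = 0; i < 8; i++) {
        uint8_t take  = (uint8_t)-(uint8_t)((b >> i) & 1); /* 0x00 or 0xff */
        p ^= a & take;
        uint8_t carry = (uint8_t)-(uint8_t)(a >> 7);       /* 0x00 or 0xff */
        a = (uint8_t)((a << 1) ^ (0x1b & carry));          /* a *= x mod 0x11b */
    }
    return p;
}

/* Inverse as a^254 with a fixed addition chain (13 multiplies, always).
 * 0 maps to 0, which is what AES defines for the S-box. */
uint8_t gf_inv(uint8_t a) {
    uint8_t a2   = gf_mul(a, a);
    uint8_t a4   = gf_mul(a2, a2);
    uint8_t a8   = gf_mul(a4, a4);
    uint8_t a16  = gf_mul(a8, a8);
    uint8_t a32  = gf_mul(a16, a16);
    uint8_t a64  = gf_mul(a32, a32);
    uint8_t a128 = gf_mul(a64, a64);
    uint8_t r = gf_mul(a128, a64);   /* a^192 */
    r = gf_mul(r, a32);              /* a^224 */
    r = gf_mul(r, a16);              /* a^240 */
    r = gf_mul(r, a8);               /* a^248 */
    r = gf_mul(r, a4);               /* a^252 */
    return gf_mul(r, a2);            /* a^254 */
}

/* The "literal" S-box: field inverse followed by the FIPS-197 affine map
 * s = b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63.
 * Only register arithmetic; nothing here depends on x for its timing. */
uint8_t sbox_ct(uint8_t x) {
    uint8_t b = gf_inv(x);
    uint8_t rot = b, s = b;
    for (int i = 0; i < 4; i++) {
        rot = (uint8_t)((rot << 1) | (rot >> 7));
        s ^= rot;
    }
    return s ^ 0x63;
}

/* The "intended" S-box: one load from a 256-byte table. The address is
 * the secret byte itself, which is the exposure a cache-timing attacker
 * measures. The table is filled from sbox_ct() at start-up so this
 * example carries no hand-typed constants. */
static uint8_t sbox_table[256];

void sbox_table_init(void) {
    for (int i = 0; i < 256; i++)
        sbox_table[i] = sbox_ct((uint8_t)i);
}

uint8_t sbox_lookup(uint8_t x) {
    return sbox_table[x];          /* secret-indexed memory access */
}

/* Both routines compute the same function; they differ only in how the
 * result is reached. Returns 1 if they agree on every input byte. */
int sbox_variants_agree(void) {
    sbox_table_init();
    for (int i = 0; i < 256; i++)
        if (sbox_lookup((uint8_t)i) != sbox_ct((uint8_t)i))
            return 0;
    return 1;
}

int main(void) {
    /* FIPS-197 worked values: {57}*{83} = {c1}, {53}*{ca} = {01}, S(53) = ed */
    printf("57*83 = %02x, 53*ca = %02x, S(53) = %02x\n",
           gf_mul(0x57, 0x83), gf_mul(0x53, 0xca), sbox_ct(0x53));
    printf("table and arithmetic S-box agree: %s\n",
           sbox_variants_agree() ? "yes" : "no");
    return 0;
}
```

The cost difference is visible directly: sbox_lookup() is one load, sbox_ct() is 13 field multiplies of 8 masked steps each, which is the "safe but slow" side of the table. Two caveats a practitioner would check: the arithmetic path is only constant-time if the compiler keeps it branchless and does not rewrite the masks back into a conditional or a table, so the generated code has to be inspected; and fast constant-time AES in practice comes from bitsliced or vectorised implementations and from hardware instructions, not from this byte-at-a-time form.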



