[Cryptography] Best AES candidate broken by the way that

Krisztián Pintér pinterkr at gmail.com
Mon Jul 6 14:16:55 EDT 2015

David Johnston (at Monday, July 6, 2015, 7:23:39 PM):
> It seems that what is optimal for software speed of ECC is not optimal
> for side-channel mitigation in hardware ECC implementations. This is at
> the core of 'which curve to use' arguments I've been in recently.

most definitely. now that we understand the problem, good crypto
primitives are designed in a way that the naive implementation is the
safe implementation. or at least it is easy to get it right, and it
isn't a huge compromise. that is the design philosophy behind salsa,
curve25519 or keccak, among others.

but aes is old, and nobody had a clue about side channels back then.
pity many people in the field still don't know about them.
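As an added illustration of the design point above (an example written for this page, not code from the thread), a Salsa20 quarter-round beside a table-driven AES SubBytes and the masked full-table scan commonly used to remove its secret-dependent memory access; the Python only models the access pattern, since timing inside an interpreter is not the real concern.

```python
# Added illustration, not from the thread: naive ARX (Salsa20) vs table-driven AES SubBytes.
MASK32 = 0xFFFFFFFF

def rotl32(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def salsa20_quarterround(y0, y1, y2, y3):
    # Only add, rotate, xor: no branch and no memory address depends on the
    # secret words, so the obvious code already has no cache-timing leak.
    z1 = y1 ^ rotl32((y0 + y3) & MASK32, 7)
    z2 = y2 ^ rotl32((z1 + y0) & MASK32, 9)
    z3 = y3 ^ rotl32((z2 + z1) & MASK32, 13)
    z0 = y0 ^ rotl32((z3 + z2) & MASK32, 18)
    return z0, z1, z2, z3

def _gf_mul(a, b):
    # Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (AES field).
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p

def _sbox_entry(x):
    # Field inverse (0 maps to 0) followed by the AES affine transform.
    inv = next((b for b in range(256) if _gf_mul(x, b) == 1), 0)
    s = inv
    for i in range(1, 5):
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s ^ 0x63

AES_SBOX = [_sbox_entry(x) for x in range(256)]  # public table, built once

def subbytes_naive(state):
    # Textbook SubBytes: the address read depends on the secret byte (cache-timing leak).
    return bytes(AES_SBOX[b] for b in state)

def subbytes_ct(state):
    # Mitigation: read every entry for every byte and keep the wanted one
    # with a mask, so the access pattern is independent of the data.
    out = bytearray()
    for b in state:
        r = 0
        for i, v in enumerate(AES_SBOX):
            eq = (((i ^ b) - 1) >> 8) & 0xFF  # 0xFF only when i == b
            r |= v & eq
        out.append(r)
    return bytes(out)
```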

