[Cryptography] Gates are cheap. Should cipher design change?
Tony Arcieri
bascule at gmail.com
Mon Mar 28 21:01:49 EDT 2016
On Mon, Mar 28, 2016 at 8:00 AM, Phillip Hallam-Baker <phill at hallambaker.com> wrote:
> Today we have a very different situation. AES has found its way into
> many crypto suites as a set of instructions for executing a round. And
> that is to be expected in an era where one of the chief problems of CPU
> design is to find a useful way to spend the available gates.
>
> So now we have a cipher designed for efficient software implementation
> being migrated into the hardware. Which sounds like a big deal except
> that what is really happening is that the software has moved from
> executable code to microcode.
Did you just make the claim:
"So now we have a cipher designed for efficient software implementation
being migrated into the hardware."
...about AES?
This is patently untrue: AES was designed for efficient hardware
implementations, and implementing it *correctly* in software is incredibly
difficult:
https://cr.yp.to/mac/variability1.html
By contrast, other AES candidates like Serpent were designed with
techniques like bitslicing in mind, making them more amenable to software
implementations.
--
Tony Arcieri
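As an added illustration of the point made in this post (not code from the thread or from any AES library): the AES S-box computed two ways. The table version indexes memory with the secret byte, which is the kind of cache-timing variability the linked page is about; the arithmetic version uses only constant-time GF(2^8) operations, the approach bitslice-friendly designs make natural. The function names are mine.

```c
#include <stdint.h>
#include <stddef.h>

/* Constant-time multiply in GF(2^8) modulo x^8+x^4+x^3+x+1 (the AES field).
 * Neither branches nor memory addresses depend on a or b. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t r = 0;
    for (int i = 0; i < 8; i++) {
        uint8_t take = (uint8_t)(0u - ((b >> i) & 1u));   /* 0xff or 0x00 */
        r ^= a & take;
        uint8_t carry = (uint8_t)(0u - (a >> 7));          /* 0xff if a overflows */
        a = (uint8_t)((a << 1) ^ (0x1b & carry));
    }
    return r;
}

/* a^254 = a^-1 in GF(2^8); maps 0 to 0 as AES requires. The exponent is fixed,
 * so the multiply sequence is identical for every input. */
static uint8_t gf_inv(uint8_t a) {
    uint8_t r = a;                       /* a^1 */
    for (int i = 0; i < 6; i++)
        r = gf_mul(gf_mul(r, r), a);     /* exponent e -> 2e+1: 3,7,15,31,63,127 */
    return gf_mul(r, r);                 /* a^254 */
}

/* AES S-box by arithmetic: field inverse followed by the FIPS-197 affine map. */
uint8_t aes_sbox_ct(uint8_t x) {
    uint8_t b = gf_inv(x);
    uint8_t s = b;
    for (int i = 1; i <= 4; i++)
        s ^= (uint8_t)((b << i) | (b >> (8 - i)));   /* rotate-left by i bits */
    return (uint8_t)(s ^ 0x63);
}

/* The usual fast software approach: a lookup table indexed by the secret byte.
 * Same output, but the cache line touched depends on x, which is what
 * cache-timing attacks observe. Table filled from the arithmetic version. */
static uint8_t SBOX_TABLE[256];
uint8_t aes_sbox_table(uint8_t x) {
    if (SBOX_TABLE[0] == 0)              /* lazy init; S(0) = 0x63, never 0 */
        for (size_t i = 0; i < 256; i++) SBOX_TABLE[i] = aes_sbox_ct((uint8_t)i);
    return SBOX_TABLE[x];
}

/* Sanity check: both paths agree on every input byte. Returns 1 on success. */
int sbox_paths_agree(void) {
    for (size_t i = 0; i < 256; i++)
        if (aes_sbox_table((uint8_t)i) != aes_sbox_ct((uint8_t)i)) return 0;
    return 1;
}
```

A real constant-time AES needs the same treatment for every byte-dependent step (MixColumns, key schedule), which is why bitsliced implementations process several blocks in parallel to recover the speed the table lookups gave up.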