[Cryptography] Gates are cheap. Should cipher design change?

Tony Arcieri bascule at gmail.com
Mon Mar 28 21:01:49 EDT 2016


On Mon, Mar 28, 2016 at 8:00 AM, Phillip Hallam-Baker <phill at hallambaker.com> wrote:

> Today we have a very different situation. AES has found its way into
> many crypto suites as a set of instructions for executing a round. And
> that is to be expected in an era where one of the chief problems of CPU
> design is to find a useful way to spend the available gates.
>
> So now we have a cipher designed for efficient software implementation
> being migrated into the hardware. Which sounds like a big deal except
> that what is really happening is that the software has moved from
> executable code to microcode.


Did you just make the claim:

"So now we have a cipher designed for efficient software implementation
being migrated into the hardware."

...about AES?

This is patently untrue: AES was designed for efficient hardware
implementations, and implementing it *correctly* in software is incredibly
difficult:

https://cr.yp.to/mac/variability1.html

By contrast, other AES candidates like Serpent were designed with
techniques like bitslicing in mind, making them more amenable to software
implementations.

-- 
Tony Arcieri
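As an added illustration of the point above (not code from the thread or its authors): the AES S-box is built from its definition, then looked up two ways. Direct indexing reads memory at a secret-dependent address, which is the cache-timing variability the linked page discusses; the masked scan touches the same addresses on every call. The 64-byte cache line size is an assumption.

```python
# Added example: AES S-box from its definition, with a leaky and a
# constant-access-pattern lookup. Python itself gives no timing guarantees;
# the point is the memory-access pattern a C implementation would have.

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p & 0xFF

def gf_inv(a: int) -> int:
    """Multiplicative inverse as a^254 (0 maps to 0, as AES specifies)."""
    result = 1
    for _ in range(254):
        result = gf_mul(result, a)
    return result

def build_sbox() -> list:
    """S-box = affine transform of the field inverse (FIPS-197, 5.1.1)."""
    table = []
    for x in range(256):
        inv = gf_inv(x)
        s = inv
        for shift in range(1, 5):
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        table.append(s ^ 0x63)
    return table

SBOX = build_sbox()

def sbox_leaky(x: int) -> int:
    """Typical table lookup: the address read depends on the secret byte x."""
    return SBOX[x]

def cache_line_touched(x: int, line_bytes: int = 64) -> int:
    """Assumed 64-byte lines: the line index is a function of the secret."""
    return x // line_bytes

def sbox_ct(x: int) -> int:
    """Read every entry and select the wanted one with an arithmetic mask."""
    result = 0
    for i, v in enumerate(SBOX):
        mask = (((i ^ x) - 1) >> 8) & 0xFF   # 0xFF only when i == x
        result |= v & mask
    return result
```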