[Cryptech Core] auto-zeroise and complex use cases

Rob Austein sra at hactrn.net
Thu Dec 13 14:43:13 UTC 2018


On Thu, 13 Dec 2018 05:07:18 -0500, Joachim Strömbergson wrote:
...
> After implementing the auto-zeroise functionality in keywrap, I started
> thinking that it would be better to move the functionality into the AES
> core itself. keywrap would be simpler, and other AES use cases would
> benefit automatically.
> 
> However Rob stated that he saw problems with this, that there might be
> complex use cases for which the auto-zeroise could be a problem. I've
> tried to come up with use cases where this would be a problem. Things
> like use cases where new AES operations are done rarely over long spans
> of time (many seconds to minutes, hours). But since the timeout can be
> set by SW and that SW can keep the loaded key alive indefinitely by
> periodically checking status, this type of use case should be possible
> to support also.
> 
> So, Rob, can you explain what problems you saw and for which use cases?

Um, what I think I said was that I'm sure we want auto-zeroing when
using the keywrap core, but that I'm not sure we've thought through
other uses of the AES core well enough to really know yet whether this
is a good idea in the general case.  I also explicitly stated that this
was an initial gut reaction rather than a considered opinion.

We haven't yet done anything with even the simple non-ECB modes, much
less complex ones like GCM or CCM.  Auto-zeroing is *probably*
harmless in such modes, but once we start talking about doing these
modes in Verilog I suspect things might get complex, at which point we
might wish that the AES core itself was just the simplest possible
building block.

At some level it feels like auto-zeroing is something that belongs on
the user-interface edge of a core, not deep in the guts of a core used
as one component of more complex cores.  That's really more your field
of expertise than mine, so I'll defer if you're sure this will always
be harmless, but I would like folks to at least think about it a bit
before rushing to a decision that doesn't need to be made in haste.
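
A constructed Python model, added here and not Cryptech's Verilog or any project code, of the two placements under discussion: an idle-timeout auto-zeroise buried inside the AES core versus a zeroise policy applied at the edge of a composite mode core, plus the status-polling keep-alive described in the quoted message. The names AesCore, cbc_stream and poll_keep_alive, the cycle counts, the rule that a status read resets the idle counter, and the keyed hash used as a stand-in block function are all assumptions of this model.

```python
import hashlib
from typing import List, Optional, Tuple

class AesCore:
    """Toy block-cipher core with an optional idle-timeout auto-zeroise.
    timeout=None models the 'simplest possible building block' with no timer."""
    def __init__(self, timeout: Optional[int]):
        self.timeout, self.key, self.idle = timeout, None, 0

    def load_key(self, key: bytes) -> None:
        self.key, self.idle = key, 0

    def status(self) -> bool:
        self.idle = 0              # assumed: a status read resets the idle counter
        return self.key is not None

    def tick(self, cycles: int) -> None:
        self.idle += cycles
        if self.timeout is not None and self.idle >= self.timeout:
            self.key = None        # auto-zeroise: hardware clears the key register

    def encrypt_block(self, block: bytes) -> bytes:
        if self.key is None:
            raise RuntimeError("key register has been zeroised")
        self.idle = 0
        return hashlib.sha256(self.key + block).digest()[:16]  # keyed placeholder, not AES

def cbc_stream(core: AesCore, key: bytes, blocks: List[bytes], gaps: List[int],
               zeroise_at_edge: bool) -> Tuple[str, object]:
    """Composite mode core built on AesCore: CBC-style chaining where block i only
    arrives after gaps[i] idle cycles.  The wrapper knows nothing about a timer
    buried in AesCore, so a long gap can zeroise the key mid-message."""
    core.load_key(key)
    prev, out = bytes(16), []
    for i, (block, gap) in enumerate(zip(blocks, gaps)):
        core.tick(gap)
        try:
            prev = core.encrypt_block(bytes(a ^ b for a, b in zip(block, prev)))
        except RuntimeError:
            return ("zeroised_mid_stream", i)
        out.append(prev)
    if zeroise_at_edge:
        core.key = None            # policy applied at the composite core's edge, after the whole op
    return ("ok", out)

def poll_keep_alive(core: AesCore, total_cycles: int, poll_every: int) -> bool:
    """Software keeping a loaded key alive by checking status inside the timeout."""
    for _ in range(total_cycles // poll_every):
        core.tick(poll_every)
        core.status()
    return core.status()
```

With the timer inside the core, a gap longer than the timeout between blocks of one CBC message zeroises the key part-way through; with the policy at the wrapper's edge the same stream completes and the key is still cleared afterwards.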

