<br><br>On Friday, September 11, 2015, Joachim Strömbergson <<a href="mailto:joachim@secworks.se">joachim@secworks.se</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br> Hash: SHA256<br> <br> Aloha!<br> <br> FYI: I stumbled upon some interesting EC-benchmarks on different ARM MCU<br> architectures (M0 -> M4). Some of them are basically the same as the one<br> we are targeting on the Alpha board (albeit with lower clock freq).<br> <br> <a href="https://www.ietf.org/proceedings/92/slides/slides-92-lwig-3.pdf" target="_blank">https://www.ietf.org/proceedings/92/slides/slides-92-lwig-3.pdf</a><br> <br></blockquote><div><br></div><div><br></div><div>Huh, so I haven't thought this through fully, but if we have the same performance in the CPU, perhaps it makes sense to do some of the operations there *as well*, and compare the results? I'm thinking things that don't touch secret keys, and we compare the outputs of the FPGA and CPU, and this all sorts of alerts if they differ. This may help counter fault injection attacks and help provide additional faith in our implementation as well...</div><div><br></div><div>Or, the added complexity may make things much more fragile and this may be a bad idea... </div><div>?</div><div>W<span></span></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> There some weirdness in the preso. The performance from the same SW as<br> measuered on the same architecture (but chips from different chips)<br> differs closer to 2x with the difference in clock speed. But there are<br> quite a lot of good stuff in the preso.<br> <br> And yes, Curve25519 is waay faster. The Donna implementation is what<br> I've used on a Cortex-M0.<br> - --<br> Med vänlig hälsning, Yours<br> <br> Joachim Strömbergson - Alltid i harmonisk svängning.<br> ========================================================================<br> Joachim Strömbergson Secworks AB <a href="javascript:;" onclick="_e(event, 'cvml', 'joachim@secworks.se')">joachim@secworks.se</a><br> ========================================================================<br> -----BEGIN PGP SIGNATURE-----<br> Version: GnuPG/MacGPG2 v2<br> Comment: GPGTools - <a href="http://gpgtools.org" target="_blank">http://gpgtools.org</a><br> Comment: Using GnuPG with Mozilla - <a href="http://enigmail.mozdev.org/" target="_blank">http://enigmail.mozdev.org/</a><br> <br> iQIcBAEBCAAGBQJV8n+7AAoJEF3cfFQkIuyNxpYP/j7vWaa4YaVjdr3VQ3UazmDq<br> k2+PplFoJ+f8Wuhkli+7EnmK85fcMWs7WaDZW4JvaM8ewSPB+54M3Xo4v+Mmmu1k<br> HBYJDgG78jgAcDJCZB8JC5NLPDHcYis6aOWHCzyfLAOqlJqWgCoiedJE1YH782Ra<br> 3j8OWkr3JDEUya9CkRTG3CR4iS5eTCrFyfUpHG8TYiwMD88c8uAOVc5kDMTrw/rX<br> Se1X6eV4yU4ApRWcDOKBR7pJNmZEXPC5pA9h9Pe1nwRa00IcDJ+CaQHdpbfGmzvw<br> phxT1ORs0eHbtaB1f49LyjnmHlAH9QkwRNmZ40gTmQ14g3EryqwUYegHSJ+w9yVS<br> Xfu44oejydgXG+pXMk5gafQJM23PPcXKk1BRSt9fGfhUPEW/VG3gIOcHhV68jzan<br> OpvR6bQfDCdV1ZlDqrglufvMKEBi/Ym+yEc6VxqRicQQvc30JTEZxbf2upvx2Lgu<br> D/GjfDjPu/pDFzEv9jjZSBx999N7/MVi0FLsnWKN0ccQwltthjPayD+rkt0b7593<br> /MWdHv8refUN59rTKwQL/xh0S3MqxikMqpWGr0nW/1HFHnvhod8SP3gehSriOJ+i<br> 0d/WpvTMd12WJ/CbNLy2bBB6AkeNsGljYbXSYcC+AoIXGuzXF8XV6CyEhajRr/is<br> iCMEIcX7++jJS/169APo<br> =DnJA<br> -----END PGP SIGNATURE-----<br> _______________________________________________<br> Tech mailing list<br> <a href="javascript:;" onclick="_e(event, 'cvml', 'Tech@cryptech.is')">Tech@cryptech.is</a><br> <a href="https://lists.cryptech.is/listinfo/tech" target="_blank">https://lists.cryptech.is/listinfo/tech</a><br> </blockquote><br><br>-- <br>I don't think the execution is relevant when it was obviously a bad idea in the first place.<br>This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.<br> ---maf<br>