[noise] Heresy: PSK-only Noise
Rhys Weatherley
rhys.weatherley at gmail.com
Thu Jun 7 23:46:06 PDT 2018
On Fri, Jun 8, 2018 at 3:14 PM, Tony Arcieri <bascule at gmail.com> wrote:
> On Thu, Jun 7, 2018 at 12:26 PM Rhys Weatherley <rhys.weatherley at gmail.com>
> wrote:
>
>> In the low-end space, it is common for devices to lack sufficient memory
>> or CPU resources to implement DH functions like Curve25519. Symmetric
>> crypto and PSKs are fine, but DH is too resource-intensive. ARM devices
>> can usually handle it, but AVR devices cannot.
>>
>
> There are AVR-optimized implementations of X25519:
>
> https://eprint.iacr.org/2015/343.pdf
>
Which are still borderline for practical use. From the paper: 13900397
cycles. At the typical AVR Arduino CPU speed of 16 MHz, one curve
operation takes 0.869s.

XX requires 4 curve operations (assuming that the local static key pair is
precomputed). 3.476s at least to complete the handshake. IK is 5 curve
operations in 4.345s. NN has better performance with 2 curve operations =
1.738s, but now there's no identity checking.

And we haven't even mentioned memory usage: every byte of flash and RAM is
one less byte for the device to perform its core function that the user
wishes to secure.

Possible? Yes. Practical? Maybe not. I have enough trouble convincing
the newbies to use AEAD instead of ECB (yes, ECB!). An extra 2s to 5s for
the security of Diffie-Hellman is a tough ask.
Cheers,
Rhys.
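The per-pattern curve-operation counts above, as an added example that is not part of the thread: a small Python script that tallies the curve operations each party performs from the Noise handshake-pattern tokens (one base-point multiplication per `e` a party sends, one scalar multiplication for each party per DH token, static key pairs assumed precomputed as in the mail) and converts them to seconds using the 13900397-cycle X25519 figure at 16 MHz. The pattern strings, constants and function names are my own, not from the thread or the Noise reference code.

```python
# Added example (not from the mailing-list thread). Counts elliptic-curve
# operations per party for a Noise handshake pattern and turns them into
# wall-clock time using the AVR X25519 cycle count quoted in the thread
# (13900397 cycles, eprint 2015/343) at a 16 MHz AVR clock.

AVR_X25519_CYCLES = 13_900_397   # one scalar multiplication, from the paper
AVR_CLOCK_HZ = 16_000_000        # typical Arduino AVR clock

# Handshake messages as written in the Noise spec, pre-messages omitted
# because they involve no computation. Tokens: e/s transmit a public key,
# ee/es/se/ss perform a Diffie-Hellman.
PATTERNS = {
    "NN": ["-> e", "<- e, ee"],
    "XX": ["-> e", "<- e, ee, s, es", "-> s, se"],
    "IK": ["-> e, es, s, ss", "<- e, ee, se"],
}
DH_TOKENS = {"ee", "es", "se", "ss"}


def curve_ops_per_party(messages):
    """Return (initiator_ops, responder_ops) for one handshake.

    Sending 'e' costs the sender one base-point multiplication (ephemeral
    key generation). Every DH token costs BOTH parties one scalar
    multiplication: the sender needs the shared secret to encrypt the rest
    of the message, the receiver needs it to decrypt. 's' is free because
    static key pairs are assumed to be precomputed (the thread's assumption).
    """
    ops = {"->": 0, "<-": 0}
    for msg in messages:
        direction, _, tokens = msg.partition(" ")
        for tok in tokens.replace(",", " ").split():
            if tok == "e":
                ops[direction] += 1
            elif tok in DH_TOKENS:
                ops["->"] += 1
                ops["<-"] += 1
            elif tok != "s":
                raise ValueError(f"unknown handshake token {tok!r}")
    return ops["->"], ops["<-"]


def handshake_seconds(ops, cycles=AVR_X25519_CYCLES, hz=AVR_CLOCK_HZ):
    """Seconds one device spends on `ops` sequential curve operations."""
    return ops * cycles / hz


def latency_table():
    """Map pattern name -> (initiator curve ops, seconds of curve math)."""
    return {name: (curve_ops_per_party(msgs)[0],
                   handshake_seconds(curve_ops_per_party(msgs)[0]))
            for name, msgs in PATTERNS.items()}
```

The figures exclude network round trips and symmetric work, so they are a lower bound on handshake time, which is the point the thread makes.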