[curves] Twist security for elliptic curves

Trevor Perrin trevp at trevp.net
Mon Jul 6 22:52:57 PDT 2015

On Mon, Jun 29, 2015 at 9:36 AM, Johannes Merkle
<johannes.merkle at secunet.com> wrote:
> Trevor Perrin wrote on 26.06.2015 at 01:35:
>> Are there cases where separate standards for asymmetric crypto for HW
>> vs SW was a good idea?
> I don't think there is (other) precedence for such a separation in the standards. Which doesn't mean that it isn't a
> good idea if the requirements differ considerably.

I'm not convinced yet that HW and SW requirements do differ considerably.

> Of course, in theory, hardware can also be optimized for special primes. However, it's one thing to implement a
> specialized multiplier as a prototype but a very different thing to develop this as a product. I talked about that
> with the guys from Infineon and NXP. They say that they have to maintain hardware implementations for general primes
> anyway, e.g. for RSA. Their implementations are not replaced with new versions but continuously evolving, going back to
> the very first implementations in the early 90s. For them, developing a new multiplier from scratch and maintaining it
> as a second product is a complete no-go as this would imply tremendous additional costs. You have to take into account
> that they have to certify their chips according to CC EAL4+ or higher which is a very lengthy and expensive process.
> (Additional certifications are required for the smart card operating system and crypto applications based on the chip.)
> Costs and resources for product management would also double.

OK, so some people won't implement special multipliers in HW.  For
25519 they wouldn't get the ~2x speedup due to special primes that
optimized implementations get.  If they use a particular blinding
countermeasure they'll take ~1.2x slowdown due to larger blinding
factor, but won't that be balanced out by the faster Edwards curve

Assuming so, then even with a generic multiplier Curve25519 is going
to be about the same speed as Brainpool curves (and perhaps faster
than P-256?  What size blinding factor does P-256 need?).

I guess you'd rather have a different curve that's ~1.2x faster on
this existing HW without the opportunity for 2x optimization
elsewhere?  That seems like trading off a large benefit for a much
smaller one, and not worth multiplying standards for.

