Crypto hardware summary

Sun Oct 1 18:54:35 PDT 1995

[A summary of my points on crypto hardware follows my response
to Norm.]

Norm Hardy writes:
>What key length are you using that takes 3.2 sec?
>The DSP can operate concurrently with other processing, giving an
>improvement greater than 3.2/1.9.

I'm aware of this -- I was using Tim's pessimistic estimate
of improvement... to make it clearer for those who didn't read
his post, I should have said, "Even if the reduction is only from
3.2 seconds to 1.9 seconds, it would be significant for someone
running a server." I'm aware that with  DSPs you can get rather
better results; an ASIC will get you another order of magnitude
over DSPs (assuming equivalent price -- the Moto 96K DSP is a real
gem for bignum math but is many times more expensive than an
equally effective ASIC. They were also having serious availability
problems last year...)

Here is a summary of my points on this subject to date, for those
who haven't been following this discussion:

  o Using coprocessors of any sort to achieve speed in cryptography
    operations is probably not justified for end users; it is almost
    always justified for servers with a high volume of transactions
    requiring public key authentication or encryption.

  o DSPs are not really as attractive as general purpose CPUs for
    accelerating cryptography for high-volume servers. Although DSP
    architecture is somewhat more conducive to bignum math, the benefits
    seem to be offset by the wide availability of standard CPUs and
    tools for programming them. If a large increase in speed is desired
    without resorting to single-purpose hardware, I recommend using
    a large number of standard CPUs as coprocessors, rather than an
    equivalent approach with DSPs. (The fact that uint multiplies
    on a 486 take multiple clock cycles is offset by the higher
    internal clock speeds and lower cost of the 486. You can point out
    super-fast DPSs, and I can point out their super-large price tags,
    more expensive tools, and substantially more expensive programmers.)

  o The real way to go for speed is ASICs, which give you much better
    bang for the buck, although they have disadvantages, including
    problems of export, inflexibility, etc. My favorite RSA chip board
    so far is from Uti-Maco in Belgium, which is a tamper-resistant
    add-in card with a 8086-compatible controller and a custom BIOS
    for doing RSA and DES operations in h/w, which allows s/w to be
    developed using standard tools. (I have ranted at length about the
    complications involved with _Beligan_ crypto export controls,
    which seem to stem from NATO pressure and US desire to balkanize
    the market for cryptography products.)

  o People doing valuable transactions on servers are going to want
    tamper resistance and hardware-key security. This is more important
    in some cases than speed, although speed is also very important.

  o People running cryptography-based transaction clients on their PCs are
    going to learn, one way or another, that having valuable secret keys
    on their hard disks is not a great idea. This, not speed, is the
    primary motivation for consumer-oriented cryptography hardware.
    People want their keys and financial transactions on secure, removable,
    non-mechanical media. Products that provide this are just starting
    to come on the market, notably from National Semiconductor and
    Telequip.

  o End-user software will need to be written to allow, but not require,
    external cryptography devices. Consequently, consumer software that
    performs valuable transactions still needs to be written in an
    extremely paranoid fashion with respect to the reliability and
    security of the underlying hardware.