[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Crypto hardware summary
[A summary of my points on crypto hardware follows my response
to Norm.]
Norm Hardy writes:
>What key length are you using that takes 3.2 sec?
>The DSP can operate concurrently with other processing, giving an
>improvement greater than 3.2/1.9.
I'm aware of this -- I was using Tim's pessimistic estimate
of improvement... to make it clearer for those who didn't read
his post, I should have said, "Even if the reduction is only from
3.2 seconds to 1.9 seconds, it would be significant for someone
running a server." I'm aware that with DSPs you can get rather
better results; an ASIC will get you another order of magnitude
over DSPs (assuming equivalent price -- the Moto 96K DSP is a real
gem for bignum math but is many times more expensive than an
equally effective ASIC. They were also having serious availability
problems last year...)
Here is a summary of my points on this subject to date, for those
who haven't been following this discussion:
o Using coprocessors of any sort to achieve speed in cryptography
operations is probably not justified for end users; it is almost
always justified for servers with a high volume of transactions
requiring public key authentication or encryption.
o DSPs are not really as attractive as general purpose CPUs for
accelerating cryptography for high-volume servers. Although DSP
architecture is somewhat more conducive to bignum math, the benefits
seem to be offset by the wide availability of standard CPUs and
tools for programming them. If a large increase in speed is desired
without resorting to single-purpose hardware, I recommend using
a large number of standard CPUs as coprocessors, rather than an
equivalent approach with DSPs. (The fact that uint multiplies
on a 486 take multiple clock cycles is offset by the higher
internal clock speeds and lower cost of the 486. You can point out
super-fast DPSs, and I can point out their super-large price tags,
more expensive tools, and substantially more expensive programmers.)
o The real way to go for speed is ASICs, which give you much better
bang for the buck, although they have disadvantages, including
problems of export, inflexibility, etc. My favorite RSA chip board
so far is from Uti-Maco in Belgium, which is a tamper-resistant
add-in card with a 8086-compatible controller and a custom BIOS
for doing RSA and DES operations in h/w, which allows s/w to be
developed using standard tools. (I have ranted at length about the
complications involved with _Beligan_ crypto export controls,
which seem to stem from NATO pressure and US desire to balkanize
the market for cryptography products.)
o People doing valuable transactions on servers are going to want
tamper resistance and hardware-key security. This is more important
in some cases than speed, although speed is also very important.
o People running cryptography-based transaction clients on their PCs are
going to learn, one way or another, that having valuable secret keys
on their hard disks is not a great idea. This, not speed, is the
primary motivation for consumer-oriented cryptography hardware.
People want their keys and financial transactions on secure, removable,
non-mechanical media. Products that provide this are just starting
to come on the market, notably from National Semiconductor and
Telequip.
o End-user software will need to be written to allow, but not require,
external cryptography devices. Consequently, consumer software that
performs valuable transactions still needs to be written in an
extremely paranoid fashion with respect to the reliability and
security of the underlying hardware.