"Steven M. Bellovin" <s...@cs.columbia.edu> writes: > On 31 Aug 2016, at 10:17, Derek Atkins wrote: > >> "Steven M. Bellovin" <s...@cs.columbia.edu> writes: >> >>> Yes. To a large extent, the "IoT devices are too puny for real >>> crypto" is a hangover from several years ago. It was once true; for >>> the most part, it isn't today, but people haven't flushed their cache >>> from the old received wisdom. >> >> This is certainly true for AES, mostly because many small chips are >> including AES accelerators in hardware. It's not quite true for public >> key solutions; there are still very small devices where even ECC takes >> too long (and yes, there are cases where 200-400ms is still too long). >> > Certainly plausible. What I'm saying is (a) don't assert, measure; and > (b) measure again next year because tech keeps improving. > > As for your specific points: if AES is indeed feasible, we don't need > new ciphers.
It is feasible in many cases. It may not be feasible in all cases. > If elliptic curve is too slow, the only answer is architectures > that don't use public key at all; we're not going to find new, cheaper > public key algorithms without a *lot* of effort and the people who can > do that sort of thing are too busy working on post-quantum crypto. Nothing says these two aren't the same problem ;) > The remaining approach is a cheaper protocol than TLS. That shouldn't > be hard at all, especially if we're going back to KDCs. True. > --Steve Bellovin, https://www.cs.columbia.edu/~smb -derek -- Derek Atkins 617-623-3745 de...@ihtfp.com www.ihtfp.com Computer and Internet Security Consultant _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
