[Top] [All Lists]

Re: Next Steps

2007-11-07 07:59:56

Derek Atkins wrote:
nagydani(_at_)epointsystem(_dot_)org (Daniel A. Nagy) writes:

No, it is not. A single block operation takes almost half a second on
NOKIA 3410, which means that encrypting a simple text message takes seconds,
which is not nice from a user experience PoV.

Huh!  Are you sure you're using an AES implementation that's optimized
for your platform?  You can get an order-of-magnitude improvement by
optimizing the code (or running an assembler version).  Obviously there
are time/space tradeoffs to be made as well, but I find it hard to
believe that it takes 500ms for a single block operation even in an
optimized implementation.

Dani probably knows what he is doing. The mobile phone is a particularly difficult device, and unlike ordinary PC platforms, performance is a very big issue.

Also, the security model is somewhat different to the normal OpenPGP world. Dani's security model is more about transactional security and less about being able to crack the encryption. OpenPGP's security model derives from the 80s and early 90s when every radical in the world was fighting governments with acres of cryptocrunching big iron. Quite different worlds and quite different viewpoints.

(OK, I might know a little more than said here because I've talked to Dani at times about it, and there are lots of "gotchas". From my understanding of payment systems and the like, he doesn't need to guarantee 100% that the message is unreadable, because there are too many other end-node threats for that to be valuable.)

That said, it is a good question for the OpenPGP community: do we accept a weaker algorithm for edge cases? The answer is historically, "maybe," IMHO. We, as a community, have not moved aggressively in the past to repair every weakness, which indicates that our world of users is dominated by "good enough" not "perfect".

Long discussion....