Re: [Cfrg] Side channel attack and Edwards curves...

Tony Arcieri <bascule@gmail.com> Wed, 05 July 2017 23:29 UTC

MIME-Version: 1.0
In-Reply-To: <CAMm+LwiKUJSOEZefABwwkF8H_p+_WTZNGzzrezjCncVZzLd_dA@mail.gmail.com>
References: <CAMm+LwiDbjq7nENzvqKGmsQnz=y49nBSVhU0boddtbz3dJAHfw@mail.gmail.com> <CAHOTMVLyB6+r6XX3z5ifi7Ey7Qpi1uiZDLsGREsWhgxjqotPxQ@mail.gmail.com> <CAMm+LwiKUJSOEZefABwwkF8H_p+_WTZNGzzrezjCncVZzLd_dA@mail.gmail.com>
From: Tony Arcieri <bascule@gmail.com>
Date: Wed, 05 Jul 2017 16:29:00 -0700
Message-ID: <CAHOTMVK8J5YRD0t516mn1twVq2d-z+h6smxYxL1EOW0yy_Xtzw@mail.gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="001a114bc35aa3949105539a5e5d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/Bt6ct3IziYJ_7byeREvb153wXzc>
Subject: Re: [Cfrg] Side channel attack and Edwards curves...
Precedence: list

On Wed, Jul 5, 2017 at 4:16 PM, Phillip Hallam-Baker <phill@hallambaker.com>
wrote:

> You can blind in either. But if you are going to blind then a lot of the
> advantages of Montgomery start to collapse. because you have to do that add
> stage.
>

Ephemeral Montgomery keys, of the sort used by TLS ECDHE, are another
example of a use case which (if proper deployment procedures are followed)
shouldn't be vulnerable to this sort of attack.

I would agree that for long-term static keys, for this and other reasons
perhaps Edwards would be preferable.

-- 
Tony Arcieri

[Cfrg] Side channel attack and Edwards curves... Phillip Hallam-Baker
Re: [Cfrg] Side channel attack and Edwards curves… Taylor R Campbell
Re: [Cfrg] Side channel attack and Edwards curves… Tony Arcieri
Re: [Cfrg] Side channel attack and Edwards curves… Phillip Hallam-Baker
Re: [Cfrg] Side channel attack and Edwards curves… Phillip Hallam-Baker
Re: [Cfrg] Side channel attack and Edwards curves… Tony Arcieri
Re: [Cfrg] Side channel attack and Edwards curves… Tony Arcieri
Re: [Cfrg] Side channel attack and Edwards curves… Samuel Neves
Re: [Cfrg] Side channel attack and Edwards curves… David Jacobson
Re: [Cfrg] Side channel attack and Edwards curves… Scott Fluhrer (sfluhrer)