Re: [TLS] Twist security for brainpoolp256r1

Oleg Gryb <oleg_gryb@yahoo.com> Sat, 15 November 2014 19:14 UTC

Date: Sat, 15 Nov 2014 19:14:37 +0000
From: Oleg Gryb <oleg_gryb@yahoo.com>
To: Alyssa Rowan <akr@akr.io>, Manuel Pégourié-Gonnard <mpg@polarssl.org>, Johannes Merkle <johannes.merkle@secunet.com>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <1583016284.927983.1416078877960.JavaMail.yahoo@jws10686.mail.bf1.yahoo.com>
In-Reply-To: <1034833904.885136.1416069040217.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com>
References: <1034833904.885136.1416069040217.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/-7wUo7nVU06P2ezlxrveOnQJDRY
Subject: Re: [TLS] Twist security for brainpoolp256r1
Reply-To: Oleg Gryb <oleg@gryb.info>

----- Original Message -----
> From: Oleg Gryb <oleg_gryb@yahoo.com>
> To: Alyssa Rowan <akr@akr.io>; Oleg Gryb <oleg@gryb.info>; Manuel Pégourié-Gonnard <mpg@polarssl.org>; Johannes Merkle <johannes.merkle@secunet.com>; "tls@ietf.org" <tls@ietf.org>
> Cc: 
> Sent: Saturday, November 15, 2014 8:30 AM
> Subject: Re: [TLS] Twist security for brainpoolp256r1
> 
> ----- Original Message -----
>>  From: Alyssa Rowan <akr@akr.io>
>>  To: Oleg Gryb <oleg@gryb.info>; Oleg Gryb <oleg_gryb@yahoo.com>; Manuel Pégourié-Gonnard <mpg@polarssl.org>; Johannes Merkle <johannes.merkle@secunet.com>; "tls@ietf.org" <tls@ietf.org>
>>  Cc: 
>>  Sent: Saturday, November 15, 2014 12:50 AM
>>  Subject: Re: [TLS] Twist security for brainpoolp256r1
> 
>> 
>>  No, you just don't have the optimisation turned on: that's using the
>>  old unoptimised generic prime routine.
>> 
>>  If you're on 1.0.1, Configure/make depend/make it with flag
>>  enable-ec_nistp_64_gcc_128 (if you're on x86-64) to use the agl/Emilia
>>  Kasper optimised secp224r1/secp256r1/secp521r1 routines, because
>>  they're not on by default.
>> 
>>  Or try the 1.0.2 trunk for Intel's even faster AVX2 assembly routines.
>> 
>>  You will need to make sure it's using the correct library version.
>> 
>>  P256 can go at least twice as fast as that, and then some, and that
>>  should be about what you're seeing.
>> 
>>  Brainpool, unfortunately, just can't go that fast; the pseudo-random
>>  primes don't have a structure which allows optimisation. But if a
>>  generic multiplier is OK for your performance needs (like you're using
>>  here, or if you have hardware which can do it well), Brainpool will be
>>  okay.
>> 
> 
> 
> Thanks, it's very helpful and I'll try. Judging from multiple Linux 
> forums, it's recommended and its estimated speed increase is 2x for ECDHE, 
> less so for ECDSA though. I'm wondering why no-ec_nistp_64_gcc_128 is still 
> a default. Are there any indications that either the multiplier algorithm or its 
> openssl implementation are error prone?

Yet another thought that I believe I've seen somewhere in an EC discussion. If there is a shortcut that allows simplifying EC arithmetic significantly, doesn't it mean that an attacker might be in a very good position to eventually find a way of decreasing the cost of an attack significantly as well?

I understand that this is just a "common sense" argument, but I think that it correlates well with EC's "spectral weakness" discussed by Dan Brown, DJB and others here: 
http://www.ietf.org/mail-archive/web/tls/current/msg10169.html
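The "structure which allows optimisation" that the quoted reply refers to is easy to make concrete. The following Python is an added illustration for this thread, not code from the list, from OpenSSL or from any of the people quoted above. It implements the textbook word-shuffle reduction for the NIST P-256 prime (the method from Brown, Hankerson, López and Menezes, "Software Implementation of the NIST Elliptic Curves Over Prime Fields", which is also reproduced in the Guide to Elliptic Curve Cryptography); OpenSSL's ecp_nistp256.c uses a different limb representation, so this is the idea rather than that implementation. It also computes the non-adjacent-form weight of both primes to show why no comparable shortcut exists for brainpoolP256r1. The curve constants are taken from FIPS 186 and RFC 5639.

```python
"""P-256 vs brainpoolP256r1: why one prime admits a reduction shortcut.

Added example for this thread (not from the mailing list or from OpenSSL).
p256 = 2^256 - 2^224 + 2^192 + 2^96 - 1 is a signed sum of a few powers of
2^32, so a 512-bit product reduces with word shuffles and a handful of
additions.  The brainpool prime is pseudo-random: no such shuffle exists,
and a generic Montgomery/Barrett-style reduction must be used instead.
"""

P256 = 2**256 - 2**224 + 2**192 + 2**96 - 1                      # FIPS 186
BRAINPOOL_P256R1_P = int(                                        # RFC 5639
    "A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377", 16)

MASK32 = 0xFFFFFFFF


def words32(c: int, n: int = 16) -> list:
    """Split 0 <= c < 2^(32*n) into n little-endian 32-bit words c[0..n-1]."""
    assert 0 <= c < 1 << (32 * n)
    return [(c >> (32 * i)) & MASK32 for i in range(n)]


def from_words(ws) -> int:
    """Assemble a 256-bit value from words given most-significant first."""
    v = 0
    for w in ws:
        v = (v << 32) | w
    return v


def reduce_p256(c: int) -> int:
    """Reduce 0 <= c < 2^512 modulo P256 with word shuffles, adds and subs.

    Each s_i is a 256-bit value built from 32-bit words of c.  The signed sum
    is congruent to c mod P256 because 2^256 = 2^224 - 2^192 - 2^96 + 1 (mod p),
    and the same identity propagates to the higher words c9..c15.
    """
    w = words32(c)
    s1 = from_words((w[7], w[6], w[5], w[4], w[3], w[2], w[1], w[0]))
    s2 = from_words((w[15], w[14], w[13], w[12], w[11], 0, 0, 0))
    s3 = from_words((0, w[15], w[14], w[13], w[12], 0, 0, 0))
    s4 = from_words((w[15], w[14], 0, 0, 0, w[10], w[9], w[8]))
    s5 = from_words((w[8], w[13], w[15], w[14], w[13], w[11], w[10], w[9]))
    s6 = from_words((w[10], w[8], 0, 0, 0, w[13], w[12], w[11]))
    s7 = from_words((w[11], w[9], 0, 0, w[15], w[14], w[13], w[12]))
    s8 = from_words((w[12], 0, w[10], w[9], w[8], w[15], w[14], w[13]))
    s9 = from_words((w[13], 0, w[11], w[10], w[9], 0, w[15], w[14]))
    r = s1 + 2 * s2 + 2 * s3 + s4 + s5 - s6 - s7 - s8 - s9
    # |r| < 8 * 2^256, so only a few conditional additions/subtractions of p remain.
    while r < 0:
        r += P256
    while r >= P256:
        r -= P256
    return r


def naf_weight(n: int) -> int:
    """Number of non-zero digits in the non-adjacent form of n.

    A low weight means n is a short signed sum of powers of two, which is
    exactly the property that makes a reduction like reduce_p256 possible.
    A random 256-bit prime has weight around 256/3.
    """
    w = 0
    while n > 0:
        if n & 1:
            n -= 2 - (n & 3)      # digit +1 if n = 1 (mod 4), else -1
            w += 1
        n >>= 1
    return w


def mulmod_p256(a: int, b: int) -> int:
    """Field multiplication in GF(P256) using the special-prime reduction."""
    return reduce_p256(a * b)


if __name__ == "__main__":
    import random
    rng = random.Random(2014)           # fixed seed: constructed test inputs
    for _ in range(1000):
        a, b = rng.randrange(P256), rng.randrange(P256)
        assert mulmod_p256(a, b) == (a * b) % P256
    print("P-256 NAF weight:          ", naf_weight(P256))
    print("brainpoolP256r1 NAF weight:", naf_weight(BRAINPOOL_P256R1_P))
```

The NAF weight of the NIST prime is 5, so the reduction above needs nine shuffled operands and a couple of corrections regardless of the input; the brainpool prime's weight is in the eighties, so every product has to go through a generic reduction whose cost depends on the whole 256-bit modulus. That is the whole of the speed gap discussed in the thread; whether the same structure also helps an attacker is the separate question Oleg raises above, and nothing in this example bears on it.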