Re: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,
Alyssa Rowan <akr@akr.io> Sat, 28 June 2014 17:30 UTC
Message-ID: <53AEFBC5.4000605@akr.io>
Date: Sat, 28 Jun 2014 18:30:45 +0100
From: Alyssa Rowan <akr@akr.io>
MIME-Version: 1.0
To: tls@ietf.org
References: <53AEF428.3010302@cs.bris.ac.uk> <CACsn0ck9Y-pLcMaaZAb8k+i7YOO2hj0FR-hG63Mio63sMtu7KA@mail.gmail.com>
In-Reply-To: <CACsn0ck9Y-pLcMaaZAb8k+i7YOO2hj0FR-hG63Mio63sMtu7KA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/-XSuqoQG6v_QZ7U951knMQMIkIo
Subject: Re: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 28/06/2014 18:01, Watson Ladd wrote:

>> See our recent side channel attacks on EC-DSA with the
>> Eurovision

> Simple solution: write constant time software. The principle of
> side channel attacks being established, one simply eliminates them
> all.

And, of course, it would be remiss of me not to point out that all the
good Curve25519 implementations are both fast and constant-time, the
curve having been specified with the constant-time Montgomery ladder in
mind in the first place. This is actually an area where 25519 wins big.

(It should also be pointed out that constant-time over Weierstrass
curves is possible, with enough care; see Langley/Möller/Kasper's
implementation contributed to OpenSSL. I have yet to see any
implementation capable of doing such a feat with arbitrary curves.)

As far as code quality and reuse are concerned, what we've learned from
things like Heartbleed I think is that "many eyes make bugs shallow" is
only true when the eyes actually _look_ at the code. I don't think
monoculture is to blame (we could just as easily have 10 bad
implementations as 1), just complacency and a lack of sufficient
auditing. I'd be much happier with a few implementations that everyone
looks at very closely than many which aren't as well-audited.
- --
/akr
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJTrvvFAAoJEOyEjtkWi2t6rxoQAKVeCkxlYZz/s5Ji1mI/s43c
tPYVHycIbZkEEpLerpQpZk6XlBPgTiAwgEcBQd3P/MlZWi6N7XdvSap1WBG7S1U4
2uJyTJXlOEqZX/VJFSFX3zO/gLm+xhmanN7uoGfOoy+nf1szMbXDAJo+lmosFNzd
MPGHYNI51b5dlcNQ7jYg/kUkMT5H14Wnm5EMTYsbM0iUV0hZ90lLKXvAZJh6pt8m
hLFH/XDCF8KdfWFcEb/uAnYqMivxPSUl5IN87OTn4911CHIN90g8cWykXxqsXSJf
bdC9fwAR4SCpCynm6MODhZlWJbteXA6gIRGZ/ynnjgcbhOE+7IYaaMuavExZQOB7
gNP3s6pcXe3xU19XIQbWTAtmXUkIBF6c0CI9PYiQFCUZDZpGx1aY4BBw0A08PYDs
kkO8HA/NzhwVZU9pzF1HDaxuvfzkh7P4DVtUXNdOYPeefzOVt0ViwoGCxyaoPuZq
idCEL6Ia3bZCa1OdTbOpRi/GA7T8NEZG6Wu8mL1UsY2FmfsYJgKSfpzIWa0FyGHr
bg8rIPpS6HG4XXusDH2WINR6fCXYnbTKhKehXBUjnh6x6ccrGcHPX3S6kTRmISi8
tvQ+la8+ykMaDKfvEHmlTZmjl1ug4jlhwrAa62Wnz3/dkMF41PpcAHWGSnUdByFO
iBpyxqrJoMGf/OhFwBka
=fRNi
-----END PGP SIGNATURE-----
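The constant-time Montgomery ladder the message refers to, shown as an added example that is not code from the message, from the list, or from any implementation named in it: X25519 as specified in RFC 7748, using the 16-limbs-of-16-bits field representation that TweetNaCl uses, with the carry propagation, the final reduction, the conditional swap and the ladder step all written without branches on secret data. The function names (x25519, x25519_selftest, unhex) are this example's own; the known-answer values are the first X25519 test vector and the one-iteration vector from RFC 7748 section 5.2.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Added example: X25519 (RFC 7748) in the 16-limbs-of-16-bits representation
 * TweetNaCl uses. Carries, final reduction, the conditional swap and the ladder
 * are branch-free. Not code from the e-mail or from any library it mentions. */
typedef unsigned char u8;
typedef int64_t i64;
typedef i64 gf[16];
#define FOR(i, n) for ((i) = 0; (i) < (n); ++(i))
static const gf A24 = {0xDB41, 1};            /* (486662 - 2) / 4 = 121665 */
/* Limb carry propagation; the top carry wraps as *38 since 2^256 = 38 mod p. */
static void car25519(gf o) {
    int i; i64 c;
    FOR(i, 16) {
        o[i] += (i64)1 << 16; c = o[i] >> 16;
        o[(i + 1) * (i < 15)] += c - 1 + 37 * (c - 1) * (i == 15);
        o[i] -= c << 16;
    }
}
/* Conditional swap by mask: swaps p and q iff b == 1, with no branch on b. */
static void sel25519(gf p, gf q, int b) {
    i64 t, c = ~(i64)(b - 1); int i;
    FOR(i, 16) { t = c & (p[i] ^ q[i]); p[i] ^= t; q[i] ^= t; }
}
/* Canonical reduction mod p = 2^255 - 19, then little-endian serialisation. */
static void pack25519(u8 *o, const gf n) {
    int i, j, b; gf m, t;
    FOR(i, 16) t[i] = n[i];
    car25519(t); car25519(t); car25519(t);
    FOR(j, 2) {                               /* compute t - p; keep it via cswap */
        m[0] = t[0] - 0xffed;
        for (i = 1; i < 15; i++) { m[i] = t[i] - 0xffff - ((m[i - 1] >> 16) & 1); m[i - 1] &= 0xffff; }
        m[15] = t[15] - 0x7fff - ((m[14] >> 16) & 1);
        b = (m[15] >> 16) & 1;                /* 1 if t < p (the subtraction borrowed) */
        m[14] &= 0xffff;
        sel25519(t, m, 1 - b);
    }
    FOR(i, 16) { o[2 * i] = t[i] & 0xff; o[2 * i + 1] = t[i] >> 8; }
}
static void unpack25519(gf o, const u8 *n) {
    int i; FOR(i, 16) o[i] = n[2 * i] + ((i64)n[2 * i + 1] << 8);
    o[15] &= 0x7fff;                          /* ignore the top bit, per RFC 7748 */
}
static void A(gf o, const gf a, const gf b) { int i; FOR(i, 16) o[i] = a[i] + b[i]; }
static void Z(gf o, const gf a, const gf b) { int i; FOR(i, 16) o[i] = a[i] - b[i]; }
/* Schoolbook product, high half folded back with *38, then two carry passes. */
static void M(gf o, const gf a, const gf b) {
    i64 i, j, t[31];
    FOR(i, 31) t[i] = 0;
    FOR(i, 16) FOR(j, 16) t[i + j] += a[i] * b[j];
    FOR(i, 15) t[i] += 38 * t[i + 16];
    FOR(i, 16) o[i] = t[i];
    car25519(o); car25519(o);
}
static void S(gf o, const gf a) { M(o, a, a); }
/* Inverse as a^(p-2): the exponent is a public constant, so this branch is fine. */
static void inv25519(gf o, const gf i) {
    gf c; int a;
    FOR(a, 16) c[a] = i[a];
    for (a = 253; a >= 0; a--) { S(c, c); if (a != 2 && a != 4) M(c, c, i); }
    FOR(a, 16) o[a] = c[a];
}
/* Montgomery ladder: same operation sequence every bit; the bit only drives cswaps. */
void x25519(u8 out[32], const u8 scalar[32], const u8 point[32]) {
    u8 z[32]; gf x, a, b, c, d, e, f; i64 r; int i;
    FOR(i, 31) z[i] = scalar[i];
    z[31] = (scalar[31] & 127) | 64; z[0] &= 248;   /* clamp the scalar */
    unpack25519(x, point);
    FOR(i, 16) { b[i] = x[i]; d[i] = a[i] = c[i] = 0; }
    a[0] = d[0] = 1;                          /* (a:c) = (1:0), (b:d) = (x:1) */
    for (i = 254; i >= 0; --i) {
        r = (z[i >> 3] >> (i & 7)) & 1;
        sel25519(a, b, r); sel25519(c, d, r);
        A(e, a, c); Z(a, a, c); A(c, b, d); Z(b, b, d);
        S(d, e); S(f, a); M(a, c, a); M(c, b, e);
        A(e, a, c); Z(a, a, c); S(b, a); Z(c, d, f);
        M(a, c, A24); A(a, a, d); M(c, c, a); M(a, d, f); M(d, b, x); S(b, e);
        sel25519(a, b, r); sel25519(c, d, r);
    }
    inv25519(c, c); M(a, a, c); pack25519(out, a);   /* u = X2 / Z2 */
}
static void unhex(u8 out[32], const char *hex) {     /* test-vector helper */
    int i; char b[3] = {0, 0, 0};
    for (i = 0; i < 32; i++) { b[0] = hex[2 * i]; b[1] = hex[2 * i + 1]; out[i] = (u8)strtol(b, NULL, 16); }
}
/* Known-answer test: RFC 7748 s5.2 first vector, then one iteration with k = u = 9. Returns 1 on success. */
int x25519_selftest(void) {
    u8 k[32], u[32], want[32], out[32];
    unhex(k, "a546e36bf0527c9d3b16154b82465edd62144c0ac1fc5a18506a2244ba449ac4");
    unhex(u, "e6db6867583030db3594c1a424b15f7c726624ec26b3353b10a903a6d0ab1c4c");
    unhex(want, "c3da55379de9c6908e94ea4df28d084f32eccf03491c71f754b4075577a28552");
    x25519(out, k, u);
    if (memcmp(out, want, 32) != 0) return 0;
    memset(k, 0, 32); k[0] = 9;
    unhex(want, "422c8e7a6227d7bca1350b3e2bb7279f7897b87bb6854b783c60e80311ae3079");
    x25519(out, k, k);
    return memcmp(out, want, 32) == 0;
}
int main(void) { return x25519_selftest() ? 0 : 1; }
```

Build with any C99 compiler and run; exit status 0 means both known-answer checks passed. The caveat to attach to "just write constant-time software": branch-freedom in the source is necessary, not sufficient. A compiler is free to turn the mask select in sel25519 back into a branch, and the 64-bit multiply in M must itself run in constant time on the target (it does not on some small cores), so the generated assembly and the measured timing still have to be checked, which is precisely the kind of close auditing the message asks for.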