Re: [TLS] Using Brainpool curves in TLS

Nico Williams <nico@cryptonector.com> Tue, 15 October 2013 16:12 UTC

In-Reply-To: <CACsn0ckOnrQTOLdUo9gT8hbTx4cEqX9CP6=BRFYtpV1CpT7HXQ@mail.gmail.com>
References: <525C11B5.2050604@secunet.com> <525CEFA4.2030903@funwithsoftware.org> <01b901cec9a0$004e12b0$00ea3810$@offspark.com> <CACsn0ckOnrQTOLdUo9gT8hbTx4cEqX9CP6=BRFYtpV1CpT7HXQ@mail.gmail.com>
Date: Tue, 15 Oct 2013 11:12:39 -0500
Message-ID: <CAK3OfOj6XVuuWCpwqz97QMKyMXensH4i5NT_hLF4pFMZc_s5SA@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Cc: Patrick Pelletier <code@funwithsoftware.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Using Brainpool curves in TLS

On Tue, Oct 15, 2013 at 10:49 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
> The implementation in PolarSSL has a nonconstant pattern of memory
> access. Seriously, it isn't 1999 anymore: everyone doing cryptography
> should be aware of these issues.

Indeed, constant-time operation is a very big deal.  A curve could be
perfectly secure in the ECDLP sense and yet be utterly insecure due to
side channels.  There are no standard curves that we can trust to be
secure in both senses; DJB's curves are very likely secure enough in
the ECDLP sense (certainly given current *public* research) and they
are secure in the other sense; they are also quite fast.
http://safecurves.cr.yp.to/

Nico
--
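An added example, not code from this thread or from PolarSSL, showing the distinction the post makes: a window-table lookup whose load address depends on a secret (the leaky pattern) beside a mask-select version that touches every entry in the same order, plus the constant-time conditional swap a Montgomery ladder relies on. The table size and contents are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed example, not PolarSSL's code. A fixed-window scalar multiplier
 * keeps a table of precomputed points; a real entry is many limbs, and each
 * limb is handled exactly as the single 64-bit word used here. */
#define TABLE_SIZE 16

/* All-ones if a == b, all-zeros otherwise, with no data-dependent branch. */
uint64_t ct_eq_mask(uint64_t a, uint64_t b) {
    uint64_t x = a ^ b;                 /* zero iff equal */
    uint64_t nz = (x | (0 - x)) >> 63;  /* 1 iff x != 0 */
    return nz - 1;                      /* 0 -> ~0, 1 -> 0 */
}

/* Leaky form: `table[idx]` loads from an address chosen by the secret window
 * value, so a cache-timing observer learns idx. Constant-time form: read
 * every entry in the same order every call and select by mask, not address. */
uint64_t lookup_ct(const uint64_t table[TABLE_SIZE], unsigned idx) {
    uint64_t out = 0;
    for (unsigned i = 0; i < TABLE_SIZE; i++)
        out |= table[i] & ct_eq_mask(i, idx);
    return out;
}

/* Constant-time conditional swap, the primitive a Montgomery ladder uses so
 * the same instruction sequence runs whatever the scalar bit is. */
void cswap(uint64_t *a, uint64_t *b, uint64_t bit) {
    uint64_t t = (0 - (bit & 1)) & (*a ^ *b);
    *a ^= t;
    *b ^= t;
}

/* Checks lookup_ct against plain indexing on a constructed table and
 * exercises cswap; returns 1 on success. C gives no guarantee the compiler
 * keeps this branch-free: inspect the emitted assembly of a real build. */
int selftest(void) {
    uint64_t table[TABLE_SIZE], a, b;
    for (unsigned i = 0; i < TABLE_SIZE; i++)
        table[i] = 0x9E3779B97F4A7C15ULL * (i + 1);  /* constructed values */
    for (unsigned i = 0; i < TABLE_SIZE; i++)
        if (lookup_ct(table, i) != table[i]) return 0;
    a = table[3]; b = table[7];
    cswap(&a, &b, 0);
    if (a != table[3] || b != table[7]) return 0;
    cswap(&a, &b, 1);
    return a == table[7] && b == table[3];
}
```

The mask-select costs TABLE_SIZE reads instead of one; that fixed cost is the price of an access pattern independent of the scalar.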