Re: [TLS] Using Brainpool curves in TLS

Watson Ladd <watsonbladd@gmail.com> Wed, 16 October 2013 01:40 UTC

From: Watson Ladd <watsonbladd@gmail.com>
To: Nico Williams <nico@cryptonector.com>
Cc: Patrick Pelletier <code@funwithsoftware.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Using Brainpool curves in TLS

On Tue, Oct 15, 2013 at 9:12 AM, Nico Williams <nico@cryptonector.com> wrote:
> On Tue, Oct 15, 2013 at 10:49 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
>> The implementation in PolarSSL has a nonconstant pattern of memory
>> access. Seriously, it isn't 1999 anymore: everyone doing cryptography
>> should be aware of these issues.
>
> Indeed, constant-time operation is a very big deal.  A curve could be
> perfectly secure in the ECDLP sense and yet be utterly insecure due to
> side channels.  There are no standard curves that we can trust to be
> secure in both senses; DJB's curves are very likely secure enough in
> the ECDLP sense (certainly given current *public* research) and they
> are secure in the other sense; they are also quite fast.
Nota bene: Being safe against side channels is a property of the
implementation, not the curve. DJB's implementations are constant time,
and the curves have properties that make it easier to be constant time,
but it is trivial to introduce backdoors into implementations of them.
> http://safecurves.cr.yp.to/
>
> Nico
> --



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
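The point made above, that side-channel safety lives in the implementation rather than the curve, shown as an added C example (not code from the thread, from PolarSSL or from DJB's libraries): a secret-indexed table read whose memory-access pattern leaks the index, beside a constant-time select that touches every entry, plus the constant-time conditional swap a Montgomery ladder uses instead of a secret-dependent branch. The table contents and helper names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* All-ones if a == b, all-zeros otherwise, with no data-dependent branch. */
static uint32_t ct_eq_mask(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;                       /* zero exactly when a == b */
    uint32_t nonzero = (x | (0u - x)) >> 31;  /* top bit set iff x != 0 */
    return nonzero - 1u;                      /* 0 -> 0xFFFFFFFF, 1 -> 0 */
}

/* Leaky: the address read depends on the secret index, so cache timing
 * reveals which entry was used (the nonconstant access pattern at issue). */
uint32_t lookup_leaky(const uint32_t *table, size_t n, uint32_t secret_idx) {
    (void)n;
    return table[secret_idx];
}

/* Constant-time: every entry is read and the wanted one is selected by
 * masking, so the access pattern is independent of secret_idx. */
uint32_t lookup_ct(const uint32_t *table, size_t n, uint32_t secret_idx) {
    uint32_t result = 0;
    for (size_t i = 0; i < n; i++)
        result |= table[i] & ct_eq_mask((uint32_t)i, secret_idx);
    return result;
}

/* Constant-time conditional swap: what a Montgomery ladder uses in place
 * of "if (bit) swap(R0, R1)". swap must be 0 or 1. */
void ct_cswap(uint32_t *a, uint32_t *b, uint32_t swap) {
    uint32_t mask = 0u - (swap & 1u);  /* 0 or 0xFFFFFFFF */
    uint32_t t = mask & (*a ^ *b);
    *a ^= t;
    *b ^= t;
}

/* Self-check over a constructed table: the constant-time select must
 * return the same values as the leaky lookup for every index. */
int ct_lookup_matches(void) {
    static const uint32_t table[8] = {11, 22, 33, 44, 55, 66, 77, 88};
    for (uint32_t i = 0; i < 8; i++)
        if (lookup_ct(table, 8, i) != lookup_leaky(table, 8, i)) return 0;
    return 1;
}

/* Self-check: swap with bit 1 exchanges, swap with bit 0 leaves as-is. */
int ct_cswap_check(void) {
    uint32_t a = 1, b = 2;
    ct_cswap(&a, &b, 1);
    if (a != 2 || b != 1) return 0;
    ct_cswap(&a, &b, 0);
    return a == 2 && b == 1;
}
```

Whether a compiler preserves the branch-free form is a separate concern; production code verifies the emitted machine code rather than trusting the source pattern.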