Re: [TLS] Using Brainpool curves in TLS

Nico Williams <nico@cryptonector.com> Wed, 16 October 2013 02:25 UTC

Date: Tue, 15 Oct 2013 21:25:07 -0500
Message-ID: <CAK3OfOhDSeZChAyTUxGnvGWf4U2rV=GzJ=t_xJO_Gaycp=Rm8w@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: Patrick Pelletier <code@funwithsoftware.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Using Brainpool curves in TLS

On Tue, Oct 15, 2013 at 8:40 PM, Watson Ladd <watsonbladd@gmail.com> wrote:
> Nota bene: Being safe against side channels is a property of the
> implementation, not the curve.
> DJB's implementations are constant time, and the curves have
> properties that make it easier to be constant time,

That's what I was referring to, yes.

> but it is trivial to introduce backdoors into implementations of them.

Do you mean that it's easier to backdoor implementations of specific
EC curves than, say, RSA?  I would think that implementations of...
just about anything can be backdoored with relative ease.

Nico