Re: [TLS] On Curve25519 and other possibilities (e.g. ietf256p, ietf384p, ietf521p,

[Watson Ladd <watsonbladd@gmail.com>]

On Jun 28, 2014 9:58 AM, "Nigel Smart" <nigel@cs.bris.ac.uk> wrote:
>
> Hi
>
>
>> One way to attempt to unify the diverse world of ECC curves is to focus
>> on the underlying field, as opposed the curve itself. Consider Fp
>> operations with p=2^255-19 or p=2^256-189. In other words, for
>> n={256,384,512}, chose the closest C: p=2^n-C is a prime and make this p
>> "MUST". People who demand random primes will have to play along and
>> accept less "randomness" in their curves.
>
>
> Alas there could be some issues with primes close to powers of two.
> See our recent side channel attacks on EC-DSA with the Eurovision
> titles on ePrint "Just a Little Bit" etc. Such a p forces the
> group order to also be close to a power of two (by Hasse's Theorem).
>
> Whilst these papers show there are problems with the NIST choices
> in this respect, the above choices of p would be even worse.

Simple solution: write constant time software. The principal of side
channel attacks being established, one simply eliminates them all.

>
> So unifying in this respect would be a bad idea IMHO.
>
> Nigel
> --
> Prof. Nigel P. Smart         | Tel +44 (0)117 9545163
> Computer Science Department, | Fax +44 (0)117 9545208
> Woodland Road,               | Email nigel@cs.bris.ac.uk
> Bristol, BS8 1UB, UK         | http://www.cs.bris.ac.uk~nigel
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls