Re: [TLS] Twist security for brainpoolp256r1
Alyssa Rowan <akr@akr.io> Sat, 15 November 2014 08:50 UTC
Message-ID: <546713DB.5020201@akr.io>
Date: Sat, 15 Nov 2014 08:50:35 +0000
From: Alyssa Rowan <akr@akr.io>
MIME-Version: 1.0
To: Oleg Gryb <oleg@gryb.info>, Oleg Gryb <oleg_gryb@yahoo.com>, Manuel Pégourié-Gonnard <mpg@polarssl.org>, Johannes Merkle <johannes.merkle@secunet.com>, "tls@ietf.org" <tls@ietf.org>
References: <54647819.3020802@polarssl.org> <2109273109.730596.1416005173738.JavaMail.yahoo@jws10656.mail.bf1.yahoo.com>
In-Reply-To: <2109273109.730596.1416005173738.JavaMail.yahoo@jws10656.mail.bf1.yahoo.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/r9rFAcL2yGeaHoIpi9Gkgw4kOik
Subject: Re: [TLS] Twist security for brainpoolp256r1
On 14 November 2014 22:46:13 GMT+00:00, Oleg Gryb <oleg_gryb@yahoo.com> wrote:

> I had to change 'speed.c' in openssl to add brainpoolp256r1 (by
> default it is simply not there). The difference for both ecdsa
> (signature) and ecdh (diffie-hellman-merkle key exchange) is less
> than 5%, so P-256 'optimization' in openssl is definitely
> overrated.

No, you just don't have the optimisation turned on: that's using the old unoptimised generic prime routine.

If you're on 1.0.1, Configure/make depend/make it with flag enable-ec_nistp_64_gcc_128 (if you're on x86-64) to use the agl/Emilia Kasper optimised secp224r1/secp256r1/secp521r1 routines, because they're not on by default. Or try the 1.0.2 trunk for Intel's even faster AVX2 assembly routines. You will need to make sure it's using the correct library version.

P256 can go at least twice as fast as that, and then some, and that should be about what you're seeing. Brainpool, unfortunately, just can't go that fast; the pseudo-random primes don't have a structure which allows optimisation. But if a generic multiplier is OK for your performance needs (like you're using here, or if you have hardware which can do it well), Brainpool will be okay.

-- 
/akr.
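The build-and-benchmark sequence the reply describes (Configure/make depend/make with enable-ec_nistp_64_gcc_128 on x86-64, then check the binary is the one you built before running openssl speed), as an added shell example that is not part of the original message or of OpenSSL itself. It assumes an unpacked OpenSSL 1.0.1 source tree at $OPENSSL_SRC and a 64-bit gcc; the helper names (nistp_build_opts, build_openssl, check_version, bench_p256) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message or OpenSSL): build 1.0.1 with the
# optimised NIST-prime routines on, confirm the benchmark binary is the one just
# built, then time P-256 ECDH/ECDSA with `openssl speed`.
# Assumptions: OpenSSL 1.0.1 source tree at $OPENSSL_SRC, 64-bit gcc.
set -eu

# Extra Configure option for this machine, or nothing. The 64-bit NIST-prime
# code needs a 128-bit integer type, hence the "if you're on x86-64" caveat;
# without it Configure uses the generic prime routines Oleg measured.
nistp_build_opts() {
    case "$1" in
        x86_64|amd64) echo "enable-ec_nistp_64_gcc_128" ;;
        *)            echo "" ;;   # generic routines only
    esac
}

# Configure / make depend / make, the sequence given in the reply. The
# option must be passed at configure time; `make depend` re-resolves the
# dependencies so ecp_nistp256.c is actually rebuilt with it.
build_openssl() {
    src=$1
    opts=$(nistp_build_opts "$(uname -m)")
    ( cd "$src" && ./config $opts && make depend && make )
}

# "Make sure it's using the correct library version": refuse to benchmark a
# binary whose reported version does not match the tree you just built
# (a PATH or shared-library mix-up silently benchmarks the old build).
check_version() {
    bin=$1; want=$2
    "$bin" version | grep -q "^OpenSSL $want"
}

# Run the built tree's own apps/openssl, not whatever is on PATH.
bench_p256() {
    src=$1; want=$2
    bin="$src/apps/openssl"
    check_version "$bin" "$want" || {
        echo "wrong openssl binary: $("$bin" version)" >&2; return 1; }
    "$bin" speed ecdhp256 ecdsap256
}

# Usage (not executed here):
#   OPENSSL_SRC=./openssl-1.0.1j
#   build_openssl "$OPENSSL_SRC" && bench_p256 "$OPENSSL_SRC" 1.0.1j
```

Compare the ecdhp256/ecdsap256 op/s figures from this build against the default build to see the difference the reply refers to; a 1.0.2 tree built the same way picks up the AVX2 P-256 assembly on x86-64 without further options.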