Re: [TLS] Twist security for brainpoolp256r1

Oleg Gryb <oleg_gryb@yahoo.com> Sat, 15 November 2014 16:32 UTC

Date: Sat, 15 Nov 2014 16:30:40 +0000 (UTC)
From: Oleg Gryb <oleg_gryb@yahoo.com>
To: Alyssa Rowan <akr@akr.io>, Oleg Gryb <oleg@gryb.info>, Manuel Pégourié-Gonnard <mpg@polarssl.org>, Johannes Merkle <johannes.merkle@secunet.com>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <1034833904.885136.1416069040217.JavaMail.yahoo@jws10657.mail.bf1.yahoo.com>
In-Reply-To: <546713DB.5020201@akr.io>
References: <546713DB.5020201@akr.io>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/xPIFF4L-Z54ae8rhgY1MUR_QhoA
Subject: Re: [TLS] Twist security for brainpoolp256r1
Reply-To: Oleg Gryb <oleg@gryb.info>
----- Original Message -----
> From: Alyssa Rowan <akr@akr.io>
> To: Oleg Gryb <oleg@gryb.info>; Oleg Gryb <oleg_gryb@yahoo.com>; Manuel Pégourié-Gonnard <mpg@polarssl.org>; Johannes Merkle <johannes.merkle@secunet.com>; "tls@ietf.org" <tls@ietf.org>
> Cc: 
> Sent: Saturday, November 15, 2014 12:50 AM
> Subject: Re: [TLS] Twist security for brainpoolp256r1
> 
> No, you just don't have the optimisation turned on: that's using the
> old unoptimised generic prime routine.
> 
> If you're on 1.0.1, Configure/make depend/make it with flag
> enable-ec_nistp_64_gcc_128 (if you're on x86-64) to use the agl/Emilia
> Kasper optimised secp224r1/secp256r1/secp521r1 routines, because
> they're not on by default.
> 
> Or try the 1.0.2 trunk for Intel's even faster AVX2 assembly routines.
> 
> You will need to make sure it's using the correct library version.
> 
> P256 can go at least twice as fast as that, and then some, and that
> should be about what you're seeing.
> 
> Brainpool, unfortunately, just can't go that fast; the pseudo-random
> primes don't have a structure which allows optimisation. But if a
> generic multiplier is OK for your performance needs (like you're using
> here, or if you have hardware which can do it well), Brainpool will be
> okay.
> 
Thanks, it's very helpful and I'll try. Judging from multiple Linux forums, it's recommended, and its estimated speed increase is 2x for ECDHE, less so for ECDSA though. I'm wondering why no-ec_nistp_64_gcc_128 is still the default. Are there any indications that either the multiplier algorithm or its OpenSSL implementation is error-prone?
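The point in the quoted reply that the NIST primes have a structure the pseudo-random Brainpool primes lack is easy to see in code. The following is an added illustration, not code from this thread or from OpenSSL: it reduces a 512-bit product modulo the secp256r1 prime with nothing but 32-bit word copies, additions and subtractions (the word pattern from FIPS 186-4, Appendix D.2.3), and reduces modulo the brainpoolP256r1 prime (RFC 5639) with Barrett reduction, which is used here purely as a stand-in for "a generic multiplier"; OpenSSL's own generic big-number path is Montgomery-based and is not reproduced here. Both are checked against Python's built-in `%` on constructed random products.

```python
"""Added example: special-form reduction for P-256 vs generic reduction.

secp256r1's prime is a generalised Mersenne number, so reducing a 512-bit
product modulo p is a fixed shuffle of 32-bit words with a few additions
and subtractions (FIPS 186-4, D.2.3).  brainpoolP256r1's prime is
pseudo-random, so only a generic method applies; Barrett reduction is the
stand-in used here (illustrative, not OpenSSL's code path).
"""
import random

# NIST P-256 prime: 2^256 - 2^224 + 2^192 + 2^96 - 1 (FIPS 186-4)
P256 = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
assert P256 == 2**256 - 2**224 + 2**192 + 2**96 - 1

# brainpoolP256r1 prime (RFC 5639, section 3.4); no exploitable form
BP256 = 0xA9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377

MASK32 = (1 << 32) - 1


def _words(x: int, n: int = 16) -> list:
    """Split x into n little-endian 32-bit words c[0..n-1]."""
    return [(x >> (32 * i)) & MASK32 for i in range(n)]


def _join(ws) -> int:
    """Assemble 32-bit words listed most significant word first."""
    v = 0
    for w in ws:
        v = (v << 32) | w
    return v


def reduce_p256(x: int) -> int:
    """Reduce 0 <= x < 2^512 modulo P256 using only word shuffles.

    s1..s9 are the terms of FIPS 186-4 Algorithm D.2.3 (most significant
    word first).  No multiplication by p or by a precomputed inverse is
    needed; this is the structure the optimised nistp256 routine exploits.
    """
    if not 0 <= x < 1 << 512:
        raise ValueError("input must be a 512-bit product")
    c = _words(x)
    s1 = _join((c[7], c[6], c[5], c[4], c[3], c[2], c[1], c[0]))
    s2 = _join((c[15], c[14], c[13], c[12], c[11], 0, 0, 0))
    s3 = _join((0, c[15], c[14], c[13], c[12], 0, 0, 0))
    s4 = _join((c[15], c[14], 0, 0, 0, c[10], c[9], c[8]))
    s5 = _join((c[8], c[13], c[15], c[14], c[13], c[11], c[10], c[9]))
    s6 = _join((c[10], c[8], 0, 0, 0, c[13], c[12], c[11]))
    s7 = _join((c[11], c[9], 0, 0, c[15], c[14], c[13], c[12]))
    s8 = _join((c[12], 0, c[10], c[9], c[8], c[15], c[14], c[13]))
    s9 = _join((c[13], 0, c[11], c[10], c[9], 0, c[15], c[14]))
    r = s1 + 2 * s2 + 2 * s3 + s4 + s5 - s6 - s7 - s8 - s9
    # r lies within a few multiples of p on either side of [0, p); fix it
    # up with a bounded number of conditional adds/subtracts, not a divide.
    while r < 0:
        r += P256
    while r >= P256:
        r -= P256
    return r


def barrett_reduce(x: int, p: int, k: int = 256) -> int:
    """Generic reduction of 0 <= x < 2^(2k) modulo a k-bit p (Barrett).

    Works for any modulus, including the Brainpool prime, at the cost of a
    full-width multiplication by the precomputed constant mu and another
    by p: there is no word pattern to exploit.
    """
    if not 0 <= x < 1 << (2 * k):
        raise ValueError("input must be below 2^(2k)")
    mu = (1 << (2 * k)) // p          # precomputed once per modulus
    q = ((x >> (k - 1)) * mu) >> (k + 1)
    r = x - q * p                     # q never exceeds the true quotient
    while r >= p:                     # at most two corrections
        r -= p
    return r


def check(trials: int = 200, seed: int = 1) -> bool:
    """Compare both reductions against Python's % on constructed products."""
    rng = random.Random(seed)         # deterministic, constructed inputs
    for _ in range(trials):
        a, b = rng.getrandbits(256), rng.getrandbits(256)
        if reduce_p256(a * b) != (a * b) % P256:
            return False
        if barrett_reduce(a * b, BP256) != (a * b) % BP256:
            return False
    return True


if __name__ == "__main__":
    print("both reductions agree with x % p:", check())
```

The nine `_join` calls are the whole of the P-256 reduction: every term is a rearrangement of the input words, which is why it can be unrolled into straight-line integer arithmetic in an optimised implementation. The Brainpool path cannot avoid the two wide multiplications in `barrett_reduce` (or the equivalent Montgomery steps), whatever the implementation, which matches the reply's claim that a generic multiplier is the best one can do for those curves.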