[Ach] preference of curves in ECC - ECDSA, ECDH

Aaron Zauner azet at azet.org
Sun Mar 9 19:54:49 CET 2014


MacLemon wrote:
> I'm totally for adding this as it will likely improve the quality of ECC a lot and hopefully make us less dependent on NIST curves once clients start to support better curves like 25519. (Chrom(e|ium) already does.)
> I'm in for testing this with nginx.

> I'm also very skeptical about ECDSA because of the “strange properties” of DSA that Nadja Heninger mentioned. (If you ever use a nonce twice you're leaking your private key to an adversary capable of recording both messages, which we know to be happening for both.)
It's up to the protocol designers and implementors to handle this
correctly. It does not mean that ECDSA is not safe to use. E.g. if you
use your IV/nonce more than once with certain AES block cipher modes
you're basically doing the same thing. Random IVs in AES-GCM are also
unsafe. It's not easy to implement correctly at all.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20140309/a444a840/attachment.sig>

More information about the Ach mailing list