Eric, thanks for your help again.
> > As far as I have understood, the consensus is that there are bad
> > (insecure) ECs (those from NIST which seem to be intentionally weakened /
> > broken by various tricks) and good (secure) ECs (e.g. Ed25519).
> >
>
> I don't think this really accurately reflects the consensus of the security
> community, which is why all the major stacks continue to support the major
> NIST prime curves (P-256 and P-384). I do think the consensus is that the
> new curves are better (faster and easier to implement correctly) which is
> why stacks have added them.

I am feeling the highest respect towards you because you took the time and know what you are talking about. But in this case, although not having much knowledge in cryptography yet, I have to disagree.

I have read about possible side channels and intentional weaknesses of the NIST curves on dozens of trustworthy web sites. There even is an RFC from the IETF titled "Elliptic Curves for Security" which lists which conditions an EC must fulfill to be secure, and then only recommends curve 25519 and curve 448. I am quite sure that the authors of that RFC also are deep in the matter, so I trust what they are saying. Here is the link:

https://tools.ietf.org/html/draft-irtf-cfrg-curves-02

If you are interested, I could provide some more links to articles / white papers which clearly state that the NIST curves are probably contaminated and that they shouldn't be used.

Thanks again,

Binarus

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

