Eric,

thanks for your help again.

> > As far as I have understood, the consensus is that there are bad
> > (insecure) ECs (those from NIST which seem to be intentionally weakened /
> > broken by various tricks) and good (secure) ECs (e.g. Ed25519).
> >
> 
> I don't think this really accurately reflects the consensus of the security
> community, which is why all the major stacks continue to support the major
> NIST prime curves (P-256 and P-384). I do think the consensus is that the
> new curves are better (faster and easier to implement correctly) which is
> why stacks have added them.

I am feeling the highest respect towards you because you took the time and know 
what you are talking about. But in this case, although not having much 
knowledge in cryptography yet, I have to disagree. I have read about possible 
side channels and intentional weaknesses of the NIST curves on dozens of 
trustworthy web sites.

There even is an RFC from the IETF titled "Elliptic Curves for Security" which 
lists which conditions an EC must fulfill to be secure, and then only 
recommends curve 25519 and curve 448. I am quite sure that the authors of that 
RFC also are deep in the matter, so I trust what they are saying.

Here is the link:
https://tools.ietf.org/html/draft-irtf-cfrg-curves-02

If you are interested, I could provide some more links to articles / white 
papers which clearly state that the NIST curves are probably contaminated and 
that they shouldn't be used.

Thanks again,

Binarus
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
