Julien Vehent <jul...@linuxwall.info> wrote:

> > The discussion above was biased in favor of what was best for FirefoxOS and
> > FxAndroid.
> AES-NI has also removed most concerns around bad implementations of
> AES, so it seems that the attacks we were concerned about two years ago
> do not apply anymore.

I think they still do apply to ARM devices and to low-end Intel/AMD devices.

> ChaCha20 is a different topic entirely,

It is relevant here because there are many CPUs that can't do constant-time

> ARMv8 added support for it, so I'm guessing all apple and android mobiles
> now support AES-NI, but I am no CPU architecture expert...

There are many Android devices, at least, that aren't ARMv8.

> I haven't followed these discussions closely. Your proposal in those threads
> concerns tls1.3 specifically. Are we concerned about the nonce handling in
> 1.1 and 1.2?

There are no AEAD cipher suites in TLS 1.0 or 1.1.

For TLS 1.2, it's something that needs to be figured out. Because of the
4-byte implicit part of the nonce in TLS 1.2, the statistics in DJB's batch
attack need to be adjusted by some number <= 2^32.

dev-tech-crypto mailing list
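An added illustration of the point made in the reply above about the TLS 1.2 nonce (this is example code written for this page, not code from the thread or from NSS): it builds the AES-GCM nonce the way RFC 5288 specifies for TLS 1.2 (4-byte implicit write_IV from the key block, 8-byte explicit part carried in the record) and the way RFC 8446 section 5.3 specifies for TLS 1.3 (12-byte static IV XORed with the sequence number), then simulates why the implicit part changes the statistics of a multi-key batch attack. The simulation is a constructed model: it draws one random implicit part per connection and measures the largest group of connections that share the same implicit part, since those are the keys an attacker could batch together against one fixed nonce. The function names and the choice of 100000 connections are my own.

```python
"""Added example: TLS 1.2 vs TLS 1.3 AEAD nonce construction and the effect
of the TLS 1.2 implicit nonce part on a DJB-style batch (multi-key) attack.
Standard library only; nothing here performs real encryption.
"""
import random
from collections import Counter


def tls12_gcm_nonce(write_iv: bytes, explicit_nonce: bytes) -> bytes:
    """RFC 5288: nonce = write_IV (4 bytes, implicit) || explicit (8 bytes).

    The implicit part comes from the key block and never appears on the
    wire; the explicit part is sent in clear with every record.
    """
    if len(write_iv) != 4 or len(explicit_nonce) != 8:
        raise ValueError("TLS 1.2 GCM: 4-byte implicit + 8-byte explicit part")
    return write_iv + explicit_nonce


def tls13_nonce(static_iv: bytes, seq: int) -> bytes:
    """RFC 8446 s5.3: nonce = static_iv XOR (seq left-padded to 12 bytes)."""
    if len(static_iv) != 12:
        raise ValueError("TLS 1.3 IV is 12 bytes")
    padded = seq.to_bytes(12, "big")  # raises if seq >= 2**96
    return bytes(a ^ b for a, b in zip(static_iv, padded))


def largest_batch(implicit_parts) -> int:
    """Largest set of connections sharing one implicit nonce value.

    In a batch attack the attacker fixes the explicit nonce / sequence
    number and tests one guessed key against many targets at once; only
    targets whose full nonce is identical can be batched, so the batch is
    bounded by the number of connections sharing an implicit part.
    """
    return max(Counter(implicit_parts).values())


def simulate_batch(num_connections: int, implicit_bits: int, seed: int = 1) -> int:
    """Constructed model: each connection gets a uniformly random implicit
    part of `implicit_bits` bits (0 bits models 'all targets share the
    nonce'). Returns the largest batch an attacker could form."""
    rng = random.Random(seed)
    if implicit_bits == 0:
        parts = [0] * num_connections
    else:
        parts = [rng.getrandbits(implicit_bits) for _ in range(num_connections)]
    return largest_batch(parts)


def batch_adjustment(num_connections: int, implicit_bits: int, seed: int = 1) -> float:
    """Factor by which the implicit part shrinks the attacker's batch,
    i.e. num_connections / largest_batch. It can never exceed
    2**implicit_bits, which is the '<= 2^32' in the reply above."""
    return num_connections / simulate_batch(num_connections, implicit_bits, seed)


if __name__ == "__main__":
    iv12 = bytes(range(12))
    print("TLS 1.2 nonce:", tls12_gcm_nonce(b"\x00\x01\x02\x03", b"\x00" * 7 + b"\x05").hex())
    print("TLS 1.3 nonce seq 0:", tls13_nonce(iv12, 0).hex())
    print("TLS 1.3 nonce seq 5:", tls13_nonce(iv12, 5).hex())
    for bits in (0, 8, 16, 32):
        print(f"implicit bits={bits:2d}: largest batch over 100000 connections =",
              simulate_batch(100000, bits))
```

With no implicit part every connection can be batched together; with a 32-bit implicit part and 100000 connections the largest batch is one or two, so the adjustment is close to the number of connections and in all cases bounded by 2^32. The explicit part gives no such protection on its own: an attacker chooses it, and it is visible on the wire.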
