Julien Vehent <jul...@linuxwall.info> wrote:
> > The discussion above was biased in favor of what was best for FirefoxOS
> > FxAndroid.
> AES-NI has also removed most concerns around bad implementations of
> AES, so it seems that the attacks we were concerned about two years ago
> do not apply anymore.
I think they still do apply to ARM devices and to low-end Intel/AMD devices.
> ChaCha20 is a different topic entirely,
It is relevant here because there are many CPUs that can't do constant-time
> ARMv8 added support for it, so I'm guessing all Apple and Android mobiles
> now support AES-NI, but I am no CPU architecture expert...
There are many Android devices, at least, that aren't ARMv8.
> I haven't followed these discussions closely. Your proposal in those
> concerns tls1.3 specifically. Are we concerned about the nonce handling in
> 1.1 and 1.2?
There are no AEAD cipher suites in TLS 1.0 or 1.1.
For TLS 1.2, it's something that needs to be figured out. Because of the
4-byte implicit part of the nonce in TLS 1.2, the statistics in DJB's batch
attack need to be adjusted by some number <= 2^32.
dev-tech-crypto mailing list
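The nonce layout the reply refers to, as an added example that is not part of the thread: in TLS 1.2 AES-GCM (RFC 5288) the 12-byte nonce is a 4-byte implicit salt from the key block followed by an 8-byte explicit part carried in each record, so only 64 bits vary per record under a given key. The code below assembles that nonce, generates the explicit part either as a counter or at random, and includes a receiver-side monitor that flags a repeated explicit part under one key. The salt value, the class names and the counter-reset fault in `demo()` are constructed for illustration.

```python
"""Added example (not from the thread): TLS 1.2 AEAD record nonce layout.

nonce (12 bytes) = implicit salt (4 bytes, from the key block, fixed per key)
                 || explicit part (8 bytes, sent with every record)
"""
import os
import struct

IMPLICIT_LEN = 4   # client_write_IV / server_write_IV from the key block
EXPLICIT_LEN = 8   # explicit nonce on the wire in each record
NONCE_LEN = IMPLICIT_LEN + EXPLICIT_LEN


def build_nonce(implicit_salt: bytes, explicit_part: bytes) -> bytes:
    """Concatenate the per-key salt with the per-record explicit part."""
    if len(implicit_salt) != IMPLICIT_LEN:
        raise ValueError("implicit salt must be 4 bytes")
    if len(explicit_part) != EXPLICIT_LEN:
        raise ValueError("explicit nonce must be 8 bytes")
    return implicit_salt + explicit_part


class RecordNonceSource:
    """Sender-side generator for the explicit part (hypothetical helper).

    mode="counter": a 64-bit big-endian counter, which cannot repeat before
    2^64 records; mode="random": 8 random bytes, where repeats become a
    birthday-bound question over the 64-bit explicit space only, since the
    implicit 32 bits are the same for every record under the key.
    """

    def __init__(self, implicit_salt: bytes, mode: str = "counter"):
        self.salt = implicit_salt
        self.mode = mode
        self.counter = 0

    def next_nonce(self) -> bytes:
        if self.mode == "counter":
            explicit = struct.pack(">Q", self.counter)
            self.counter += 1
        else:
            explicit = os.urandom(EXPLICIT_LEN)
        return build_nonce(self.salt, explicit)


class NonceReuseMonitor:
    """Receiver/inspection-side check (hypothetical helper): remember the
    explicit parts seen under one key and report any repeat, which is what
    a nonce-handling bug looks like on the wire."""

    def __init__(self):
        self.seen = set()

    def observe(self, nonce: bytes) -> bool:
        """Return True if the explicit part of this nonce was already used."""
        explicit = nonce[IMPLICIT_LEN:]
        if explicit in self.seen:
            return True
        self.seen.add(explicit)
        return False


def demo():
    """Three well-formed records, then a constructed fault: the sender's
    counter is reset, so the fourth record reuses an explicit nonce."""
    salt = bytes.fromhex("deadbeef")   # constructed; real salt comes from the key block
    src = RecordNonceSource(salt, mode="counter")
    mon = NonceReuseMonitor()
    results = [mon.observe(src.next_nonce()) for _ in range(3)]
    src.counter = 0                    # constructed sender bug
    results.append(mon.observe(src.next_nonce()))
    return results


if __name__ == "__main__":
    print(demo())
```

The monitor keys its state on the explicit part alone because the implicit salt is constant for the lifetime of the key; a detector that compared full 12-byte nonces across different keys would be conflating independent nonce spaces.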