IETF-SSH archive


Re: [Curdle] State of draft-ietf-curdle-ssh-kex-sha2?



Mouse <mouse%Rodents-Montreal.ORG@localhost> writes:

>As an implementor, it is highly unlikely I will support anything elliptic
>curve in the foreseeable future.

I support it but it's disabled by default because I can't think of a commonly-
used cryptosystem more riddled with side-channels than (EC)DSA, and most of
them end up leaking the private key (that's ECDSA, not 25519 which is too
novel/nonstandard to be usable with anything I work with).  In fact a recent
paper on yet another set of side-channel attacks (either "Minerva: The Curse
of ECDSA Nonces" or "Big Numbers - Big Troubles") mentions that this is merely
the latest set of side-channels that need patching, and more are expected in
the future.  And that's after several years of patching ECDSA side-channels
already.

At least with RSA you can just blind and be mostly done with it, you don't
have to deal with a mechanism where there's a linear relation between the
signing nonce and the private key, with everything around that tied up in
side-channels.

Peter.
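The "linear relation between the signing nonce and the private key" that the post refers to is easy to see in the DSA signing equation itself, and it is worth contrasting with the RSA blinding the post prefers. The following is an added illustration, not code from the post or from any implementation Peter works on: a toy DSA-style scheme over a tiny prime-order subgroup (p = 1213, q = 101, constructed and far too small for real use) shows that s = k^-1 (h + r d) mod q lets anyone who learns the nonce k, or sees k reused across two messages, solve directly for d; a toy RSA key (the textbook 61 x 53 modulus, constructed) shows that a blinded exponentiation yields the identical signature while keeping the secret exponent away from attacker-chosen input. The algebra is the same as for full-size DSA/ECDSA and RSA; only the parameters are toys.

```python
# Toy DSA-style signing plus RSA blinding.  All parameters below are
# constructed for illustration (assumption: far too small for real use);
# the algebra is identical to full-size DSA/ECDSA and RSA.
from typing import Tuple

# --- constructed DSA parameters: Q | P-1, G has order Q mod P ---
P = 1213                       # prime modulus (constructed), 1213 = 12*101 + 1
Q = 101                        # prime subgroup order (constructed)
G = pow(2, (P - 1) // Q, P)    # standard way to derive a generator of order Q
assert G != 1 and pow(G, Q, P) == 1   # sanity check on the subgroup


def dsa_sign(d: int, h: int, k: int) -> Tuple[int, int]:
    """Sign hash h with private key d and nonce k.

    s = k^-1 * (h + r*d) mod Q: the relation between k and d is LINEAR, so
    anyone who learns k learns d.  Degenerate nonces (r == 0 or s == 0) are
    rejected, as the DSA specification requires.
    """
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (h + r * d)) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate nonce, pick another")
    return r, s


def dsa_verify(y: int, h: int, sig: Tuple[int, int]) -> bool:
    """Standard DSA verification with public key y = G^d mod P."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = ((pow(G, (h * w) % Q, P) * pow(y, (r * w) % Q, P)) % P) % Q
    return v == r


def key_from_leaked_nonce(h: int, sig: Tuple[int, int], k: int) -> int:
    """Rearranging s = k^-1 (h + r d) mod Q gives d = (s*k - h) * r^-1 mod Q."""
    r, s = sig
    return ((s * k - h) * pow(r, -1, Q)) % Q


def key_from_reused_nonce(h1: int, sig1: Tuple[int, int],
                          h2: int, sig2: Tuple[int, int]) -> int:
    """Two signatures under the same k share r, and s1 - s2 = k^-1 (h1 - h2),
    so k = (h1 - h2) * (s1 - s2)^-1 mod Q; d then follows as above."""
    r1, s1 = sig1
    r2, s2 = sig2
    assert r1 == r2, "same nonce implies same r"
    k = ((h1 - h2) * pow((s1 - s2) % Q, -1, Q)) % Q
    return key_from_leaked_nonce(h1, sig1, k)


# --- constructed RSA parameters for the blinding contrast ---
N, E, D = 3233, 17, 2753       # 61*53, textbook toy key (constructed)


def rsa_sign_blinded(m: int, d: int, blind: int) -> int:
    """Compute m^d mod N on a blinded input: (m * blind^E)^d * blind^-1 mod N.

    The secret exponent d is never applied to the attacker-chosen m itself,
    which is the cheap countermeasure the post alludes to; the result is
    exactly the plain signature m^d mod N.  blind must be coprime to N.
    """
    m_blinded = (m * pow(blind, E, N)) % N
    s_blinded = pow(m_blinded, d, N)
    return (s_blinded * pow(blind, -1, N)) % N


def demo() -> dict:
    """Run every step on constructed values and return what each produced."""
    d = 57                     # constructed private key
    y = pow(G, d, P)
    h1, h2 = 42, 77            # constructed message hashes, already reduced mod Q
    for k in range(1, Q):      # find a nonce that is non-degenerate for both messages
        try:
            sig1, sig2 = dsa_sign(d, h1, k), dsa_sign(d, h2, k)
            break
        except ValueError:
            continue
    return {
        "verifies": dsa_verify(y, h1, sig1) and dsa_verify(y, h2, sig2),
        "private_key": d,
        "from_leaked_nonce": key_from_leaked_nonce(h1, sig1, k),
        "from_reused_nonce": key_from_reused_nonce(h1, sig1, h2, sig2),
        "rsa_blinded_matches": rsa_sign_blinded(65, D, 7) == pow(65, D, N),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for an implementor is that every bit of k that leaks through timing, cache or power side channels feeds straight into d, which is why deterministic nonce generation (RFC 6979) and constant-time scalar arithmetic are both needed for (EC)DSA, whereas RSA blinding costs one extra exponentiation and one inversion and does not change the signature at all.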


