[tor-dev] 转发： Which elliptic curve Tor use & use safe curve only

To: "tor-dev@xxxxxxxxxxxxxxxxxxxx" <tor-dev@xxxxxxxxxxxxxxxxxxxx>

Subject: [tor-dev] 转发： Which elliptic curve Tor use & use safe curve only

Date: Thu, 21 Nov 2019 13:12:06 +0000

Delivery-date: Thu, 21 Nov 2019 09:14:20 -0500

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=default; t=1574341931; bh=kqtEfj/7Eggunu792CQ1V39vurdYa1Oct3d5U3Oe4lc=; h=Date:To:From:Reply-To:Subject:In-Reply-To:References:Feedback-ID: From; b=hGHRpna3wxvLahPmwpeq0HrdddQoM+UDXl6D6i/WGQLZsAyISOwuLaCjjy+C+RS7Y pvDlmk0DulUbBSgH2BGQNQ2IB9a3W3Ba4FCUJgoDHqN7L4QEobleaRypg8yQqB5ity MP2O7B0/HtHHHoi0YnVpyjkQgkiJa+MaxczNKmxE=

Feedback-id: R_5XV_vDfJ38DR3xAxkt8cSadhEpyMfAeeXX3t5PO76teaapxVkWNsJwoNravFjT2AVgmPP-dSRxGEGp_Pb7cw==:Ext:ProtonMail

In-reply-to: <mailman.210.1574301791.1369.tor-dev@lists.torproject.org>

List-archive: <http://lists.torproject.org/pipermail/tor-dev/>

List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>

List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>

List-post: <mailto:tor-dev@lists.torproject.org>

List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>

List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>

References: <mailman.210.1574301791.1369.tor-dev@lists.torproject.org>

Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx

Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

Please use Ed448-Goldilocks or named Curve448 (suggest) and Curve25519 only. Curve448 potentially offering 224 bits of security, even safer than NIST P-384. Curve25519 potentially offering 128 bits of security and safer and faster than NIST P-256. More important, they're both ECC Security, not only ECDLP Security. ECC Security doesn't equal to ECDLP Security.

" Unfortunately, there is a gap between ECDLP difficulty and ECC security. None of these standards do a good job of ensuring ECC security. There are many attacks that break real-world ECC without solving ECDLP. The core problem is that if you implement the standard curves, chances are you're doing it wrong:

-Your implementation produces incorrect results for some rare curve points.

-Your implementation leaks secret data when the input isn't a curve point.

-Your implementation leaks secret data through branch timing.

-Your implementation leaks secret data through cache timing. " (https://safecurves.cr.yp.to/)

And those curves are recommended by RFC 7748: https://tools.ietf.org/html/rfc7748

If possible, use Curve448 only. It's even safer than NIST P-384 and it's new.

Attachment: signature.asc
Description: PGP signature

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev