[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Cryptography] FW: real world binary ecc

I'm writing to the list to amend my previous answer regarding OpenSSL
TLS support for binary curves.

I wrote

>     In OpenSSL's libcrypto, for example, it is possible to access
>     implementations of binary elliptic curves, but they are not supported
>     in OpenSSL's libssl, thus not available for TLS handshakes (not even
>     before RFC 8422) [...]

This part is incorrect. Binary curves are technically supported by
libssl, and what I said applies only to curves defined via explicit
parameters (vs. named curves).

It is possible to verify I was mistaken looking at:
The link is also useful to check support in previous versions looking
at the history of that code.

Regarding the upcoming 3.0 release, as I am writing this email,
support for binary curves in TLS is still available.

I apologize for the confusion!

The rest of the paragraph still stands anyway:

>     [...] and in general, as they use generic implementations
>     supporting various binary field sizes, the performance level is subpar
>     compared to highly optimized implementations for specific prime curves
>     (e.g. the nistz265 implementation for P-256 or the 128-bit
>     implementations for P-224, P-256 and P-512).

In general, the main points of the original mail that Rich shared on
my behalf are still valid, despite the mistake above, and as James
highlighted with snippets from relevant documents, the standards
deprecating support for binary curves are consistent in the remarks
about limited adoption.


Nicola Tuveri
The cryptography mailing list
cryptography AT metzdowd.com