On 01/23/2013 04:37 PM, Niels Möller wrote:
> Nikos Mavrogiannopoulos n.mavrogiannopoulos@gmail.com writes:
>> My comments were not for ECDSA specifically. ECDSA is pretty fragile.
>
> For me, ECDSA is the primary application of elliptic curves. So then it seems important to use a point multiplication k * G which has a running time independent of the bits in k. That's why I find the method used in gnutls a bit worrying.
Not for TLS. In TLS, ECDHE is the primary application of elliptic curves. In the last SSL observatory data the RSA keys on the internet were 4 million+, whereas the ECDSA keys were only 6 (that's three years ago, but I don't think there was a radical change since then). Typically one uses ECDHE with RSA keys in TLS.
Nevertheless, the method that you use for the timing-sensitive parts of the code doesn't need to match the optimized version.
regards, Nikos
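
The requirement quoted in this thread, that k * G take time independent of the bits of k, illustrated with an added example (not code from gnutls, nettle or either poster): plain double-and-add performs one addition per set bit of k, while a Montgomery ladder performs one addition and one doubling per bit for every k. The curve, base point, 8-bit scalar width and all function names are constructed for illustration; this models the operation count only, and a real implementation would also need branch-free point formulas and a constant-time swap instead of the `r[b]` indexing.

```c
#include <stdint.h>

/* Toy curve y^2 = x^3 + 2x + 3 over F_97 (constructed; far too small for real use). */
enum { P = 97, A = 2, BITS = 8 };
typedef struct { int64_t x, y; int inf; } pt;
static const pt G = {3, 6, 0};  /* 6^2 = 36 = 27 + 6 + 3 (mod 97) */
static int n_add;               /* counts point additions */

static int64_t md(int64_t v) { return ((v % P) + P) % P; }
static int64_t inv(int64_t v) { /* v^(P-2) mod P by Fermat's little theorem */
    int64_t r = 1, b = md(v);
    for (int e = P - 2; e; e >>= 1) { if (e & 1) r = r * b % P; b = b * b % P; }
    return r;
}
static pt add_raw(pt a, pt b) { /* affine group law, including the point at infinity */
    if (a.inf) return b;
    if (b.inf) return a;
    int64_t l;
    if (a.x == b.x) {
        if (md(a.y + b.y) == 0) return (pt){0, 0, 1};
        l = md((3 * a.x * a.x + A) * inv(2 * a.y));
    } else l = md((b.y - a.y) * inv(b.x - a.x));
    int64_t x = md(l * l - a.x - b.x);
    return (pt){x, md(l * (a.x - x) - a.y), 0};
}
static pt add(pt a, pt b) { n_add++; return add_raw(a, b); }
static pt dbl(pt a) { return add_raw(a, a); }

/* Double-and-add: one addition per set bit, so the work reveals the Hamming weight of k. */
pt mul_leaky(unsigned k) {
    pt r = {0, 0, 1};
    for (int i = BITS - 1; i >= 0; i--) { r = dbl(r); if ((k >> i) & 1) r = add(r, G); }
    return r;
}
/* Montgomery ladder: exactly one add and one double per bit, whatever k is. */
pt mul_ladder(unsigned k) {
    pt r[2]; r[0] = (pt){0, 0, 1}; r[1] = G;  /* invariant: r[1] = r[0] + G */
    for (int i = BITS - 1; i >= 0; i--) {
        unsigned b = (k >> i) & 1;
        r[1 - b] = add(r[0], r[1]);
        r[b] = dbl(r[b]);
    }
    return r[0];
}
/* Number of point additions each routine performs for a given k. */
int adds_leaky(unsigned k) { n_add = 0; mul_leaky(k); return n_add; }
int adds_ladder(unsigned k) { n_add = 0; mul_ladder(k); return n_add; }
```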