Hello,

Why not Curve25519, if you use ECC?

Damien Cassou <dam...@cassou.me> wrote:
> curves and (2) Bernstein’s Curve 25519 is hard to protect against side
> channel attacks when being implemented in embedded devices.

Quite an interesting opinion. I wonder what kinds of side channel attacks are discussed there. Well, it's the first time for me to hear such an opinion. Are there some confusions?

Curve25519 is designed with side channel attacks in mind. Also, it comes with a reference implementation. Even if an implementation doesn't use the methodology directly, it is a bit harder to write a weaker implementation (against side channel attacks), if an implementer understands Curve25519 correctly. <-- this is my own opinion.

I wrote a Curve25519 implementation for libgcrypt. So far, libgcrypt doesn't have field specific methods, but libgcrypt 1.9.x will have those for Curve25519. If we compare curves in libgcrypt, I think that Curve25519 is a good one.

I also wrote a Curve25519 implementation for Gnuk. Well, I also wrote ones for NIST P-256 and secp256k1 for Gnuk. I believe Curve25519 is the best among those (and RSA).

Gnuk runs on STM32F103 @ 72MHz (or GD32F103 @ 96MHz). This is an embedded device, of my daily use.
--

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users