
I'm implementing a token server and considering backing the tokens with ECDSA. The options from the library I'm using expose the NIST curves P-256, P-384, and P-521. The SafeCurves site (https://safecurves.cr.yp.to/index.html) does not list P-521, but marks the others as "unsafe".

Would I be unwise to choose an "unsafe" curve over an RSA implementation? I see P-256 is widely used yet listed as unsafe. How should I reason about this?

  • @kelalaka: I would disagree; just because one specific side-channel defense against some (not all) side-channel attacks becomes harder to implement doesn't mean that any P-521 implementation is automatically insecure. – poncho Apr 05 '21 at 20:29
  • @poncho Maybe I was not clear. I did not mean that. One can easily implement it if the Montgomery (birationally) equivalent exists, and this doesn't mean that others can't have secure implementations. (I deleted the comment since it had a dangling sentence.) – kelalaka Apr 05 '21 at 20:39
  • Do you have to use NIST curves? – kelalaka Apr 05 '21 at 22:13
  • I think that "unsafe" in the parlance of Lange and Bernstein means: easier to bugger up, and unclear whether any tricks were performed while generating the curve parameters. Still, assuming that the NSA played nice and that your implementation performs the rudimentary checks (e.g. whether the public point is on the curve), then you should be alright. To prevent the former you could use either the Brainpool curves, Curve25519, or the larger "Goldilocks" curve. – Maarten Bodewes Apr 05 '21 at 22:33
  • Generally P-256 is as secure as 3072- to 4096-bit RSA. That is against classical attacks; it is much less secure than those when attacked by a future full-fledged quantum computer, as it only requires some 1500 logical qubits, and then only once. But we're still at zero logical (i.e. stable, interconnected) qubits. – Maarten Bodewes Apr 05 '21 at 22:35
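The "rudimentary check" the comments refer to, written out as an added example that is not part of the original thread: full public-key validation for P-256 (coordinates in range, point on the curve, point in the prime-order subgroup). It uses the published P-256 domain parameters and plain integer arithmetic, so it runs without any library; the `validate_public_key` function name is this example's own.

```python
# Added example: public-key validation for NIST P-256 (y^2 = x^3 - 3x + b over GF(p)).
# Constants are the standard P-256 domain parameters; the helper names are ours.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551   # group order
P256_G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
          0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def on_curve(point):
    """Range check plus the curve equation; None denotes the point at infinity."""
    if point is None:
        return False
    x, y = point
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0

def add(P, Q):
    """Affine point addition (not constant-time; for validation only, no secrets involved)."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % P256_P == 0:      # P == -Q, result is infinity
        return None
    if P == Q:
        lam = (3 * x1 * x1 + P256_A) * pow(2 * y1, -1, P256_P) % P256_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P256_P) % P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    return (x3, (lam * (x1 - x3) - y1) % P256_P)

def mul(k, P):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def validate_public_key(point):
    """Reject infinity, out-of-range or off-curve points, and points outside the order-n subgroup."""
    if not on_curve(point):
        return False
    return mul(P256_N, point) is None
```

Because P-256 has cofactor 1, the on-curve check alone already implies subgroup membership; the n*Q step is kept so the same routine is correct on curves with a larger cofactor.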

0 Answers