Choice of ECC curve on usb token

NIIBE Yutaka gniibe at
Fri Jun 29 13:28:14 CEST 2018


Why not Curve25519, if you use ECC?

Damien Cassou <damien at> wrote:
> curves and (2) Bernstein’s Curve 25519 is hard to protect against side
> channel attacks when being implemented in embedded devices.

Quite interesting opinion.  I wonder what kinds of side channel attacks
are discussed there.  Well, it's the first time for me to hear such an
opinion.  Are there some confusions?

Curve25519 is designed against side channel attacks in mind.  Also, it
comes with a reference implementation.  Even if an implementation
doesn't use the methodology directly, it is a bit harder to write weaker
implementation (against side channel attack), if an implementer
understands Curve25519 correctly.  <-- this is my own opinion.

I wrote Curve25519 implementation for libgcrypt.  So far, libgcrypt
doesn't have field specific methods, but libgcrypt 1.9.x will have those
for Curve25519.  If we compare curves in libgcrypt, I think that
Curve25519 is good one.

I also wrote Curve25519 implementation for Gnuk.  Well, I also wrote
ones of NIST P-256 and secp256k1 for Gnuk.  I believe Curve25519 is the
best among those (and RSA).  Gnuk runs on STM32F103 @ 72MHz (or GD32F103
@ 96MHz).  This is an embedded device, of my daily use.

More information about the Gnupg-users mailing list