[gnutls-devel] TLS 1.3 in gnutls
nisse at lysator.liu.se
Mon Sep 5 18:15:18 CEST 2016
Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> writes:
> . https://gitlab.com/gnutls/gnutls/milestones/8
* HKDF (RFC 5869): Should be reasonably straight forward. Any use
besides TLS 1.3?
* RSA-PSS. I take it's mandatory? I had the impression that pss was
almost dead (specified more than a decade ago, and very rarely used,
hard to do constant time). We'll have to support it, I guess. Andy
Lawrence expressed some interest on the Nettle list last December, but
I don't know what's happened since.
If I quote Peter Gutmann on the secsh mailing list:
: However, PSS has seen so little interest from both the crypto
: community and implementers that we can't really say much about it. For
: example for some years the NIST test vectors for RSA-PSS were completely wrong
: (every single test except the SHA-224 ones failed), and no-one noticed.
: I'll just let that sink in for a second. The published test vectors from a
: major, effectively global in reach, standards body for RSA-PSS were wrong, and
: no-one noticed. How much attention do you think that indicates PSS has got in
* x448. Should be able to reuse some of the curve25519 code, but not
all. for curve25519, multiplying a point by a scalar is doen using a
Montgomery ladder (see curve25519-mul.c), and I'd expect it to be
reasonably straight forward to generalize to x448. On the other hand,
multiplying the fixed generator by a scalar is done on the
corresponding (twisted) edwards curve, using Pippenger's algorithm,
and then transformed back by a change of coordinates, see below.
* ed448. This curve has slightly different structure from ed25519 (not
twisted). Current point add code for ed25519 is suboptimal, it uses
formulas for non-twisted curve with appropriate only sign changes, and
it could save a mod mul by taking better advantage of the twist. So
ed448 needs its own point addition code.
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
More information about the Gnutls-devel