Achim Kraus <achimkr...@gmx.net> writes:

>Is using x25519 for ECDHE significantly less secure than using it with
>e.g. secp384r1?

The NIST curves AFAIK are never used that way, it's only done with 25519 (there was something about it in an OpenPGP draft, but I think GPG went straight to 25519 and only used ECDSA for signatures).

What I'm specifically referring to is DH run sideways, as someone put it during the X9.42 discussion, i.e. used in static-ephemeral mode to try and make it work like it's RSA. In all the code audits I've done of 25519 used that way, I've never seen it used correctly. Usually there isn't just one mistake made but many of them. It's such an obvious problem that that and misuse of RC4-equivalent modes/algorithms like GCM and ChaCha20 are the first things I look for in crypto code.

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls