[gnutls-devel] TLS 1.3 in gnutls

Niels Möller nisse at lysator.liu.se
Mon Sep 5 18:15:18 CEST 2016

Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> writes:

> [0]. https://gitlab.com/gnutls/gnutls/milestones/8

Nettle additions:

* HKDF (RFC 5869): Should be reasonably straightforward. Any use
  besides TLS 1.3?

* RSA-PSS. I take it it's mandatory? I had the impression that pss was
  almost dead (specified more than a decade ago, and very rarely used,
  hard to do constant time). We'll have to support it, I guess. Andy
  Lawrence expressed some interest on the Nettle list last December, but
  I don't know what's happened since.

  If I quote Peter Gutmann on the secsh mailing list:

   : However, PSS has seen so little interest from both the crypto
   : community and implementers that we can't really say much about it.  For
   : example for some years the NIST test vectors for RSA-PSS were completely wrong
   : (every single test except the SHA-224 ones failed), and no-one noticed.
   : I'll just let that sink in for a second.  The published test vectors from a
   : major, effectively global in reach, standards body for RSA-PSS were wrong, and
   : no-one noticed.  How much attention do you think that indicates PSS has got in
   : practice?

* x448. Should be able to reuse some of the curve25519 code, but not
  all. For curve25519, multiplying a point by a scalar is done using a
  Montgomery ladder (see curve25519-mul.c), and I'd expect it to be
  reasonably straightforward to generalize to x448. On the other hand,
  multiplying the fixed generator by a scalar is done on the
  corresponding (twisted) Edwards curve, using Pippenger's algorithm,
  and then transformed back by a change of coordinates, see below.

* ed448. This curve has slightly different structure from ed25519 (not
  twisted). Current point add code for ed25519 is suboptimal: it uses
  formulas for a non-twisted curve with only the appropriate sign changes,
  and it could save a mod mul by taking better advantage of the twist. So
  ed448 needs its own point addition code.


Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
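The ladder generalization sketched above for x448, as an added reference model that is neither Nettle's code nor part of the original post: one RFC 7748 Montgomery ladder parameterised by the field prime, a24 and scalar length, run as both X25519 and X448. Curve constants and the clamping rules are those of RFC 7748; Python integers are not constant time, so this shows the structure only.

```python
from collections import namedtuple

# (field prime, (A-2)/4, scalar bits walked by the ladder, encoded length in bytes)
MontgomeryCurve = namedtuple("MontgomeryCurve", "p a24 bits nbytes")
X25519 = MontgomeryCurve(2**255 - 19, 121665, 255, 32)
X448 = MontgomeryCurve(2**448 - 2**224 - 1, 39081, 448, 56)

def clamp_scalar(k: bytes, c: MontgomeryCurve) -> int:
    """RFC 7748 scalar decoding: clear the cofactor bits, fix the top bit."""
    b = bytearray(k)
    if c.bits == 255:
        b[0] &= 248; b[31] &= 127; b[31] |= 64
    else:
        b[0] &= 252; b[55] |= 128
    return int.from_bytes(b, "little")

def decode_u(u: bytes, c: MontgomeryCurve) -> int:
    b = bytearray(u)
    if c.bits == 255:
        b[31] &= 127  # X25519 ignores the unused 256th bit of u
    return int.from_bytes(b, "little")

def ladder(k: int, u: int, c: MontgomeryCurve) -> int:
    """u-coordinate of k*P given the u-coordinate of P (RFC 7748, section 5).
    Reference model only: real code needs a constant-time conditional swap."""
    p, a24 = c.p, c.a24
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in reversed(range(c.bits)):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        A, B = (x2 + z2) % p, (x2 - z2) % p
        AA, BB = A * A % p, B * B % p
        E = (AA - BB) % p
        DA, CB = (x3 - z3) * A % p, (x3 + z3) * B % p
        x3, z3 = (DA + CB) ** 2 % p, x1 * (DA - CB) ** 2 % p
        x2, z2 = AA * BB % p, E * (AA + a24 * E) % p
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, p - 2, p) % p  # Fermat inversion

def x_dh(scalar: bytes, u: bytes, c: MontgomeryCurve) -> bytes:
    """X25519 / X448 on encoded inputs; returns the encoded shared u."""
    r = ladder(clamp_scalar(scalar, c), decode_u(u, c), c)
    return r.to_bytes(c.nbytes, "little")
```

Only the per-curve constants and the byte-level clamping differ between the two curves; the loop body is shared, which is the reuse the post anticipates for the ladder (the fixed-base Edwards path is a separate matter).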
