
This article can be summed up as "Probably Ed25519 is better, on the assumption you're using a good library, but it's ok to use a strong P-256 library if you plan FIPS compliance in the future." With the related (personal) addendum that NIST needs to get its ass in gear and certify Ed25519.

Unfortunately I think it's a little low-level for most implementers, who just want to know which library to use and are scared of things like cofactors and prime-order groups.

Also: it's 2022 and has an ECC side-channel attack ever been used in the wild?




> Unfortunately I think it's a little low-level for most implementers, who just want to know which library to use and are scared of things like cofactors and prime-order groups.

Ah, yeah, totally fair. I have other blog posts that tackle high-level things. ;)

> Also: it's 2022 and has an ECC side-channel attack ever been used in the wild?

Do you mean by criminal hacking groups?

If not, the best example I know of is: https://auth0.com/blog/critical-vulnerability-in-json-web-en...

If you do mean by criminals, I'm not in the malware/cybercrime part of the security industry, so I have no idea.


Isn't libsodium the library to use?


If you're writing an application, you'd be better off with a library even higher on the abstraction layer: one that abstracts away the choice of specific cryptographic primitives. Without being a domain expert your choices might end up subpar, your use of primitives might end up subpar, your attention to detail might end up subpar, etc.

Also, it would be nice to talk to experts in security, since choosing a library and choosing a curve is a very small part of it. You'd have way more ways to fuck up, say, key management, or miss a glaring hole elsewhere in your system.


This is precisely what I recommend in my "how to learn cryptography as a programmer" post.

https://soatok.blog/2020/06/10/how-to-learn-cryptography-as-...

Start with the highest-level, hard-to-get-wrong abstraction. If you stop learning there, you're safe!

Then drill down as you become more of an expert. Libsodium is step 2 from something fit-for-purpose.


That would be my intuitive recommendation, but canvassing experts I haven't found a clear recommendation across all languages. Some have recommended Tink, others have recommended (ugh) OpenSSL. Javascript is particularly fraught: is it better to use libsodium compiled via emscripten, or something native? It's depressing that we don't have agreement here.


Maybe I'll write about that next ;)

For JavaScript: emscripten/wasm/etc. don't currently provide constant-time guarantees, so you're better off using the native crypto module.



