In TLS, order curves by resource usage, not size

TLS used to prefer larger curves, under the idea that a larger curve has a higher security strength and is therefore harder to attack. However, brute force attacks are not a practical concern, so this was not particularly meaningful. If a curve is considered secure enough to be allowed, then we might as well use it. So order curves by resource usage. The exact definition of what this means is purposefully left open. It may include criteria such as performance and memory usage. Risk of side channels could be a factor as well, although it didn't affect the current choice. The current list happens to exactly correspond to the numbers reported by one run of the benchmark program for "full handshake/s" on my machine. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-02 15:18:12 +02:00 · 2021-06-02 15:18:12 +02:00 · b1940a76ad
commit b1940a76ad
parent 377c91e1b7
4 changed files with 28 additions and 21 deletions
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -2916,8 +2916,7 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
 * \note           The default list is the same set of curves that
 *                 #mbedtls_x509_crt_profile_default allows, plus
 *                 ECDHE-only curves selected according to the same criteria.
- *                 Larger (generally more secure but slower) curves are
- *                 preferred over smaller curves.
+ *                 The order favors curves with the lowest resource usage.
 *
 * \param conf     SSL configuration
 * \param curves   Ordered list of allowed curves,