Filippo Valsorda on Nostr:
My take on this is that weird parameters like P-521 are less secure than their “weaker” alternatives.
Less used, more likely to have bugs.
521 is not even a multiple of 8! Handling that requires the single most dangerous line in Go crypto, in the same function that PuTTY got wrong.
Still, this is the spec’s fault: if ECDSA defined how to turn random bytes + key + msg into a signature, PuTTY wouldn’t have had to invent it, and could have checked test vectors.
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html
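The post's point is that turning random bytes into a scalar for a group whose order is not a multiple of 8 bits needs a small, easily mis-written piece of bit handling. The example below is added here to illustrate that; it is not Valsorda's code, not the Go standard library's, and not PuTTY's. It models the bug class with one assumption of mine: a 64-byte (512-bit) digest used directly as a nonce for the 521-bit P-521 order, which leaves the top 9 bits of every nonce zero. Beside it are two correct constructions written from scratch, rejection sampling with an explicit high-bit mask and 64-bit oversampling with a modular reduction, plus a detector that ORs a batch of nonces together and counts how many top bits never appear. All function names and the `seed-%d` inputs are constructed for this example.

```go
package main

import (
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
	"io"
	"math/big"
)

// nonceFromFixedBytes is a simplified model of the bias bug class (an assumption
// of this example, not PuTTY's actual code): a 64-byte digest is used directly
// as the scalar. 512 < 521, so the top 9 bits of every nonce are always zero.
func nonceFromFixedBytes(seed []byte) *big.Int {
	h := sha512.Sum512(seed)
	return new(big.Int).SetBytes(h[:])
}

// nonceRejectionSampled draws exactly ceil(bits/8) random bytes, clears the
// excess high bits of the first byte (for 521 bits only 1 bit of byte 0 is
// kept) and retries until the value lies in [1, n). The mask is the kind of
// non-byte-aligned handling the post is talking about; get it wrong and the
// output is either biased or never in range.
func nonceRejectionSampled(r io.Reader, n *big.Int) (*big.Int, error) {
	bits := n.BitLen()
	nbytes := (bits + 7) / 8
	excess := nbytes*8 - bits
	var mask byte = 0xFF >> uint(excess) // keep only the low (8-excess) bits
	buf := make([]byte, nbytes)
	for {
		if _, err := io.ReadFull(r, buf); err != nil {
			return nil, err
		}
		buf[0] &= mask
		k := new(big.Int).SetBytes(buf)
		if k.Sign() > 0 && k.Cmp(n) < 0 {
			return k, nil
		}
	}
}

// nonceOversampled is the other standard construction (FIPS 186-4 B.5.1 style):
// read 64 bits more than the order needs, reduce modulo n-1 and add 1. The
// modular bias is negligible and no bit masking is needed at all.
func nonceOversampled(r io.Reader, n *big.Int) (*big.Int, error) {
	buf := make([]byte, (n.BitLen()+64+7)/8)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, err
	}
	one := big.NewInt(1)
	k := new(big.Int).SetBytes(buf)
	k.Mod(k, new(big.Int).Sub(n, one))
	return k.Add(k, one), nil
}

// zeroTopBits ORs all nonces together and reports how many of the order's top
// bits were zero in every single sample. A healthy generator returns 0 after a
// handful of samples; the flawed one returns 9 for P-521 no matter how many.
func zeroTopBits(nonces []*big.Int, orderBits int) int {
	acc := new(big.Int)
	for _, k := range nonces {
		acc.Or(acc, k)
	}
	return orderBits - acc.BitLen()
}

func main() {
	n := elliptic.P521().Params().N // order of P-521, 521 bits long
	var flawed, sampled, oversampled []*big.Int
	for i := 0; i < 100; i++ {
		// constructed seeds standing in for whatever the digest input would be
		flawed = append(flawed, nonceFromFixedBytes([]byte(fmt.Sprintf("seed-%d", i))))
		k1, err := nonceRejectionSampled(rand.Reader, n)
		if err != nil {
			panic(err)
		}
		k2, err := nonceOversampled(rand.Reader, n)
		if err != nil {
			panic(err)
		}
		sampled = append(sampled, k1)
		oversampled = append(oversampled, k2)
	}
	fmt.Printf("order bits: %d\n", n.BitLen())
	fmt.Printf("512-bit digest as nonce: %d top bits always zero\n", zeroTopBits(flawed, n.BitLen()))
	fmt.Printf("rejection sampled:       %d top bits always zero\n", zeroTopBits(sampled, n.BitLen()))
	fmt.Printf("oversampled mod n-1:     %d top bits always zero\n", zeroTopBits(oversampled, n.BitLen()))
}
```

The `zeroTopBits` check is cheap enough to run as a unit test against any signer you ship: a generator that is correct will clear it after a few dozen samples, while a fixed-width-digest nonce shows a constant deficit equal to the gap between digest width and order width. Note also that RFC 6979's deterministic ECDSA spells out exactly this bits2int-plus-retry procedure with test vectors, which is the kind of specified, checkable derivation the post says the base ECDSA spec lacks.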