Julien Vehent <jul...@linuxwall.info> wrote:
> > The discussion above was biased in favor of what was best for FirefoxOS and
> > FxAndroid.
>
> AES-NI has also removed most concerns around bad implementations of
> AES, so it seems that the attacks we were concerned about two years ago
> do not apply anymore.

I think they still do apply to ARM devices and to low-end Intel/AMD devices.

> ChaCha20 is a different topic entirely,

It is relevant here because there are many CPUs that can't do constant-time AES.

> ARMv8 added support for it, so I'm guessing all Apple and Android mobiles
> now support AES-NI, but I am no CPU architecture expert...

There are many Android devices, at least, that aren't ARMv8.

> I haven't followed these discussions closely. Your proposal in those threads
> concerns TLS 1.3 specifically. Are we concerned about the nonce handling in
> 1.1 and 1.2?

There are no AEAD cipher suites in TLS 1.0 or 1.1. For TLS 1.2, it's
something that needs to be figured out. Because of the 4-byte implicit part
of the nonce in TLS 1.2, the statistics in DJB's batch attack need to be
adjusted by some number <= 2^32.

Cheers,
Brian
-- 
https://briansmith.org/

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
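As an added example (my own code, not Brian's, Julien's or any Mozilla/NSS code), the following Python shows how the 96-bit AES-GCM record nonce is assembled in TLS 1.2 (RFC 5288: a 4-byte implicit salt taken from the key block, never sent, followed by an 8-byte explicit nonce carried in the clear in every record) and in TLS 1.3 (RFC 8446 section 5.3: the 12-byte write_iv XOR the 64-bit record sequence number left-padded with zeros), reports which nonce bytes actually change from record to record under one key, and runs a reuse check over a batch of nonces. The salt, write_iv and record counts are constructed for the demo; the function names are mine.

```python
"""Added example: TLS 1.2 vs TLS 1.3 AES-GCM record nonce construction and a
nonce-reuse check. All key material below is constructed, not real session data."""
import os
from typing import Iterable, List, Tuple

NONCE_LEN = 12  # AES-GCM nonce length used by both TLS 1.2 and TLS 1.3


def tls12_gcm_nonce(implicit_salt: bytes, explicit_nonce: bytes) -> bytes:
    """TLS 1.2 (RFC 5288): nonce = 4-byte implicit salt from the key block
    (shared by every record under the key, never on the wire)
    || 8-byte explicit nonce (sent in the clear in each record)."""
    if len(implicit_salt) != 4:
        raise ValueError("TLS 1.2 GCM implicit salt must be 4 bytes")
    if len(explicit_nonce) != 8:
        raise ValueError("TLS 1.2 GCM explicit nonce must be 8 bytes")
    return implicit_salt + explicit_nonce


def tls12_wire_visible(nonce: bytes) -> bytes:
    """The part of a TLS 1.2 GCM nonce a passive observer sees: the explicit
    8 bytes. The 4-byte salt stays secret."""
    return nonce[4:]


def tls13_record_nonce(write_iv: bytes, seq: int) -> bytes:
    """TLS 1.3 (RFC 8446 5.3): nonce = write_iv XOR (seq left-padded with
    zeros to 12 bytes). Nothing nonce-related is sent on the wire."""
    if len(write_iv) != NONCE_LEN:
        raise ValueError("TLS 1.3 write_iv must be 12 bytes")
    if not 0 <= seq < 2**64:
        raise ValueError("record sequence number must fit in 64 bits")
    padded_seq = seq.to_bytes(NONCE_LEN, "big")
    return bytes(a ^ b for a, b in zip(write_iv, padded_seq))


def tls12_counter_nonces(salt: bytes, count: int, start: int = 0) -> List[bytes]:
    """Explicit nonce used as a 64-bit counter (the usual, safe choice)."""
    return [tls12_gcm_nonce(salt, (start + i).to_bytes(8, "big")) for i in range(count)]


def tls12_random_nonces(salt: bytes, count: int) -> List[bytes]:
    """Explicit nonce drawn at random, which RFC 5288 also permits; repeats
    are then a birthday problem over the 64 varying bits only."""
    return [tls12_gcm_nonce(salt, os.urandom(8)) for _ in range(count)]


def varying_positions(nonces: Iterable[bytes]) -> List[int]:
    """Byte positions that differ across the given nonces, i.e. how much of
    the 96-bit nonce actually moves from record to record under one key."""
    nonces = list(nonces)
    if not nonces:
        return []
    first = nonces[0]
    return [i for i in range(len(first))
            if any(n[i] != first[i] for n in nonces[1:])]


def find_nonce_reuse(nonces: Iterable[bytes]) -> List[Tuple[int, int]]:
    """(first_index, later_index) for every repeated nonce. Any repeat under
    the same GCM key leaks the XOR of plaintexts and enables forgeries."""
    seen = {}
    dupes = []
    for i, n in enumerate(nonces):
        if n in seen:
            dupes.append((seen[n], i))
        else:
            seen[n] = i
    return dupes


if __name__ == "__main__":
    salt = bytes.fromhex("00112233")                  # constructed
    write_iv = bytes.fromhex("0011223344556677 8899aabb".replace(" ", ""))  # constructed
    v12 = tls12_counter_nonces(salt, 300)
    v13 = [tls13_record_nonce(write_iv, s) for s in range(300)]
    print("TLS 1.2 varying bytes:", varying_positions(v12))
    print("TLS 1.3 varying bytes:", varying_positions(v13))
    print("wire-visible part of first 1.2 nonce:", tls12_wire_visible(v12[0]).hex())
    # A deliberately repeated explicit nonce is caught:
    print("reuse:", find_nonce_reuse(v12 + [tls12_gcm_nonce(salt, (7).to_bytes(8, "big"))]))
```

Running it shows that in both versions only the low 8 bytes of the nonce change across records of one connection (the 4-byte salt in 1.2, and the high 4 bytes of write_iv in 1.3, are fixed for the key), and that in 1.2 the 8 changing bytes are exactly the ones an observer sees on the wire, which is what the 2^32 adjustment Brian mentions is about.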