I\'m developing a client/server system in Java which is not interacting with thi

Question

I'm developing a client/server system in Java which is not interacting with third party software, so I don't have to worry about compatibility.

At a certain point, I need the client and server to exchange a digitally signed value. I thought to use ECDSA, but I'm not sure what curve and what key length should I use. I'm mostly worried about the security rather than the computational time or the length of the signature.

I'm using BouncyCastle for the security related operations, so the curve and key length must be supported by it. Here you can find a list of curves supported by BouncyCastle.

Do you have any advice?

Explanation / Answer

SafeCurves lists some ways to compare the security of elliptic curves. Their security criteria are split to "ECDLP security" and "ECC security". Failing the former basically means "there is no way to use this curve securely in general" while the latter "it is difficult to implement this curve securely".

None of the (few) BouncyCastle-supported curves that have been looked at on SafeCurves pass all the criteria. Some fail the "rigidity" ECDLP criteria, which means that there is no way to show that the parameters haven't been chosen so there is a backdoor. If you fear that e.g. NSA has backdoored ECC, you should avoid those curves.

The one that does best is brainpoolp384t1. If passes all the ECDLP criteria as well as having twist security. That means it is the easiest to correctly implement. The other Brainpool curve they've looked at, brainpoolp256t1, also passes all the ECDLP criteria and so can be implemented securely. Without knowing anything about BouncyCastle's implementation, it is impossible for me to know whether the former curve has an advantage or even if both are in fact broken.

Related Questions

Navigate

• Browse (All)
• Browse I
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.