Moving @_pm’s comment in the PR to here for the discussion:
paulmillr commented yesterday
-1
- 256r1 is usually more vulnerable to timing attacks than stuff like 25519.
- 256r1 is not even recommended by NIST at this point, 384r1 is.
- There are some rumors with regards to general security of r1 curves, it’s unclear.
- Adding a new elliptic curve impl into ALL execution layer clients is not a trivial task. I don’t think the feature is too useful for this.
My comments:
- The Golang crypto library works in constant time for the secp256r1 curve. Considering that the timing attacks are implementation dependent, it can be assumed to be safe.
- I think that NIST's recommendations point to PQC, which is not ready for production.
- Apart from rumors, I did not see any definite evidence regarding security risks.
- I see that the secp256r1 curve is the most mass-adopted curve and it has widespread use in many cases. It would be a great step toward the mass adoption of Ethereum.
I would love to hear more about any ideas and research analyzing the vulnerabilities regarding the security risks of the curve.
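To make the constant-time point concrete, here is an added example (my own illustration for this thread, not code from any client or from the EIP) of how a secp256r1 verification routine built on Go's `crypto/ecdsa` would look if it received raw precompile-style inputs. The 32-byte hash/r/s/x/y layout is an assumption for the example; the library itself only exposes `ecdsa.Verify` on a parsed public key. The example rejects malformed inputs (wrong lengths, off-curve or zero points, `r`/`s` outside `[1, n-1]`) before any scalar multiplication runs, so the only work done on attacker-controlled data is the library's own constant-time P-256 arithmetic:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// VerifyP256Raw verifies an ECDSA signature over secp256r1 (NIST P-256) given
// raw 32-byte big-endian encodings of hash, r, s, and the public key (x, y).
// The fixed-width layout is an assumption made for this example; it is not a
// format taken from the discussion above.
func VerifyP256Raw(hash, r, s, x, y []byte) bool {
	// Reject anything that is not exactly 32 bytes per field before parsing.
	if len(hash) != 32 || len(r) != 32 || len(s) != 32 || len(x) != 32 || len(y) != 32 {
		return false
	}
	curve := elliptic.P256()
	px := new(big.Int).SetBytes(x)
	py := new(big.Int).SetBytes(y)
	// Refuse points that are not on the curve (this also excludes (0,0)),
	// so invalid keys never reach the curve arithmetic.
	if !curve.IsOnCurve(px, py) {
		return false
	}
	rr := new(big.Int).SetBytes(r)
	ss := new(big.Int).SetBytes(s)
	// ecdsa.Verify checks 1 <= r, s < n itself; the explicit check keeps the
	// invariant visible and independent of library internals.
	n := curve.Params().N
	if rr.Sign() <= 0 || ss.Sign() <= 0 || rr.Cmp(n) >= 0 || ss.Cmp(n) >= 0 {
		return false
	}
	pub := &ecdsa.PublicKey{Curve: curve, X: px, Y: py}
	// crypto/ecdsa performs the P-256 scalar multiplications in constant time.
	return ecdsa.Verify(pub, hash, rr, ss)
}

// Sample holds a freshly generated P-256 key pair and a signature over a
// constructed message, already in the raw 32-byte layout used above.
type Sample struct {
	Hash, R, S, X, Y []byte
}

// pad32 encodes a non-negative big.Int as exactly 32 big-endian bytes.
func pad32(v *big.Int) []byte {
	out := make([]byte, 32)
	v.FillBytes(out) // every P-256 coordinate and scalar fits in 32 bytes
	return out
}

// MakeSample generates a random P-256 key, hashes the message with SHA-256,
// signs it, and returns the raw fields a verifier would receive.
func MakeSample(message []byte) (*Sample, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(message)
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return nil, err
	}
	return &Sample{
		Hash: h[:],
		R:    pad32(r),
		S:    pad32(s),
		X:    pad32(priv.PublicKey.X),
		Y:    pad32(priv.PublicKey.Y),
	}, nil
}

func main() {
	sample, err := MakeSample([]byte("constructed sample message"))
	if err != nil {
		panic(err)
	}
	fmt.Println("valid signature:", VerifyP256Raw(sample.Hash, sample.R, sample.S, sample.X, sample.Y))

	// Flip one bit of the hash: the signature no longer matches.
	tampered := append([]byte{}, sample.Hash...)
	tampered[0] ^= 0x01
	fmt.Println("tampered hash: ", VerifyP256Raw(tampered, sample.R, sample.S, sample.X, sample.Y))

	// Perturb y so the public key is (with overwhelming probability) off-curve.
	offCurve := append([]byte{}, sample.Y...)
	offCurve[31] ^= 0x01
	fmt.Println("off-curve key: ", VerifyP256Raw(sample.Hash, sample.R, sample.S, sample.X, offCurve))
}
```

The explicit range and on-curve checks are cheap and run before the expensive scalar multiplication, which is the order a verifier wants: malformed input is rejected early, and the only data-dependent work on well-formed input is the library's constant-time curve arithmetic.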