Re: Brainpool Curves in Fedora (openssl, libgcrypt, gnupg)

Christian Glombek <cglombek@xxxxxxxxxx> · Fri, 3 Dec 2021 00:24:47 +0100

I'm hitting this problem as well with the German ID (eAU), see BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2000306

Some BSI tech guidelines relating to ECCs are actually available in english, too, e.g.:

https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03111/BSI-TR-03111_V-2-0_pdf.pdf?__blob=publicationFile
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03116/BSI-TR-03116-TS_v1.pdf?__blob=publicationFile&v=1

Quoting from the former doc:
> 1.1. Patents and side-channel attacks
> In implementations, patents and side-channel attacks play an important role.
> The algorithms described in this guideline have been carefully selected to allow patent-free
> and/or license-free implementations. Nevertheless, some of the described algorithms or its par-
> ticular implementations may be subject of patent rights. The BSI shall not be held responsible
> for identifying any or all such patent rights.
> Implementors and security evaluators shall also pay attention to [6], which gives a general
> guidance to assess the side-channel resistance of implementations on smartcards

There is more anecdotal evidence e.g. here by ARM Mbed:
https://tls.mbed.org/kb/cryptography/elliptic-curve-performance-nist-vs-brainpool 
Quote:
Can you optimize Brainpool curves to be as fast as the NIST curves?

Unfortunately, this is not possible. The design decision for Brainpool to use random primes was aimed at:

avoiding possible patent issues with fast reduction algorithms
avoiding potential security issues with non-random primes

Nitrokey docs also show using Brainpool curves in their docs: https://docs.nitrokey.com/pro/linux/ecc.html 

> [...] A suitable version of GnuPG is included in the GNU/Linux distributions 
Ubuntu (since 18.04), Debian (from Stretch onwards),
> Arch Linux, Fedora 
(from Release 26 onwards) and openSUSE Tumbleweed [...]

They apparently haven't tested their guide on Fedora in a while ;)

All of the above makes it look to me as though Brainpool curves were specifically designed to NOT touch on any patents. 
I'd be curious if any other
 of the big distros exclude the Brainpool curves too. On the linked BZ 
it was stated that Xubuntu includes them.

It would be great if the current exclusion of those curves would be reevaluated.

Thanks,
Christian

_______________________________________________
legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure