|
|
|
|
|
|
by tptacek
3845 days ago
|
|
|
GCM is extremely tricky to implement safely. ECDH itself is very easy to implement; it's just DH (which is probably the simplest algorithm in cryptography), but in a different group. ECC (the group) is hard to implement safely. The NIST P-curves are tricky to implement relative to Curve25519. But there's also a lot more study of how to safely implement the NIST P- curves than there is for how to make a constant-time GCM. I don't know. They seem like comparably difficult tasks. |
|
|