[EXPERIMENTAL-PATCH] Curve25519 encryption support (updated)

NIIBE Yutaka gniibe at fsij.org
Fri Jul 24 11:15:38 CEST 2015


Hello,

Thank you for your comment.  Let me clarify.

On 07/24/2015 03:38 PM, Christian Grothoff wrote:
> Why have a flag for the sane/safe behaviour? If we need a flag at all,
> shouldn't we have it for the unsafe behaviour? (and then we can just
> call it 'unsafe', to be appropriately discouraging).  AFAIK encryption
> support is kind-of new anyway, so hopefully this isn't needed to avoid
> breaking backwards-compatibility with anything that has been deployed...

We already have "classic" ECC (including ECDH encryption) with the
NIST, Brainpool, and GOST curves.  Well, I'd say, it is not-that-safe
if we compare modern ECC with safe curves.  Its deployment (the libgcrypt
feature of classic ECC) is not that popular now, but it's published
somehow by GnuPG 2.1's ECC support.

With Curve25519, we are introducing a new, safer practice of
sec-is-multiplied-by-cofactor-and-msb-set.

I think that this practice can be applied to existing ECC code (since
all existing curves have cofactor=1, only "msb-set" part is relevant),
if/when we want to improve existing ECC code to be constant time.
-- 
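An added example (my own constructed code, not libgcrypt's or the patch's) of the "sec-is-multiplied-by-cofactor-and-msb-set" practice the message describes, on a 32-byte little-endian Curve25519 secret: the low three bits are cleared (multiplying by the cofactor 8), bit 255 is cleared, and bit 254 is set so every scalar has the same bit length; the helper `scalar_bitlen` shows why that matters, since a naive double-and-add ladder runs one iteration per scalar bit and would otherwise leak the secret's length through its running time.

```c
#include <stdint.h>
#include <string.h>

/* Constructed example (not libgcrypt code): Curve25519 secret-scalar
 * adjustment, "sec-is-multiplied-by-cofactor-and-msb-set".  sec is the
 * 32-byte little-endian secret.  After the call:
 *   - sec is a multiple of the cofactor 8 (low three bits cleared),
 *   - bit 255 is cleared, so the scalar is below 2^255, and
 *   - bit 254 is set, so every scalar has bit length exactly 255.   */
void curve25519_clamp(uint8_t sec[32])
{
    sec[0]  &= 0xf8;  /* scalar = 8 * k: no small-subgroup component */
    sec[31] &= 0x7f;  /* clear bit 255                                */
    sec[31] |= 0x40;  /* set bit 254: fixed length for the ladder     */
}

/* Sanity check a caller can run before the scalar multiplication:
 * returns 1 if sec is already in the form above, 0 otherwise. */
int curve25519_is_clamped(const uint8_t sec[32])
{
    return (sec[0] & 0x07) == 0 && (sec[31] & 0xc0) == 0x40;
}

/* Bit length of a little-endian 32-byte scalar (0 for the zero scalar).
 * This is the quantity a variable-time double-and-add ladder leaks via
 * its iteration count; after curve25519_clamp() it is always 255. */
int scalar_bitlen(const uint8_t sec[32])
{
    for (int i = 31; i >= 0; i--) {
        if (sec[i] == 0)
            continue;
        int b = 7;
        while (((sec[i] >> b) & 1) == 0)
            b--;
        return i * 8 + b + 1;
    }
    return 0;
}
```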