ECC and smartcards

Matthias-Christian Ott ott at
Tue Oct 1 20:09:25 CEST 2013

On 10/01/13 14:27, Werner Koch wrote:

> I have more and more doubts that using ECDSA by default in GnuPG is the
> Right Thing.  Although I don't think that the NIST curves have been
> selected for possible future algorithm break or a chance for broken
> implementations, we can't be sure about it and many people will probably
> not trust them for non-technical reasons.  Thus a released 2.1.0 will
> likely use Bernstein et al.'s curves by default.

And thus limiting the security to "128 bits".

> Given that it is unlikely that we will find an implementation of
> Curve25519 in a proprietary smartcard any time soon, I am bit lost on
> what do do with ECC and smartcards.

The NXP Java Cards I bough some time ago (contact me if someone wants
one) allow you to specify the curve parameters (untested). So it seems
that you could use the Brainpool curves on these cards. At least their
PRNG seed is a "nothing up my sleeve numbers". But if you worry about
backdoors, I can imagine that the smartcards have probably have hidden
functionality to extract keys from them or contain other intentional
attack vectors or bugdoors in the hardware or operating system.


More information about the Gnupg-devel mailing list