ECC and smartcards

Werner Koch wk at
Tue Oct 15 13:16:45 CEST 2013

On Tue,  1 Oct 2013 20:56, openpgp at said:

> IMO any other curve as a standard curve for digital signastures will
> split already thin ecosystem of ECC to the degree that it's
> insignificant. Users will continue to use RSA/DSA keys as a result.

I don't know of any released OpenPGP implementation with support for
ECC.  Well, there is a GnuPG beta and some people are already using it.
However, before ECC support can actually be declared stable we need to
get a real release out.  Even then, the generation of ECC keys will only
be available in --expert mode for, say, a year before it can be declared
mainstream.  We need this delay so that a large installation base of ECC
enabled GnuPGs is available.

> SuiteB curves are basically Neil Koblitz, a no-NSA-friend, curves with
> parameters a,b following standard rules, but which method of choice is
> unpublished.

Right - this raises a lot of suspicion and did that for many years.  In
Europe the Brainpool curves are strongly preferred over the NIST curves.
Maybe because they have been developed without hiding the way they have
been generated - maybe out of other reasons.  We don't know.  Thus I
consider it better to step aside the issue and use what is currently
considered the best choice.

> 1) NSA knows about a (fundamental?) flaw in ECC
> 2) NSA is convinced that nobody will discover it, so that the US
> government data protection at TOP SECRET level is not at risk
> 3) the alternatives (i.e. Edwards curves) don't have this flaw and
> don't have other flaws related to special structure of the new curves
> 4) SHA2 algorithm is secure

This has all been discussed elsewhere and despite that nobody has an
idea on how the NSA may have subverted the curves, it is better to avoid
them if technically possible.  We are lucky enough that there are no
deployed OpenPG ECC keys and thus there is still time for a change.

> 5) you are worrying about NSA forging OpenPGP signatures (as opposed
> to breaking encryption)

Signatures are often more important than encryption.  All the OpenPGP
security relies on digital signatures.  This it is good target for an
active attack.

> Also, many people are thinking that entire ECC is flawed, so +
> 6) RSA, DSA is stronger.

Some people are righly thinking that all software is flawed.

> far from universal adoption. It's hard to see Edwards curves (or any
> other ECC curve) having much success (unless you have a closed system
> and don't care about anybody else, or an online protocol).

Two weeks ago I had the opportunity to chat with PRZ about this topic.
He agrees that ECC will be the future and that we should use the
Bernstein curves for PGP.  For Silent Circle they can't use 25519
because the security margin is less than of the currently used P-384.
Thus they are waiting for DJB to finish the development a 400+ bit



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-devel mailing list