ECDH using Curve25519

Werner Koch wk at
Tue Apr 15 16:14:54 CEST 2014

On Tue, 15 Apr 2014 14:46, gniibe at said:

> In this case (extending RFC 6637 with Curve25519), all we need is the
> OID of the Montgomery curve.

from Peter Gutmann's arc as posted to cryptography last year.

> Werner once suggested that using Ed25519 curve (as we already have
> its routine in libgcrypt).  However, with the experience of writing

The reason is that we already have this implementation, only one
implementation would be needed, and it is not much slower than the
Montgomery form.  Thus for GNUnet we decided on using Ed25519 also for
ECDH.  However, there we don't need to comply with any existing

> an implementation (for Gnuk), I think that implementing Montgomery
> curve in libgcrypt would be straight-forward and better in long term.

Given that Libgcrypt is a collection of many algorithms we should have
Montgomery arithmetic for EC as well.  What new curves will eventually
be a SHOULD or MUST in OpenPGP is a different issue.  Given that you can
easily use RFC-6637, it makes sense to experiment with it.

> Shall I go ahead to experiment with libgcrypt (and then, GnuPG,
> hopefully) for Curve25519 function?

Please do that; at least it will be a good occasion to start a new
discussion on the OpenPGP WG.



Thoughts are free.  Exceptions are regulated by a federal law.
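
Added example (not part of the message above, and not libgcrypt, GnuPG or GNUnet code): a pure-Python check that ECDH done with Edwards-form arithmetic and ECDH done with the Montgomery ladder yield the same Curve25519 shared u-coordinate, which is why one implementation can serve both. All function names and the two secrets are constructed for illustration; the code is not constant time.

```python
import hashlib
P = 2**255 - 19
def inv(x): return pow(x % P, P - 2, P)      # modular inverse (Fermat)
D = -121665 * inv(121666) % P                # Edwards curve constant d

def clamp(k):  # Curve25519 clamping: clear bits 0-2 and 255, set bit 254
    return (k & ((1 << 255) - 8)) | (1 << 254)

def x25519(k, u):  # Montgomery ladder on the u-coordinate (RFC 7748 formulas)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in reversed(range(255)):
        bit = (k >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return x2 * inv(z2) % P

def ed_add(p1, p2):  # complete addition law on -x^2 + y^2 = 1 + d x^2 y^2
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % P,
            (y1 * y2 + x1 * x2) * inv(1 - t) % P)

def ed_mul(k, pt):  # double-and-add starting from the neutral element (0, 1)
    acc = (0, 1)
    while k:
        if k & 1:
            acc = ed_add(acc, pt)
        pt, k = ed_add(pt, pt), k >> 1
    return acc

def ed_base():  # Edwards base point from y = 4/5, the image of Montgomery u = 9
    y = 4 * inv(5) % P
    xx = (y * y - 1) * inv(D * y * y + 1) % P
    x = pow(xx, (P + 3) // 8, P)             # square root candidate, P = 5 mod 8
    return (x if (x * x - xx) % P == 0 else x * pow(2, (P - 1) // 4, P) % P, y)
def to_u(pt):  # birational map Edwards y -> Montgomery u = (1 + y) / (1 - y)
    return (1 + pt[1]) * inv(1 - pt[1]) % P

def demo():  # returns (Montgomery secret seen by A, by B, Edwards-form secret)
    a, b = (clamp(int.from_bytes(hashlib.sha256(s).digest(), "little"))
            for s in (b"constructed key A", b"constructed key B"))
    return x25519(a, x25519(b, 9)), x25519(b, x25519(a, 9)), to_u(ed_mul(a, ed_mul(b, ed_base())))
```

The sign of the recovered Edwards x does not matter here, because the mapped u-coordinate depends only on y.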
