ECDH using Curve25519
Werner Koch
wk at gnupg.org
Tue Apr 15 16:14:54 CEST 2014
On Tue, 15 Apr 2014 14:46, gniibe at fsij.org said:
> In this case (extending RFC 6637 with Curve25519), all we need is the
> OID of the Montgomery curve.
1.3.6.1.4.1.3029.1.5.1
from Peter Gutmann's arc as posted to cryptography last year.
> Werner once suggested that using Ed25519 curve (as we already have
> it's routine in libgcrypt). However, with the experience of writing
The reason is that we already have this implementation, only one
implementation would be needed, and it is not much slower than the
Montgomery form. Thus for GNUnet we decided on using Ed25519 also for
ECDH. However, there we don't need to comply with any existing
standards.
> an implementation (for Gnuk), I think that implementing Montgomery
> curve in libgcrypt would be straight-forward and better in long term.
Given that Libgcrypt is a collection of many algorithms we should have
Montgomery arithmetic for EC as well. What new curves will eventually
be a SHOULD or MUST in OpenPGP is a different issue. Given that you can
easily use RFC-6637, it makes sense to experiment with it.
> Shall I go ahead to experiment with libgcrypt (and then, GnuPG,
> hopefully) for Curve25519 function?
Please do that; at least it will be a good occassion to start a new
discussion on the OpenPGP WG.
Shalom-Salam,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
More information about the Gnupg-devel
mailing list