2.1 beta or release
David Leon Gil
coruus at gmail.com
Sat Oct 25 15:39:41 CEST 2014
On Sat, Oct 25, 2014 at 6:21 AM, Werner Koch <wk at gnupg.org> wrote:
> On Fri, 24 Oct 2014 21:52, kristian.fiskerstrand at sumptuouscapital.com
>> Any ETA for IANA assignment of algoid for the Ed25519 / EdDSA I-D? If
> No. I have advice that I need to forward my request to the Security
> Area Advisory Group for discussion and comments. If there are no
> problems and the CFRG has finished its curve selection job one of the
> area directors is willing to sponsor the draft. Unfortunately we do not
> have a WG for OpenPGP anymore and thus everything has to pass the
> individual submission process. The IETF has no plans to reestablish the
> OpenPGP WG.
I think there will be difficulties with the Ed25519 draft.
The problem is that signing hashes with Ed25519 is not as secure as
signing *messages* with Ed25519. As it stands, at present, there is
nothing to prevent (for example) a signature on a RIPEMD-160 hash from
verifying as a signature on a colliding SHA-1 hash, or vice versa, as
I understand the code/proposal.
One of my previous comments on the draft was incorrect: I stated that
the security proof requires 512-bit (or longer) output. I've reviewed
the relevant paper; I believe that 256-bit output satisfies its
conditions. (So SHA-256 would be fine for Curve25519.)
I would like to avoid seeing the Ed25519 part too widely deployed
before this is fixed.
> I have some fear the curve discussion process of the CFRG has been
> filibustered by parties which are not necessarily friends of privacy.
> Thus I do not want to wait for them any longer. We have the informal
> OpenPGP (non-)WG list agreement that 22 shall be used for EdDSA. Thus
> signing is all fine.
Yes. The CFRG process is...unpleasant. But it looks like (as one could
have predicted) Curve25519 will be selected, as well as an Edwards
curve mod 2^521-1.
If anyone is interested in a non-NSA higher-security-strength curve
than Curve25519 at the moment, Bos et al. found a new "rigid"
Weierstrass curve modulo 2^521-1.
(It just requires adding new curve parameters, and fits without
modification into RFC 6637's ECDH and ECDSA specs.)
The difficulty in proceeding with implementing the Edwards curve
is that there are several different ways you can take the twisted
Edwards proposal and map it to an Edwards curve.
It is the curve over Fq(2^521-1) with the smallest-in-absolute-value
short-Weierstrass "b" that satisfies djb's SafeCurves criteria
(secp521's quadratic twist has cofactors 5, 7, 69697531, and
635884237; w-521-mers has cofactor 1 on both the curve and its twist).
Page 5 of http://eprint.iacr.org/2014/130 has the details. (It's not
in the NUMS I-D.)
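The hash-binding concern raised in the message above, as an added example that is not part of the original post or of GnuPG's code (Go, using only the standard library's crypto/ed25519): a signature over bare digest bytes carries no record of which hash produced them, so the same signature verifies for any hash yielding those bytes, whereas prefixing a hash-algorithm tag makes the signature commit to the hash. The tag values, seed and message are constructed for illustration, not OpenPGP's real identifiers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha1"
	"fmt"
)

// Hash-algorithm tags for domain separation. Constructed for this example;
// they are not OpenPGP's real hash algorithm IDs.
const (
	HashSHA1      byte = 1
	HashRIPEMD160 byte = 2
)

// Constructed 32-byte seed so the example is deterministic and offline.
var seed = []byte("example-seed-do-not-use-in-prod!")

// signBound prefixes the digest with its hash tag, so the signature also
// commits to which hash function produced the digest.
func signBound(priv ed25519.PrivateKey, hashID byte, digest []byte) []byte {
	return ed25519.Sign(priv, append([]byte{hashID}, digest...))
}

// verifyBound rebuilds the same tag||digest input before verifying.
func verifyBound(pub ed25519.PublicKey, hashID byte, digest, sig []byte) bool {
	return ed25519.Verify(pub, append([]byte{hashID}, digest...), sig)
}

// CrossAlgorithmCheck signs a SHA-1 digest, then checks the same 20 bytes
// presented as a RIPEMD-160 digest (stand-in for a collision) under each scheme.
func CrossAlgorithmCheck() (unboundAccepts, boundAccepts bool) {
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)
	d := sha1.Sum([]byte("constructed message"))
	digest := d[:]
	// Digest-only signing: the signed bytes say nothing about the hash, so
	// a verifier told "this is a RIPEMD-160 digest" has nothing to check.
	sigUnbound := ed25519.Sign(priv, digest)
	unboundAccepts = ed25519.Verify(pub, digest, sigUnbound)
	// Tagged signing: claiming a different hash changes the signed bytes.
	sigBound := signBound(priv, HashSHA1, digest)
	boundAccepts = verifyBound(pub, HashRIPEMD160, digest, sigBound)
	return unboundAccepts, boundAccepts
}

func main() {
	u, b := CrossAlgorithmCheck()
	fmt.Printf("digest-only accepts cross-hash claim: %v; tagged: %v\n", u, b)
}
```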