2.1 beta or release

David Leon Gil coruus at gmail.com
Sat Oct 25 15:39:41 CEST 2014


On Sat, Oct 25, 2014 at 6:21 AM, Werner Koch <wk at gnupg.org> wrote:
> On Fri, 24 Oct 2014 21:52, kristian.fiskerstrand at sumptuouscapital.com
> said:
>
>> Any ETA for IANA assignment of algoid for the Ed25519 / EdDSA I-D? If
>
> No.  I have been advised that I need to forward my request to the Security
> Area Advisory Group for discussion for comments.  If there are no
> problems and the CFRG has finished its curve selection job one of the
> area directors is willing to sponsor the draft.  Unfortunately we do not
> have a WG for OpenPGP anymore and thus everything has to pass the
> individual submission process.  The IETF has no plans to reestablish the
> OpenPGP WG.

I think there will be difficulties with the Ed25519 draft.

The problem is that signing hashes with Ed25519 is not as secure as
signing *messages* with Ed25519. As it stands, at present, there is
nothing to prevent (for example) a signature on a RIPEMD-160 hash from
verifying as a signature on a colliding SHA-1 hash, or vice versa, as
I understand the code/proposal.

One of my previous comments on the draft was incorrect: I stated that
the security proof requires 512-bit (or longer) output. I've reviewed
the relevant paper; I believe that 256-bit output satisfies its
conditions. (So SHA-256 would be fine for Curve25519.)

I would like to avoid seeing the Ed25519 part too widely deployed
before this is fixed.

> I have some fear the curve discussion process of the CFRG has been
> filibustered by parties which are not necessarily friends of privacy.
> Thus I do not want to wait for them any longer.  We have the informal
> OpenPGP (non-)WG list agreement that 22 shall be used for EdDSA.  Thus
> signing is all fine.

Yes. The CFRG process is...unpleasant. But it looks like (as one could
have predicted) Curve25519 will be selected, as well as an Edwards
curve mod 2^521-1.[1]

If anyone is interested in a non-NSA higher-security-strength curve
than Curve25519 at the moment, Bos et al. found a new "rigid"[2]
Weierstrass curve modulo 2^521-1.

(It just requires adding new curve parameters, and fits without
modification into RFC 6637's ECDH and ECDSA specs.)

[1] The difficulty in proceeding with implementing the Edwards curve
is that there are several different ways you can take the twisted
Edwards proposal and map it to an Edwards curve.

[2] It is the curve over Fq(2^521-1) with the smallest in absolute
value short-Weierstrass "b" that satisfies djb's SafeCurves
conditions. (b=167884)

(secp521's quadratic twist has cofactors 5, 7, 69697531, and
635884237. w-521-mers has cofactor 1 on both the curve and its twist.)

Page 5 of http://eprint.iacr.org/2014/130 has the details. (It's not
in the NUMS I-D.)
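As an added illustration of the hash-binding concern raised in the message above (this is not code from the mail, the Ed25519 I-D, or GnuPG), the following Python contains a minimal, non-constant-time Ed25519 in the style of RFC 8032 and then layers two OpenPGP-like "sign the digest" conventions on top of it. The "unbound" pair models the situation the mail describes, where only the digest enters the signature and the hash algorithm identifier is not part of the signed input; the "bound" pair is a hypothetical fix that prefixes the RFC 4880 hash algorithm ID (2 = SHA-1, 3 = RIPEMD-160) to the digest before signing. The key and message are constructed for the demo. No real SHA-1/RIPEMD-160 collision is produced; the point shown is that the unbound verifier cannot tell which algorithm produced the 20-byte digest, so any cross-algorithm collision would transfer the signature, while the bound verifier rejects the relabelled signature regardless.

```python
import hashlib

# --- Minimal Ed25519 (RFC 8032 style, affine coordinates; demo only, not constant time) ---
p = 2**255 - 19
q = 2**252 + 27742317777372353535851937790883648493      # order of the base point
d = (-121665 * pow(121666, p - 2, p)) % p                 # curve constant
SQRT_M1 = pow(2, (p - 1) // 4, p)                         # sqrt(-1) mod p


def inv(x):
    return pow(x, p - 2, p)


def xrecover(y):
    """Even x for a given y on -x^2 + y^2 = 1 + d*x^2*y^2."""
    xx = (y * y - 1) * inv(d * y * y + 1)
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p != 0:
        x = (x * SQRT_M1) % p
    if x % 2 != 0:
        x = p - x
    return x


B_Y = (4 * inv(5)) % p
B = (xrecover(B_Y), B_Y)                                  # base point


def add(P, Q):
    x1, y1 = P
    x2, y2 = Q
    t = (d * x1 * x2 * y1 * y2) % p
    return ((x1 * y2 + x2 * y1) * inv(1 + t) % p,
            (y1 * y2 + x1 * x2) * inv(1 - t) % p)


def mul(P, e):
    """Right-to-left double-and-add; Q accumulates, P is doubled each step."""
    Q = (0, 1)                                            # neutral element
    while e:
        if e & 1:
            Q = add(Q, P)
        P = add(P, P)
        e >>= 1
    return Q


def encodepoint(P):
    x, y = P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")


def decodepoint(s):
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = xrecover(y)
    if (x & 1) != (s[31] >> 7):
        x = p - x
    if (-x * x + y * y - 1 - d * x * x * y * y) % p != 0:
        raise ValueError("point not on curve")
    return (x, y)


def H(m):
    return hashlib.sha512(m).digest()


def secret_expand(sk):
    h = H(sk)
    a = int.from_bytes(h[:32], "little")
    a = (a & ((1 << 254) - 8)) | (1 << 254)               # clamp the scalar
    return a, h[32:]


def publickey(sk):
    a, _ = secret_expand(sk)
    return encodepoint(mul(B, a))


def sign(sk, m):
    """Pure Ed25519: the whole message m is bound via H(R || A || m)."""
    a, prefix = secret_expand(sk)
    A = encodepoint(mul(B, a))
    r = int.from_bytes(H(prefix + m), "little") % q
    R = encodepoint(mul(B, r))
    k = int.from_bytes(H(R + A + m), "little") % q
    return R + ((r + k * a) % q).to_bytes(32, "little")


def verify(pk, m, sig):
    if len(sig) != 64 or len(pk) != 32:
        return False
    try:
        R, A = decodepoint(sig[:32]), decodepoint(pk)
    except ValueError:
        return False
    s = int.from_bytes(sig[32:], "little")
    if s >= q:
        return False
    k = int.from_bytes(H(sig[:32] + pk + m), "little") % q
    return mul(B, s) == add(R, mul(A, k))


# --- Signing a digest, with and without binding the hash algorithm (RFC 4880 IDs) ---
SHA1, RIPEMD160 = 2, 3

def sign_digest_unbound(sk, hash_alg, digest):
    return sign(sk, digest)                               # hash_alg is ignored (the mail's concern)

def verify_digest_unbound(pk, hash_alg, digest, sig):
    return verify(pk, digest, sig)

def sign_digest_bound(sk, hash_alg, digest):
    return sign(sk, bytes([hash_alg]) + digest)           # hypothetical fix: domain-separate by ID

def verify_digest_bound(pk, hash_alg, digest, sig):
    return verify(pk, bytes([hash_alg]) + digest, sig)


def demo():
    sk = bytes(range(32))                                 # constructed test key, not a real secret
    pk = publickey(sk)
    D = hashlib.sha1(b"constructed message").digest()     # any 20-byte digest; treat it as RIPEMD-160 output
    sig_u = sign_digest_unbound(sk, RIPEMD160, D)
    sig_b = sign_digest_bound(sk, RIPEMD160, D)
    return {
        "unbound_as_ripemd160": verify_digest_unbound(pk, RIPEMD160, D, sig_u),
        "unbound_as_sha1": verify_digest_unbound(pk, SHA1, D, sig_u),   # same sig, relabelled: accepted
        "bound_as_ripemd160": verify_digest_bound(pk, RIPEMD160, D, sig_b),
        "bound_as_sha1": verify_digest_bound(pk, SHA1, D, sig_b),       # relabelled: rejected
    }


if __name__ == "__main__":
    print(demo())
```

The curve arithmetic is the textbook affine form and exists only to make the example self-contained; a real implementation would use a vetted library. What matters here is the last block: with the unbound convention the algorithm identifier never reaches the signer or verifier, so a signature over a digest is a signature over that 20-byte value under every hash algorithm of that length at once, and only the absence of a cross-algorithm collision protects it. Prefixing the identifier (or signing the message itself, as pure Ed25519 does) removes that dependency.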
