Beyond Curve25519

Hanno Böck hanno at
Fri Jan 16 00:15:08 CET 2015

On Thu, 15 Jan 2015 17:10:19 -0500
Daniel Kahn Gillmor <dkg at> wrote:

> I'm not convinced by this argument.  It seems to assume that all
> possible non-quantum mathematical advances in elliptic curve
> cryptanalysis have already been published.

Well, it assumes at least that there will be no "really big unexpected
breakthroughs". To get from 128 bit to breakable requires attacks
achieving a security reduction of at least around 40-50 bits. That's a

> It's also possible that quantum machinery becomes feasible for solving
> problems of a certain size, but engineering constraints prohibit
> constructing a machine with enough qubits to solve larger problems for
> several more years.

That's an interesting line of reasoning, because if you follow it you'd
increase your key size as much as feasible. That means however stay
away from elliptic curves - and use rsa 4096 or more.

However I have discussed this with a couple of people. The usual
opinion in the post-quantum-discussion seems to be that this is not
going to happen. Once qc becomes scalable it'll scale up easily.

> In either scenario, having a larger curve with a higher security
> margin gives a buffer against these currently-unknown attacks.

If I really would want a security buffer against very unlikely future
attacks I'd rather combine different PK algs in a secure way.
I found the ring learning with errors talk on RWC interesting in that
regard that they try to combine ecdh with their new key exchange.

> And e-521 should still be far and away cheaper than rsa-2048 for
> secret key operations, which are used widely today, while having a
> *much* higher security margin.

As said above:
This is only true in the non-quantum-setting.

For gpg generally I'd assume performance really doesn't matter that

Hanno Böck

mail/jabber: hanno at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20150116/457bdf27/attachment.sig>

More information about the Gnupg-devel mailing list