ECC curves used in gnupg?

Werner Koch wk at
Wed Dec 18 11:24:43 CET 2013

On Tue, 17 Dec 2013 20:01, anthony at said:
> I know that gnupg is experimenting with ECC and I'm wondering which
> curves the team has decided to use. I know there are some curves that
> are now suspected of being tainted by the NSA through NIST. Has the
> gnupg team ruled using those curves out?

We will support the curves specified in RFC-6637.  These are the NIST
curves P-256, P-384, and P-521.  I recently added support for Brainpool
P256r1, P384r1, and P512r1 to make some some European governments happy.

I the wake of recent events and due to the fear of many people that the
NIST curves might have some secret properties, I added support for
Bernstein et al's Ed25519 signature scheme.  The problem here is that it
is not really covered by RFC-6637 because it does not use the ECDSA
signature scheme but a Schnorr like scheme named EdDSA.  Thus for a
proper implementation we need to assign a new algorithm number to it
which in turn means to write another RFC.

I recently met with Phil Zimmermann and we talked about the OpenPGP
future.  It is pretty clear that we need to replace the current
algorithms with elliptic curves to get a better security margin for the
future.  Alhough there are no technical reasons not to use existing
standard curves, we better take the users unhappiness with NIS curves in
account and move on to curves like Ed25519 which are easier to use and
are an outcome of public research.  Bernstein and Lange are currently
working on a 384 bit curve and it is very likely that this one will also
be added to GnuPG.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-users mailing list