Choice of ECC curve on usb token

Phil Pennock gnupg-users at spodhuis.org
Sat Jun 30 01:51:07 CEST 2018


On 2018-06-29 at 18:07 +0200, Damien Cassou wrote:
> NIIBE Yutaka <gniibe at fsij.org> writes:
> > Why not Curve25519, if you use ECC?
> 
> I'm not sure I want ECC after reading this:
> https://crypto.stackexchange.com/a/60394/60027

Curve25519 is not NIST ECC.  It is ECC.

"ECC" = "Elliptic Curve Cryptography", it covers an entire class of "how
public/private pairs are related and calculated".

There are various different algorithms within ECC.  Some of those are
published by NIST, with input from various agencies, and there is
reasonable concern as to the provenance of the specifications, as that
page notes.

The IETF, amongst other groups, has been moving towards Curve25519 for
public key cryptography because it is ECC and it's not NIST.  It
currently looks, with a wet finger in the air and an array of chicken
entrails before us, from every known species of chicken, as though
Curve25519 is likely to be good for a while to come; up until the much
heralded practical quantum computers one day arrive and possibly change
everything.

So for new deployments today, where interoperability with ancient
OpenPGP implementations (such as GnuPG v1) is not a concern, you're
probably looking at Curve25519 and, if eager, keeping half an eye on the
news about post-quantum cryptography for the next step after that.

If you need more specific guidance than that, pay a professional
cryptographer to analyse your requirements and make a recommendation.

-Phil


