Comparison of RSA vs elliptical keys

Sylvain Besençon sylvain.besencon at unifr.ch
Wed May 13 10:02:14 CEST 2020


Le 12.05.20 à 19:27, Grzegorz Kulewski a écrit :
> Disclaimer: I am not a cryptographer either, let's just say I am an advisor. So, anybody, please correct me, if needed.
> 
> 1. In terms of key size Curve 25519 and P-256 should have same strength: ~128 bits (== comparing with good symmetric cipher, like AES). Generally decent ECC strength = ~0.5 * key_length_in_bits.
> 2. Curve 25519 is very easy to implement in such a way that the implementation is fast. Implementations of other curves are usually slower.
> 3. Curve 25519 is generally easier to implement and easier to implement in such a way that avoids many common security pitfalls, like vulnerability to timing attacks.
> 4. The design of Curve 25519 is public, (is believed to be) software patent free and all constants in it are derived in an easily explainable ways. There are no "magic numbers" out of nowhere that may be just random or maybe were chosen by designers to make some kind of backdoor - but you can never prove that they are innocent since obviously you can't prove that random number was indeed chosen truly randomly.
> 5. Curve 25519 was designed by DJB, an (mostly) independent security expert while others were designed/standardized by big organizations that (given indirect evidence and rumors) may not be that trustworthy.
> 6. This is why many new (and not only, see SSH) protocols tend to choose Curve 25519. But in PGP you should be careful because many implementations (and/or older versions) don't support it. So if you want portability/interoperability you may want some other curve or RSA, especially for the main and signing key.
> 7. If you want something stronger than Curve 25519 that (is believed to) share similar benefits try Curve 448 (~224 bits of security). But I am not sure if PGP implements it (yet?).
> 

Hello,

Thank you all for your quick answers, it is very useful!

RJH's answer sounds like a good piece of advice, but still, at the end, 
we HAVE to to choose which algorithm to use when creating new key pairs. 
This doesn't prevent me to (try to) be cautious about the general health 
of my system.
Grzegorz's points convince me to give a try to Curve 25519. I have 
another though:
> But in PGP you should be careful because many implementations (and/or older versions) don't support it. So if you want portability/interoperability you may want some other curve or RSA, especially for the main and signing key.

I am not sure to fully grasp the consequences of this... Does that mean 
that, if I use Curve 25519, some people won't be able to use my public 
key to encrypt stuff? Or does that mean that some people won't be able 
to read or verify stuff that I encrypt and signs?
Would it be because they use older versions or because some software 
programs don't implement Curve 25519?

I guess that Curve 25519 is mentioned in the IETF standard, isn't it?

Many thanks,
Best,

Sylvain



More information about the Gnupg-users mailing list