Comparison of RSA vs elliptical keys

Werner Koch wk at
Thu May 14 21:43:14 CEST 2020

On Wed, 13 May 2020 10:54, Damien Goutte-Gattat said:

> Not yet. Officially, only the NIST P-256, P-384, and P-521 curves are
> part of the standard (since RFC 6637). The first mention of Curve

RFC-6637 allows for arbitrary curves because curves are specified using
an ASN.1 OID.  So for example the Brainpool curves can as well be used.

The problem is similar to using RSA (which was optional in the old
OpenPGP specs) or to use large RSA keys or even RSA keys which odd
lengths on which some implementations choke.  For a public key algorithm
we unfortunately can't use the preference system.  The worst thing which
can happen to a user is that they can't verify a signature or encrypt to
a key.  But there are no backward compatibility issues related to data

> 25519 for OpenPGP was in a draft by Werner in 2014 [2]. The draft
> never made it to a RFC but the 25519 curve is now part of the draft

For Ed25519 we actually added a new algorithm id so that it is indeed
not covered by RFC-6637.  Anyway, the two Curve22519 algorithms (ed25519
for signing, and cv25519 for encryption) are available in GnuPG as
"future-default".  Given that older GnuPG versions reached end-of-life
2.5 years ago I consider it okay to change the default and create new
keys using ed25519/cv25519.  GnuPG master, which will eventually be 2.3,
uses them as default.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <>

More information about the Gnupg-users mailing list