Mailing List Archive

ECC curves used in gnupg?
I know that gnupg is experimenting with ECC and I'm wondering which
curves the team has decided to use. I know there are some curves that
are now suspected of being tainted by the NSA through NIST. Has the
gnupg team ruled using those curves out?

Anthony

--
Anthony Papillion
XMPP/Jabber: cajuntechie@jit.si
SIP: 17772471988@callcentric.com
iNum: +883-5100-01190960
PGP Key: 0xDC89FF2E


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: ECC curves used in gnupg?
On Tue, 2013-12-17 at 13:01 -0600, Anthony Papillion wrote:
> I know that gnupg is experimenting with ECC and I'm wondering which
> curves the team has decided to use. I know there are some curves that
> are now suspected of being tainted by the NSA through NIST. Has the
> gnupg team ruled using those curves out?

Wouldn't it be nice to include ecc curves up to 1024 bit (ecc brainpool
gives you 512 bit at most, maryland 521)?
I calculated the parameters last year (no ties to maryland) and they are
free for noncommercial use ;-)

They can be found here:
http://www.fh-wedel.de/~an/crypto/accessories/domains_anders.html

In the ECC software "Academic Signature" -which contains a minimalistic
GnuPG GUI by the way- you can check their sanity, including the MOV
condition.

There has been a thread on insecure GnuPG defaults lately. (SHA1
hmmmm....) Please keep in mind that (to my knowledge) maryland does
allow the export of ecc software up to 256 bit if in the "interest of
national security". So why not exclude bit sizes smaller than 256 from
the very beginning?


regards
Michael
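
The kind of domain-parameter sanity check mentioned in this message (including the MOV condition), as an added example that is not part of the thread or of Academic Signature. It runs on the published NIST P-256 constants; the function names and the MOV bound of 100 are this example's assumptions, and it does not verify that n times G is the point at infinity.

```python
def embedding_degree(p, n, bound):
    # MOV condition: smallest k <= bound with p^k == 1 (mod n), else None.
    t = 1
    for k in range(1, bound + 1):
        t = t * p % n
        if t == 1:
            return k
    return None

def is_probable_prime(m, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    # Miller-Rabin with fixed bases; a probabilistic test at these sizes.
    if m < 2:
        return False
    for q in bases:
        if m % q == 0:
            return m == q
    d, s = m - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for base in bases:
        x = pow(base, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = x * x % m
            if x == m - 1:
                break
        else:
            return False
    return True

def check_domain(p, a, b, gx, gy, n, mov_bound=100):
    # mov_bound=100 is this example's choice, not a value from the thread.
    return {
        "field_prime": is_probable_prime(p),
        "nonsingular": (4 * a**3 + 27 * b**2) % p != 0,
        "base_point_on_curve": (gy * gy - (gx**3 + a * gx + b)) % p == 0,
        "order_prime": is_probable_prime(n),
        "not_anomalous": n != p,  # n == p would allow the anomalous-curve attack
        "mov_condition": embedding_degree(p, n, mov_bound) is None,
    }

# Published NIST P-256 constants (y^2 = x^3 + a*x + b over F_p, base point G, order n).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256 = dict(p=P, a=P - 3,
    b=0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
    gx=0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
    gy=0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5,
    n=0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551)
```

`check_domain(**P256)` reports every check as passing. For a constructed weak case, the supersingular curve y^2 = x^3 + x over F_11 with a subgroup of order 3, `embedding_degree(11, 3, 100)` returns 2, so the MOV condition fails.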


Re: ECC curves used in gnupg?
On Tue, 17 Dec 2013 20:01, anthony@cajuntechie.org said:
> I know that gnupg is experimenting with ECC and I'm wondering which
> curves the team has decided to use. I know there are some curves that
> are now suspected of being tainted by the NSA through NIST. Has the
> gnupg team ruled using those curves out?

We will support the curves specified in RFC-6637. These are the NIST
curves P-256, P-384, and P-521. I recently added support for Brainpool
P256r1, P384r1, and P512r1 to make some European governments happy.

In the wake of recent events and due to the fear of many people that the
NIST curves might have some secret properties, I added support for
Bernstein et al.'s Ed25519 signature scheme. The problem here is that it
is not really covered by RFC-6637 because it does not use the ECDSA
signature scheme but a Schnorr-like scheme named EdDSA. Thus for a
proper implementation we need to assign a new algorithm number to it
which in turn means to write another RFC.

I recently met with Phil Zimmermann and we talked about the OpenPGP
future. It is pretty clear that we need to replace the current
algorithms with elliptic curves to get a better security margin for the
future. Although there are no technical reasons not to use existing
standard curves, we better take the users' unhappiness with NIST curves into
account and move on to curves like Ed25519 which are easier to use and
are an outcome of public research. Bernstein and Lange are currently
working on a 384 bit curve and it is very likely that this one will also
be added to GnuPG.


Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

