Re: ECC in OpenPGP

Jon Callas <jon@callas.org> Tue, 31 August 2010 00:45 UTC

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> 
> Is it really worth switching horses across to ECC from RSA?  The NSA seems to think so...
> 
> Let me put it this way, as a hypothetical:  if OpenPGP next-gen had to choose between RSA and ECC, only implement one of them, which would we choose?

That's the wrong question, really.

There's one and only one reason to seriously consider ECC, and that is that you want public keys with security greater than 128 bits, and you don't want unwieldy key sizes.

NIST says that a 3Kbit integer public key has the same security as 128-bit symmetric keys, and that to get to 256 bits, you need a 15Kbit integer key. Argue with NIST's assessment if you like -- heck, I *like* the argument, myself -- but the point is that if you want crypto-balance with AES-256, then RSA is unwieldy. No argument there.

If you're happy with 128-bit security, then you don't need ECC. RSA is just fine. If you want 256-bit security, then you have a quandary. You either need to go beyond 4096-bit RSA keys, or go to ECC. It's that simple.

One could argue that there is no need to do this before say 2020 or 2025, thus mooting the whole Certicom/RIM patent issue. There is merit to this way of dealing with it. However, if one wants one's protocol to be used with Suite B or things that are effectively Suite B, then one needs ECC before then.

Andrey Jivsov has circulated a draft for ECC in OpenPGP that was intentionally built to both satisfy Suite B and to avoid the whole patent thing, only using freely-usable technology. He probably needs to push that along some more. :-)

	Jon


-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.10.0 (Build 554)
Charset: us-ascii

wj8DBQFMfE8PsTedWZOD3gYRAgcsAKD+mWuqGtIaClxngXzdgPl8+x4flwCbBZdl
pefyVwOE4C49i3Js2a6zJ34=
=IZ9M
-----END PGP SIGNATURE-----
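
The key-size argument in the message above can be checked numerically. The Python below is an added example, not part of the original message: it assumes the number-field-sieve work estimate given in FIPS 140-2 Implementation Guidance 7.5 for RSA and the usual rule that an elliptic-curve field is about twice the target strength in bits. The function names are hypothetical.

```python
import math


def rsa_strength_bits(modulus_bits: int) -> float:
    """Estimated symmetric-equivalent strength of an RSA modulus.

    Assumption: the GNFS-based estimate from FIPS 140-2 IG 7.5,
    x = (1.923 * cbrt(L ln 2) * cbrt(ln(L ln 2)^2) - 4.69) / ln 2.
    """
    x = modulus_bits * math.log(2)
    work = 1.923 * x ** (1 / 3) * math.log(x) ** (2 / 3) - 4.69
    return work / math.log(2)


def min_rsa_bits(target_strength: int, step: int = 256) -> int:
    """Smallest modulus size (a multiple of `step`) reaching the target."""
    bits = step
    while rsa_strength_bits(bits) < target_strength:
        bits += step
    return bits


def ecc_field_bits(target_strength: int) -> int:
    """Generic square-root attacks cost about 2^(n/2) on an n-bit curve."""
    return 2 * target_strength


def comparison(targets=(128, 192, 256)):
    """Rows of (target strength, minimum RSA bits, ECC field bits)."""
    return [(t, min_rsa_bits(t), ecc_field_bits(t)) for t in targets]


if __name__ == "__main__":
    for bits in (2048, 3072, 4096, 15360):
        print(f"RSA-{bits}: about {rsa_strength_bits(bits):.0f}-bit strength")
    print()
    print("target  RSA modulus  ECC field")
    for target, rsa_bits, ecc_bits in comparison():
        print(f"{target:>6}  {rsa_bits:>11}  {ecc_bits:>9}")
```

Under this estimate a 4096-bit modulus lands near 150 bits, well short of AES-256, while the elliptic-curve column grows only linearly with the target strength.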