[openpgp] Curve3617 in OpenPGP? Beyond rfc6637.

Gregory Maxwell <gmaxwell@gmail.com> Thu, 17 October 2013 21:09 UTC


With the recent concerns about the integrity of the NIST-specified ECC
curves, many protocols are looking to non-NIST alternatives for their
EC crypto needs.

Is anyone considering using Curve3617 in OpenPGP? The case for the
design approach is made at http://safecurves.cr.yp.to/ and is
generally pretty compelling.

[Arguably for OpenPGP use it would be nice to see a ~1024-bit curve
produced with the same engineering methodology: for most uses of
OpenPGP performance is not a major limitation (1024-bit ECC could be
adequately fast on an embedded device), nor are 128 bytes more of
signature data, but long-term security is... Index calculus results in
security that scales similarly to integer factoring, so there is an
argument that even unknown breakthroughs that render common ECC
insecure would simply be reducing it to RSA-like security.]

Along those lines, has there been any proposal for supporting a Merkle
signature scheme for long-term master identity keys?  For a master
identity key that delegates signing, a finite (but potentially large)
amount of reuse is not problematic at all. Relatively large signatures
are not problematic in many applications, and these signatures would
have nicely orthogonal security to discrete-log-based cryptosystems
and are strong against quantum computers.  (And regardless of how much of
a threat you personally consider quantum computers on the time scales
you consider relevant, FUD related to them, "oh but the XYZ has QCs,
see this D-Wave hype, no reason to use crypto at all", is harmful to the
public.)
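One way the finite-reuse master key described in the post can be realised, as an added example that is not part of the original message and not OpenPGP's or any project's code: Lamport one-time keys under a Merkle hash tree, where the tree root is the master public key and a counter burns one leaf per delegation signature. Names such as MerkleSigner and the tree height are illustrative choices.

```python
# Added illustration of a Merkle signature scheme (Lamport one-time keys under a
# hash tree) with a finite-reuse master key. Example code, not OpenPGP's or any
# project's; the hypothetical MerkleSigner has a state counter that must never roll back.
import hashlib, os

def H(b): return hashlib.sha256(b).digest()

def lamport_keygen(rng=os.urandom):
    # two 32-byte secrets per message bit; the public key is their hashes
    sk = [(rng(32), rng(32)) for _ in range(256)]
    return sk, [(H(s0), H(s1)) for s0, s1 in sk]

def msg_bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]

def lamport_sign(sk, msg):   # reveals one secret per bit: strictly one-time
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]

def lamport_verify(pk, msg, sig):
    return all(H(sig[i]) == pk[i][b] for i, b in enumerate(msg_bits(msg)))

def leaf_hash(pk): return H(b"".join(h for pair in pk for h in pair))

class MerkleSigner:
    """Master key good for exactly 2**height signatures; each use burns a leaf."""
    def __init__(self, height, rng=os.urandom):
        self.keys = [lamport_keygen(rng) for _ in range(1 << height)]
        self.layers = [[leaf_hash(pk) for _, pk in self.keys]]
        while len(self.layers[-1]) > 1:            # build the tree bottom-up
            lvl = self.layers[-1]
            self.layers.append([H(lvl[i] + lvl[i + 1]) for i in range(0, len(lvl), 2)])
        self.root = self.layers[-1][0]             # the public master key
        self.next_leaf = 0                         # reuse state: never roll back

    def sign(self, msg):
        if self.next_leaf >= len(self.keys):
            raise RuntimeError("master key exhausted: reusing a leaf leaks secrets")
        idx, self.next_leaf = self.next_leaf, self.next_leaf + 1
        sk, pk = self.keys[idx]
        path, i = [], idx                          # sibling hashes up to the root
        for lvl in self.layers[:-1]:
            path.append(lvl[i ^ 1]); i >>= 1
        return idx, lamport_sign(sk, msg), pk, path

def merkle_verify(root, msg, sig):
    idx, ots, pk, path = sig
    if not lamport_verify(pk, msg, ots):
        return False
    node, i = leaf_hash(pk), idx
    for sib in path:                               # recompute the root from the leaf
        node = H(sib + node) if i & 1 else H(node + sib)
        i >>= 1
    return node == root
```

A height-20 tree gives about a million delegation signatures from one root; the only secret state beyond the leaf keys is the counter, which is why a master key of this kind must be stored where it cannot be restored from an old backup.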