Re: [openpgp] Curve3617 in OpenPGP? Beyond rfc6637.

Jon Callas <jon@callas.org> Fri, 18 October 2013 01:38 UTC

Return-Path: <jon@callas.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A098811E80E4 for <openpgp@ietfa.amsl.com>; Thu, 17 Oct 2013 18:38:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TQX40OKEq8me for <openpgp@ietfa.amsl.com>; Thu, 17 Oct 2013 18:38:10 -0700 (PDT)
Received: from mail.merrymeet.com (merrymeet.com [173.164.244.100]) by ietfa.amsl.com (Postfix) with ESMTP id B331711E8203 for <openpgp@ietf.org>; Thu, 17 Oct 2013 18:38:08 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.merrymeet.com (Postfix) with ESMTP id 9C56A4506D52; Thu, 17 Oct 2013 18:37:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at merrymeet.com
Received: from mail.merrymeet.com ([127.0.0.1]) by localhost (merrymeet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JmM1dUZeS8oG; Thu, 17 Oct 2013 18:37:45 -0700 (PDT)
Received: from keys.merrymeet.com (keys.merrymeet.com [173.164.244.97]) by mail.merrymeet.com (Postfix) with ESMTPSA id DC6E94506D3E; Thu, 17 Oct 2013 18:37:45 -0700 (PDT)
Received: from [10.0.23.21] ([173.164.244.98]) by keys.merrymeet.com (PGP Universal service); Thu, 17 Oct 2013 18:37:45 -0700
X-PGP-Universal: processed; by keys.merrymeet.com on Thu, 17 Oct 2013 18:37:45 -0700
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Jon Callas <jon@callas.org>
In-Reply-To: <CAAS2fgRG2AbZsz_4aF33Pd167M4-6=-73WAAgxTAjLMdoGNLeQ@mail.gmail.com>
Date: Thu, 17 Oct 2013 18:37:58 -0700
Message-Id: <CBE39208-C436-4145-A645-10380145F200@callas.org>
References: <CAAS2fgRG2AbZsz_4aF33Pd167M4-6=-73WAAgxTAjLMdoGNLeQ@mail.gmail.com>
To: Gregory Maxwell <gmaxwell@gmail.com>
X-Mailer: Apple Mail (2.1510)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Cc: openpgp@ietf.org, Jon Callas <jon@callas.org>
Subject: Re: [openpgp] Curve3617 in OpenPGP? Beyond rfc6637.
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Oct 2013 01:38:23 -0000

On Oct 17, 2013, at 2:09 PM, Gregory Maxwell <gmaxwell@gmail.com> wrote:

> With the recent concerns about the integrity of the NIST specified ECC
> curves many protocols are looking to non-NIST alternatives for their
> EC crypto needs.
> 
> Is anyone considering using Curve3617 in OpenPGP? The case for the
> design approach is made at http://safecurves.cr.yp.to/ and is
> generally pretty compelling.

Andrey would know best, but my reading of RFC 6637 leads me to think that all you need is an OID for the curve and you're golden.

We're going to be using Curve3617 for Silent Circle as a replacement for P-384.

> 
> [Arguably for OpenPGP use it would be nice to see a ~1024 bit curve
> produced with the same engineering methodology: for most uses of
> OpenPGP performance is not a major limitation (1024 bit ECC could be
> adequately fast on an embedded device) nor are 128 bytes more of
> signature data, but long term security is... Index calculus results in
> security that scales similar to integer factoring, so there is an
> argument that even unknown breakthroughs that render common ECC
> insecure would simply be reducing it to RSA like security.]

Why ever would you want a 1Kbit curve? Sure, arguably, but please make the argument. As it is, Curve3617 is more than one really needs. I'm genuinely interested.

	Jon