[openpgp] ECDH with Curve25519 (was: Catch 22 in ECC support of OpenPGP?)
NIIBE Yutaka <gniibe@fsij.org> Thu, 06 February 2014 06:52 UTC
Return-Path: <gniibe@fsij.org>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E05FC1A0380 for <openpgp@ietfa.amsl.com>; Wed, 5 Feb 2014 22:52:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.435
X-Spam-Level:
X-Spam-Status: No, score=-2.435 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.535] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cwJwnQE96y5j for <openpgp@ietfa.amsl.com>; Wed, 5 Feb 2014 22:52:57 -0800 (PST)
Received: from atom.fsij.org (atom.fsij.org [211.14.6.125]) by ietfa.amsl.com (Postfix) with ESMTP id E77261A037F for <openpgp@ietf.org>; Wed, 5 Feb 2014 22:52:56 -0800 (PST)
Received: from 241.137.55.36.ap.dti.ne.jp ([36.55.137.241] helo=[192.168.2.105]) by atom.fsij.org with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.80) (envelope-from <gniibe@fsij.org>) id 1WBIpL-00022v-5m; Thu, 06 Feb 2014 15:52:48 +0900
Message-ID: <1391669565.1566.5.camel@cfw2.gniibe.org>
From: NIIBE Yutaka <gniibe@fsij.org>
To: Werner Koch <wk@gnupg.org>
Date: Thu, 06 Feb 2014 15:52:45 +0900
In-Reply-To: <87mwicy20d.fsf@vigenere.g10code.de>
References: <1391140017.2806.7.camel@cfw2.gniibe.org> <52EB3FEE.9070205@brainhub.org> <1391154601.2806.10.camel@cfw2.gniibe.org> <87mwicy20d.fsf@vigenere.g10code.de>
Organization: Free Software Initiative of Japan
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.8.5-2+b1
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-SA-Exim-Connect-IP: 36.55.137.241
X-SA-Exim-Mail-From: gniibe@fsij.org
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000)
X-SA-Exim-Scanned: Yes (on atom.fsij.org)
Cc: Andrey Jivsov <openpgp@brainhub.org>, openpgp@ietf.org
Subject: [openpgp] ECDH with Curve25519 (was: Catch 22 in ECC support of OpenPGP?)
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Feb 2014 06:53:00 -0000
Hello, [ It was me to start this discussion at the gnupg-devel list. As it's better to continue here, I redirect my reply. ] On 2014-01-31 at 09:44 +0100, Werner Koch wrote: > On Fri, 31 Jan 2014 08:50, gniibe@fsij.org said: > > > When Curve25519 will be supported in GnuPG, I think that it's only for > > ECDH (since people use EdDSA with Ed25519, instead of ECDSA with > > I think it makes more sense to use an Ed25519 based ECDH in OpenPGP than > to require the implementation of its Montgomery variant Curve25519. > This would benefit small OpenPGP implementation which won't do the > current MUST algorithms but anyway provide compatibility with general > purpose OpenPGP tools. There might be a small performance drawback but > can be justified by a more compact implementation. The current ECDH > algo ID can still be used for this if we go without point compression. ECDH with Ed25519 would be better for some implementations. For a specification, I think that it is straightforward to define ECDH with Curve25519 (where curve point is represented by Montgomery curve). By the way, I realized that Curve25519 has cofactor 8. It seems for me that many other curves these days have cofactor > 1. RFC 6637 assumes that cofactor is 1. Here is another place to consider. --
- [openpgp] ECDH with Curve25519 (was: Catch 22 in … NIIBE Yutaka