[openpgp] ECDH with Curve25519 (was: Catch 22 in ECC support of OpenPGP?)

NIIBE Yutaka <gniibe@fsij.org> Thu, 06 February 2014 06:52 UTC


[ It was I who started this discussion on the gnupg-devel list.
  As it's better to continue here, I redirect my reply.  ]

On 2014-01-31 at 09:44 +0100, Werner Koch wrote:
> On Fri, 31 Jan 2014 08:50, gniibe@fsij.org said:
> > When Curve25519 will be supported in GnuPG, I think that it's only for
> > ECDH (since people use EdDSA with Ed25519, instead of ECDSA with
> I think it makes more sense to use an Ed25519 based ECDH in OpenPGP than
> to require the implementation of its Montgomery variant Curve25519.
> This would benefit small OpenPGP implementations which won't do the
> current MUST algorithms but anyway provide compatibility with general
> purpose OpenPGP tools.  There might be a small performance drawback but
> can be justified by a more compact implementation.  The current ECDH
> algo ID can still be used for this if we go without point compression.

ECDH with Ed25519 would be better for some implementations.  For a
specification, I think that it is straightforward to define ECDH with
Curve25519 (where the curve point is represented on the Montgomery curve).

By the way, I realized that Curve25519 has cofactor 8.  It seems to
me that many other curves these days have cofactor > 1.

RFC 6637 assumes that cofactor is 1.  Here is another place to