Re: ECC in OpenPGP

Andrey Jivsov <openpgp@brainhub.org> Fri, 03 September 2010 22:07 UTC

Message-ID: <4C8170E8.5000900@brainhub.org>
Date: Fri, 03 Sep 2010 15:04:24 -0700
From: Andrey Jivsov <openpgp@brainhub.org>
To: Simon Josefsson <simon@josefsson.org>
CC: OpenPGP Working Group <ietf-openpgp@imc.org>
Subject: Re: ECC in OpenPGP
References: <1282856536.11340.29.camel@fermat.scientia.net> <87pqx4mm0b.fsf@vigenere.g10code.de> <04ac7894a29b891da7cbde98adb287e5@imap.dd24.net> <83BF96BC-A771-4511-B431-9B9B1545E351@callas.org> <49ee22eb2e5747f077b3bc885f197083@imap.dd24.net> <87y6boj5e0.fsf@vigenere.g10code.de> <4C7C4939.8050009@iang.org> <B095E184-5B6A-4339-9AD7-86568C0E43CC@callas.org> <4C801651.80201@brainhub.org> <8762ym8s3g.fsf@mocca.josefsson.org>
In-Reply-To: <8762ym8s3g.fsf@mocca.josefsson.org>

On 09/03/2010 01:55 PM, Simon Josefsson wrote:
> Andrey Jivsov <openpgp@brainhub.org> writes:
>
>> NIST is working on SP 800 131, in which RSA 2048 is the minimum
>> allowed algorithm, corresponding to 110 bit security. The document
>> suggests to disallow PKCS#1.5 padding after 2013. If we are going to
>> address this, it makes sense to do such a significant change together
>> along with ECC, as specified in
>> http://sites.google.com/site/brainhub/pgp.
> Supporting PKCS#1 v2.0 padding sounds like a separate effort though.  Is
> anyone interested in that?
>
> /Simon

It's separate, but here is how it is related to ECDH. Using PKCS#1 2.0
OAEP with the default SHA-1 MGF means that the minimum padded field for AES
256 is 54 bytes.

According to http://tools.ietf.org/html/draft-jivsov-openpgp-ecc-05,
which is on the above link, it is possible to pack an AES 256 key into 48
bytes using the NIST preferred algorithm, which is AES WRAP. This 15%
overhead is for each recipient of the message. You get higher overhead
if the MGF is not SHA-1 for compliance reasons.

RSA/DH keys don't have this "issue". The only question to resolve then 
is that OAEP contains a hash function. It would be worthwhile to wait 
for SHA3 selection.
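
The following is an added example, not part of the original message or of the draft: it shows how the 48-byte figure for an AES-256 session key under AES Key Wrap arises. The field layout is assumed from RFC 6637 (the later published form of the draft), the KEK and session key are constructed sample values rather than the output of the ECDH KDF, and the helper names are hypothetical. It uses the Python `cryptography` package.

```python
import struct
from cryptography.hazmat.primitives.keywrap import aes_key_wrap, aes_key_unwrap

AES256_ALGO_ID = 9  # OpenPGP symmetric algorithm ID for AES-256 (RFC 4880)

def encode_session_key(session_key: bytes, algo_id: int = AES256_ALGO_ID) -> bytes:
    """algo ID || session key || 16-bit checksum, PKCS#5-padded to 8-byte blocks."""
    checksum = sum(session_key) & 0xFFFF
    m = bytes([algo_id]) + session_key + struct.pack(">H", checksum)
    pad = 8 - len(m) % 8              # 1..8 bytes, each holding the pad length
    return m + bytes([pad]) * pad

def decode_session_key(m: bytes):
    """Reverse encode_session_key, rejecting bad padding or checksum."""
    pad = m[-1]
    if not 1 <= pad <= 8 or m[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    body = m[:-pad]
    algo_id, key = body[0], body[1:-2]
    (checksum,) = struct.unpack(">H", body[-2:])
    if sum(key) & 0xFFFF != checksum:
        raise ValueError("bad checksum")
    return algo_id, key

def wrap_for_recipient(kek: bytes, session_key: bytes) -> bytes:
    # RFC 3394 AES Key Wrap adds one 8-byte integrity block to its input.
    return aes_key_wrap(kek, encode_session_key(session_key))

def unwrap_for_recipient(kek: bytes, wrapped: bytes):
    # aes_key_unwrap raises InvalidUnwrap if the integrity check fails.
    return decode_session_key(aes_key_unwrap(kek, wrapped))

if __name__ == "__main__":
    kek = bytes(range(16))            # constructed KEK (assumption, not KDF output)
    session_key = bytes(range(32))    # constructed AES-256 session key
    encoded = encode_session_key(session_key)
    wrapped = wrap_for_recipient(kek, session_key)
    print(len(encoded), len(wrapped))  # 1 + 32 + 2 = 35, padded to 40, wrapped to 48
    print(unwrap_for_recipient(kek, wrapped) == (AES256_ALGO_ID, session_key))
```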