On 09/03/2010 01:55 PM, Simon Josefsson wrote:
> Andrey Jivsov <openpgp(_at_)brainhub(_dot_)org> writes:
>
>> NIST is working on SP 800 131, in which RSA 2048 is the minimum
>> allowed algorithm, corresponding to 110 bit security. The document
>> suggests disallowing PKCS#1.5 padding after 2013. If we are going to
>> address this, it makes sense to do such a significant change together
>> along with ECC, as specified in
>> http://sites.google.com/site/brainhub/pgp.
>
> Supporting PKCS#1 v2.0 padding sounds like a separate effort though. Is
> anyone interested in that?
>
> /Simon

It's separate, but here is how it is related to ECDH. Using PKCS#1 2.0
OAEP with the default SHA-1 MGF means that the minimum padded field for AES
256 is 54 bytes.

According to http://tools.ietf.org/html/draft-jivsov-openpgp-ecc-05,
which is on the above link, it is possible to pack an AES 256 key into 48
bytes using the NIST-preferred algorithm, which is AES WRAP. This 15%
overhead is for each recipient of the message. You get higher overhead
if the MGF is not SHA-1 for compliance reasons.

RSA/DH keys don't have this "issue". The only question to resolve then
is that OAEP contains a hash function. It would be worthwhile to wait
for the SHA3 selection.