With the recent concerns about the integrity of the NIST specified ECC
curves many protocols are looking to non-NIST alternatives for their
EC crypto needs.
Is anyone considering using Curve3617 in OpenPGP? The case for the
design approach is made at http://safecurves.cr.yp.to/ and is
generally pretty compelling.
[Arguably for OpenPGP use it would be nice to see a ~1024 bit curve
produced with the same engineering methodology: for most uses of
OpenPGP performance is not a major limitation (1024 bit ECC could be
adequately fast on an embedded device) nor are 128 bytes more of
signature data, but long term security is... Index calculus results in
security that scales similar to integer factoring, so there is an
argument that even unknown breakthroughs that render common ECC
insecure would simply be reducing it to RSA like security.]
Along those lines, has there been any proposal for supporting a merkle
signature scheme for long term master identity keys? For a master
identity key that delegates signing a finite (but potentially large)
amount of reuse is not problematic at all. Relatively large signatures
are not problematic in many applications, and these signatures would
have nicely orthogonal security to discrete log based cryptosystems
and are strong against quantum computers. (And regardless how much of
a threat you personally consider quantum computers on the time scales
you consider relevant, FUD related to them "oh but the XYZ has QC's
see this dwave hype, no reason to use crypto at all" is harmful to the
public.)
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp