On Oct 17, 2013, at 2:09 PM, Gregory Maxwell <gmaxwell(_at_)gmail(_dot_)com>
wrote:
With the recent concerns about the integrity of the NIST specified ECC
curves many protocols are looking to non-NIST alternatives for their
EC crypto needs.
Is anyone considering using Curve3617 in OpenPGP? The case for the
design approach is made at http://safecurves.cr.yp.to/ and is
generally pretty compelling.
Andrey would know best, but my reading of RFC 6637 leads me to think that all
you need is an OID for the curve and you're golden.
We're going to be using Curve3617 for Silent Circle as a replacement for P-384.
[Arguably for OpenPGP use it would be nice to see a ~1024 bit curve
produced with the same engineering methodology: for most uses of
OpenPGP performance is not a major limitation (1024 bit ECC could be
adequately fast on an embedded device) nor are 128 bytes more of
signature data, but long term security is... Index calculus results in
security that scales similar to integer factoring, so there is an
argument that even unknown breakthroughs that render common ECC
insecure would simply be reducing it to RSA like security.]
Why ever would you want a 1Kbit curve? Sure, arguably, but please make the
argument. As it is, Curve3617 is more than one really needs. I'm genuinely
interested.
Jon
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp