Hello,
[ It was me to start this discussion at the gnupg-devel list.
As it's better to continue here, I redirect my reply. ]
On 2014-01-31 at 09:44 +0100, Werner Koch wrote:
On Fri, 31 Jan 2014 08:50, gniibe(_at_)fsij(_dot_)org said:
When Curve25519 will be supported in GnuPG, I think that it's only for
ECDH (since people use EdDSA with Ed25519, instead of ECDSA with
I think it makes more sense to use an Ed25519 based ECDH in OpenPGP than
to require the implementation of its Montgomery variant Curve25519.
This would benefit small OpenPGP implementation which won't do the
current MUST algorithms but anyway provide compatibility with general
purpose OpenPGP tools. There might be a small performance drawback but
can be justified by a more compact implementation. The current ECDH
algo ID can still be used for this if we go without point compression.
ECDH with Ed25519 would be better for some implementations. For a
specification, I think that it is straightforward to define ECDH with
Curve25519 (where curve point is represented by Montgomery curve).
By the way, I realized that Curve25519 has cofactor 8. It seems for
me that many other curves these days have cofactor > 1.
RFC 6637 assumes that cofactor is 1. Here is another place to
consider.
--
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp