ietf-openpgp

Re: [openpgp] details of 4880bis work

2015-04-12 09:17:57

Hiya,

Just on one point, and apologies in advance to those for whom
this is repetitive, but I guess not everyone here is on the
CFRG list...

On 10/04/15 22:51, Christoph Anton Mitterer wrote:
> > f) standardize the two new curves coming out of the CFRG: 25519 and
> >    curve448 ("goldilocks") for both signatures and encryption (Werner
> >    has already started this process for 25519 signatures)
> I haven't followed CFRG the last weeks,... are the plans for anything
> at/beyond the 512 level dead?

CFRG have reached consensus on the "goldilocks" curve which has
a 448-bit prime as its higher work-factor curve (448 presumably
meaning a work factor of about 2^224). That's in addition to
curve25519 which has work factor ~2^128.

I don't believe there is likely to be an even higher work-factor
curve documented by CFRG as part of its current phase of work as
they are focused on meeting the immediate needs of TLS and other
IETF WGs (and W3C) at present, and they have a bunch of work to
do to specify, and get consensus on, a signature scheme for the
two curves they've so far selected.

A number of people also made the argument that if a curve with
work factor ~2^224 is ever busted then it'd not be at all a
surprise if whatever approach worked for that also worked just
fine for a work-factor 2^256 curve. In other words, that there's
no really good reason to want a curve based on a 512 bit prime
if one has goldilocks.

Cheers,
S.






_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp