ietf-openpgp
[Top] [All Lists]

[openpgp] Curve448 in ECDH

2021-02-27 17:38:59
On 2021-02-23 at 02:19:03, Paul Wouters wrote:

- Incorporated RFC 6637 (ECDSA and ECDH, using NIST curves)
- Incorporate Curve25519 for ECDH

Most of what's there looks fine (excepting the v5 fingerprint thing I
mentioned elsewhere).

I'm wondering, however, if there's consensus for adding Curve448 as well
for ECDH.  (I would be in favor of it.)  I don't have an OID for it, but
I believe RFC 8410 defines one, although that RFC defines a different
OID for Curve25519 than I see here in the spec.

The reason I ask is that in many implementations, of the NIST curves,
only P-256 is implemented in a constant-time manner, whereas Curve25519
and Curve448 are almost always implemented in a constant-time manner.
For example, Go has this problem.  That's in addition to the pervasive
questions about the selection of the parameters, which I want to
acknowledge as a concern many people have but don't want to debate
extensively.

It therefore makes sense to provide a curve that doesn't have those
limitations for those cases where users or specifications require a
security level of 192 bits or greater.
-- 
brian m. carlson (he/him or they/them)
Houston, Texas, US

Attachment: signature.asc
Description: PGP signature

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp