On Tue, 17 Dec 2013 20:01, anth...@cajuntechie.org said: > I know that gnupg is experimenting with ECC and I'm wondering which > curves the team has decided to use. I know there are some curves that > are now suspected of being tainted by the NSA through NIST. Has the > gnupg team ruled using those curves out?
We will support the curves specified in RFC-6637. These are the NIST curves P-256, P-384, and P-521. I recently added support for Brainpool P256r1, P384r1, and P512r1 to make some some European governments happy. I the wake of recent events and due to the fear of many people that the NIST curves might have some secret properties, I added support for Bernstein et al's Ed25519 signature scheme. The problem here is that it is not really covered by RFC-6637 because it does not use the ECDSA signature scheme but a Schnorr like scheme named EdDSA. Thus for a proper implementation we need to assign a new algorithm number to it which in turn means to write another RFC. I recently met with Phil Zimmermann and we talked about the OpenPGP future. It is pretty clear that we need to replace the current algorithms with elliptic curves to get a better security margin for the future. Alhough there are no technical reasons not to use existing standard curves, we better take the users unhappiness with NIS curves in account and move on to curves like Ed25519 which are easier to use and are an outcome of public research. Bernstein and Lange are currently working on a 384 bit curve and it is very likely that this one will also be added to GnuPG. Salam-Shalom, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users