> Just to slightly hedge against elliptic curves being weaker than we
> think, or even to quantum computers with hundreds but not thousands
> of qubits, the whole OTRv4 protocol (which itself uses ECC such as
> curve25519 or maybe one of the 400-ish-bit ones) is wrapped in a
> 2048-bit mod p Diffie-Hellman. The outer layer is not explicitly
> authenticated.

Isn't 2048-bit mod p Diffie-Hellman a bit short for a modern protocol? At least, this is what the BSI is saying: https://www.keylength.com/en/8/

(also, thanks for the notes!)

_______________________________________________
OTR-dev mailing list
[email protected]
http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
