Re: Comparison of RSA vs elliptical keys
Konstantin Ryabitsev wrote: > On Tue, May 12, 2020 at 11:24:57AM +0200, Johan Wevers wrote: > > > For example, a 256 bit elliptic curve key has a similar strength > > > to a symmetric key of 128 bits. > > > > Until, of course, a working quantum computer with more than a few > > qubits is constructed. > > Don't worry, there's literally trillions of dollars worth of bitcoins > riding on the premise that this will never happen. ;) Who knows, maybe in the future it is possible for researchers/companies etc. to build cheaper and easier to produce alternatives? https://www.nature.com/articles/d41586-019-02742-x Regards Stefan -- Signal (Desktop) +4915172173279 https://keybase.io/stefan_claas ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Comparison of RSA vs elliptical keys
Le 13.05.20 à 11:54, Damien Goutte-Gattat a écrit : On Wed, May 13, 2020 at 10:02:14AM +0200, Sylvain Besençon via Gnupg-users wrote: RJH's answer sounds like a good piece of advice, but still, at the end, we HAVE to to choose which algorithm to use when creating new key pairs. No you don’t. You can simply use `gpg --gen-key` and let GnuPG create a keypair with the default algorithm (which is currently RSA 2048). Only if you call GnuPG with the `--full-gen-key` command will you be asked to explicitly choose which type of key of want. I am not sure to fully grasp the consequences of this... Does that mean that, if I use Curve 25519, some people won't be able to use my public key to encrypt stuff? If their software does not support Curve 25519, yes. Or does that mean that some people won't be able to read or verify stuff that I encrypt and signs? You encrypt messages to your correspondants with *their* public keys, so the type of *your* key does not matter for that purpose. But they won’t be able to verify your signatures. Would it be because they use older versions or because some software programs don't implement Curve 25519? Yes. That being said, most modern implementations do seem to support curve 25519. As far as I know, it is supported at the very least by * GnuPG (≥ 2.1) * OpenPGP.js * Sequoia-PGP * RNP … which should already cover most of the OpenPGP user base. Of note, it is *not* supported by Symantec PGP, though [1]. I guess that Curve 25519 is mentioned in the IETF standard, isn't it? Not yet. Officially, only the NIST P-256, P-384, and P-521 curves are part of the standard (since RFC 6637). The first mention of Curve 25519 for OpenPGP was in a draft by Werner in 2014 [2]. The draft never made it to a RFC but the 25519 curve is now part of the draft for RFC4880bis, the next revision of the OpenPGP standard [3]. - Damien [1] https://knowledge.broadcom.com/external/article/175932/encryption-desktop-cannot-import-ecc-pgp.html [2] https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-00 [3] https://gitlab.com/openpgp-wg/rfc4880bis Thanks a lot for all these explanations. It's very useful and instructive. I appreciate your patience towards my dummy questions..! :) ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Comparison of RSA vs elliptical keys
Le 13.05.20 à 12:18, Robert J. Hansen a écrit : "Unless you know what you're doing and why, use the defaults." I've been saying that for twenty years now. I keep thinking that someday someone will actually take it seriously... Thanks for the demonstration! At least, I will now know what I am doing when I'll use the defaults! :) Sylvain ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Comparison of RSA vs elliptical keys
Robert J. Hansen wrote: > > RJH's answer sounds like a good piece of advice, but still, at the > > end, we HAVE to to choose which algorithm to use when creating new > > key pairs. > > rjh@maggie:~$ gpg --gen-key > gpg: WARNING: using experimental features from RFC4880bis! > Note: Use "gpg --full-generate-key" for a full featured key generation > dialog. > > GnuPG needs to construct a user ID to identify your key. > > Real name: Delete Me > Email address: del...@example.org > You selected this USER-ID: > "Delete Me " > > Change (N)ame, (E)mail, or (O)kay/(Q)uit? o > We need to generate a lot of random bytes. It is a good idea... > > [snip] > > Where in there was I ever asked to choose an algorithm? In older versions, like 2.0.x for example, it asked for ... > "Unless you know what you're doing and why, use the defaults." I've > been saying that for twenty years now. I keep thinking that someday > someone will actually take it seriously... Super modern OpenPGP implementations like the super awesome sequoia pgp defaults to cv25519... (and does not need to generate a UID for privacy reasons, simply fantastic!) Regards Stefan -- Signal (Desktop) +4915172173279 https://keybase.io/stefan_claas ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Comparison of RSA vs elliptical keys
> RJH's answer sounds like a good piece of advice, but still, at the end, > we HAVE to to choose which algorithm to use when creating new key pairs. rjh@maggie:~$ gpg --gen-key gpg: WARNING: using experimental features from RFC4880bis! Note: Use "gpg --full-generate-key" for a full featured key generation dialog. GnuPG needs to construct a user ID to identify your key. Real name: Delete Me Email address: del...@example.org You selected this USER-ID: "Delete Me " Change (N)ame, (E)mail, or (O)kay/(Q)uit? o We need to generate a lot of random bytes. It is a good idea... [snip] Where in there was I ever asked to choose an algorithm? "Unless you know what you're doing and why, use the defaults." I've been saying that for twenty years now. I keep thinking that someday someone will actually take it seriously... ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Comparison of RSA vs elliptical keys
On Wed, May 13, 2020 at 10:02:14AM +0200, Sylvain Besençon via Gnupg-users wrote: RJH's answer sounds like a good piece of advice, but still, at the end, we HAVE to to choose which algorithm to use when creating new key pairs. No you don’t. You can simply use `gpg --gen-key` and let GnuPG create a keypair with the default algorithm (which is currently RSA 2048). Only if you call GnuPG with the `--full-gen-key` command will you be asked to explicitly choose which type of key of want. I am not sure to fully grasp the consequences of this... Does that mean that, if I use Curve 25519, some people won't be able to use my public key to encrypt stuff? If their software does not support Curve 25519, yes. Or does that mean that some people won't be able to read or verify stuff that I encrypt and signs? You encrypt messages to your correspondants with *their* public keys, so the type of *your* key does not matter for that purpose. But they won’t be able to verify your signatures. Would it be because they use older versions or because some software programs don't implement Curve 25519? Yes. That being said, most modern implementations do seem to support curve 25519. As far as I know, it is supported at the very least by * GnuPG (≥ 2.1) * OpenPGP.js * Sequoia-PGP * RNP … which should already cover most of the OpenPGP user base. Of note, it is *not* supported by Symantec PGP, though [1]. I guess that Curve 25519 is mentioned in the IETF standard, isn't it? Not yet. Officially, only the NIST P-256, P-384, and P-521 curves are part of the standard (since RFC 6637). The first mention of Curve 25519 for OpenPGP was in a draft by Werner in 2014 [2]. The draft never made it to a RFC but the 25519 curve is now part of the draft for RFC4880bis, the next revision of the OpenPGP standard [3]. - Damien [1] https://knowledge.broadcom.com/external/article/175932/encryption-desktop-cannot-import-ecc-pgp.html [2] https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-00 [3] https://gitlab.com/openpgp-wg/rfc4880bis signature.asc Description: PGP signature ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Comparison of RSA vs elliptical keys
Le 12.05.20 à 19:27, Grzegorz Kulewski a écrit : Disclaimer: I am not a cryptographer either, let's just say I am an advisor. So, anybody, please correct me, if needed. 1. In terms of key size Curve 25519 and P-256 should have same strength: ~128 bits (== comparing with good symmetric cipher, like AES). Generally decent ECC strength = ~0.5 * key_length_in_bits. 2. Curve 25519 is very easy to implement in such a way that the implementation is fast. Implementations of other curves are usually slower. 3. Curve 25519 is generally easier to implement and easier to implement in such a way that avoids many common security pitfalls, like vulnerability to timing attacks. 4. The design of Curve 25519 is public, (is believed to be) software patent free and all constants in it are derived in an easily explainable ways. There are no "magic numbers" out of nowhere that may be just random or maybe were chosen by designers to make some kind of backdoor - but you can never prove that they are innocent since obviously you can't prove that random number was indeed chosen truly randomly. 5. Curve 25519 was designed by DJB, an (mostly) independent security expert while others were designed/standardized by big organizations that (given indirect evidence and rumors) may not be that trustworthy. 6. This is why many new (and not only, see SSH) protocols tend to choose Curve 25519. But in PGP you should be careful because many implementations (and/or older versions) don't support it. So if you want portability/interoperability you may want some other curve or RSA, especially for the main and signing key. 7. If you want something stronger than Curve 25519 that (is believed to) share similar benefits try Curve 448 (~224 bits of security). But I am not sure if PGP implements it (yet?). Hello, Thank you all for your quick answers, it is very useful! RJH's answer sounds like a good piece of advice, but still, at the end, we HAVE to to choose which algorithm to use when creating new key pairs. This doesn't prevent me to (try to) be cautious about the general health of my system. Grzegorz's points convince me to give a try to Curve 25519. I have another though: But in PGP you should be careful because many implementations (and/or older versions) don't support it. So if you want portability/interoperability you may want some other curve or RSA, especially for the main and signing key. I am not sure to fully grasp the consequences of this... Does that mean that, if I use Curve 25519, some people won't be able to use my public key to encrypt stuff? Or does that mean that some people won't be able to read or verify stuff that I encrypt and signs? Would it be because they use older versions or because some software programs don't implement Curve 25519? I guess that Curve 25519 is mentioned in the IETF standard, isn't it? Many thanks, Best, Sylvain ___ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
