I second this motion. After the recent revelations about NSA shenanigans regarding NIST and with Bruce Schneier himself saying he is highly suspicious of NIST curves, I think it behooves the OpenPGP standards group to think about alternative curves. Of course, some users of OpenPGP will need NIST compliance, and that's fine. It can still be included as long as the rest of us (who don't like being played for fools) have alternatives available.
I don't think there is a better place to start than with djb's curve25519. It is faster than the NIST curves, can be shown to have "nothing up the sleeve" and appears to be quite secure. Djb even gave a talk a number of years ago where he compared it to NIST curves and even raised his own suspicions about how those curves were generated. Moreover, djb has provided a lot of reference implementations for it (with full C code) on his site, thus implementation is more of a "will to do it" than a technical challenge. It's good to see that Werner has already made the suggestion to implement different curves. Let's hope that the OpenPGP working group agrees with his recommendation and that we can finally see (non-tampered with) ECC put into use in Gnupg. -- View this message in context: http://gnupg.10057.n7.nabble.com/Support-for-additional-ECC-Curves-in-GnuPG-gcrypt-tp32408p32563.html Sent from the GnuPG - User mailing list archive at Nabble.com. _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
