On 12.05.20 at 19:27, Grzegorz Kulewski wrote:
> Disclaimer: I am not a cryptographer either, let's just say I am an advisor. 
> So, anybody, please correct me, if needed.
> 
> 1. In terms of key size Curve 25519 and P-256 should have the same strength: ~128 
> bits (== comparing with a good symmetric cipher, like AES). Generally decent ECC 
> strength = ~0.5 * key_length_in_bits.
> 2. Curve 25519 is very easy to implement in such a way that the implementation 
> is fast. Implementations of other curves are usually slower.
> 3. Curve 25519 is generally easier to implement and easier to implement in such 
> a way that avoids many common security pitfalls, like vulnerability to timing 
> attacks.
> 4. The design of Curve 25519 is public, (is believed to be) software patent free and all 
> constants in it are derived in easily explainable ways. There are no "magic 
> numbers" out of nowhere that may be just random or maybe were chosen by designers to 
> make some kind of backdoor - but you can never prove that they are innocent since 
> obviously you can't prove that a random number was indeed chosen truly randomly.
> 5. Curve 25519 was designed by DJB, a (mostly) independent security expert 
> while others were designed/standardized by big organizations that (given 
> indirect evidence and rumors) may not be that trustworthy.
> 6. This is why many new (and not only, see SSH) protocols tend to choose Curve 
> 25519. But in PGP you should be careful because many implementations (and/or 
> older versions) don't support it. So if you want portability/interoperability 
> you may want some other curve or RSA, especially for the main and signing key.
> 7. If you want something stronger than Curve 25519 that (is believed to) share 
> similar benefits try Curve 448 (~224 bits of security). But I am not sure if 
> PGP implements it (yet?).


Hello,

Thank you all for your quick answers, it is very useful!

RJH's answer sounds like a good piece of advice, but still, at the end, we HAVE to choose which algorithm to use when creating new key pairs. This doesn't prevent me from (trying to) be cautious about the general health of my system. Grzegorz's points convince me to give Curve 25519 a try. I have another thought:
> But in PGP you should be careful because many implementations (and/or older 
> versions) don't support it. So if you want portability/interoperability you may 
> want some other curve or RSA, especially for the main and signing key.

I am not sure I fully grasp the consequences of this... Does that mean that, if I use Curve 25519, some people won't be able to use my public key to encrypt stuff? Or does that mean that some people won't be able to read or verify stuff that I encrypt and sign? Would it be because they use older versions or because some software programs don't implement Curve 25519?

I guess that Curve 25519 is mentioned in the IETF standard, isn't it?

Many thanks,
Best,

Sylvain

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
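
A check related to the interoperability question in this thread, as an added example that is not part of the original messages: it parses the curve list a GnuPG build reports with `gpg --with-colons --list-config curve` and says whether that build can handle Ed25519 (signing) and Curve25519 (encryption) keys. The function names and the two sample lines are constructed for illustration.

```shell
#!/bin/sh
# `gpg --with-colons --list-config curve` prints one line of the form
#   cfg:curve:name1;name2;...
# A build without ECC support prints no such line at all.

# curve_supported CFG_OUTPUT CURVE
# Exit status 0 if CURVE appears in the cfg:curve list, 1 otherwise.
curve_supported() {
    printf '%s\n' "$1" | awk -F: -v want="$2" '
        $1 == "cfg" && $2 == "curve" {
            n = split($3, names, ";")
            for (i = 1; i <= n; i++)
                if (names[i] == want) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# interop_report CFG_OUTPUT
# Prints one line per curve that matters for a Curve 25519 key pair,
# with nistp256 (P-256) shown for comparison.
interop_report() {
    for c in ed25519 cv25519 nistp256; do
        if curve_supported "$1" "$c"; then
            echo "$c: supported"
        else
            echo "$c: NOT supported"
        fi
    done
}

# Constructed sample lines (not captured from a real installation).
SAMPLE_MODERN='cfg:curve:cv25519;ed25519;nistp256;nistp384;nistp521'
SAMPLE_OLDER='cfg:curve:nistp256;nistp384;nistp521'

echo "--- sample: build with Curve 25519"
interop_report "$SAMPLE_MODERN"
echo "--- sample: build without Curve 25519"
interop_report "$SAMPLE_OLDER"

# On a real system, feed in the live output instead:
#   interop_report "$(gpg --with-colons --list-config curve)"
```

A correspondent whose build lacks `cv25519` cannot encrypt to such a key, and one whose build lacks `ed25519` cannot verify its signatures.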
