> You may wish to visit https://safecurves.cr.yp.to/.

I read this page MANY times, and generally I am also against using P-256/384/521. However I believe that risk of using non-EC DH under 2048 bits (Logjam) and SHA-1 is higher, and also take speed into consideration.

> However, you need to assume that you can trust that the standard curves have not been heavily pre-computed too.

They may not only be pre-computed, but also chosen to be easy to pre-compute. See https://bada55.cr.yp.to/vr.html.

> I am given to understand that NIST is going to be considering EdDSA and things like Curve25519 and Curve448 in the coming year for release.

Are you confusing IETF and NIST? IETF is heavily using these two curves, but I did not hear about NIST working at including them into their standards.

> The other thing happening is the consideration of using paired curves. Right now that is not a part of the SSHv2 protocol, but the field continues to get new research.

If by paired curves you mean converting the key between Curve25519 and Ed25519 form, that's generally not considered to be as secure as using separate keys.

On Fri, Feb 15, 2019 at 11:34 AM Mark D. Baushke <mdb@xxxxxxxxxxx> wrote:
>
> Yegor Ievlev <koops1997@xxxxxxxxx> writes:
>
> > I referred to the fact that there is no value for 4096-bit groups at
> > all. For higher strengths than 128 bits one should probably not use
> > non-EC crypto at all, as the document suggests.
>
> For Diffie-Hellman 4096-bits, running one of the mathematical methods
> gives you on the order of 150 bits of security. See RFC 3526 section 8.
>
> For a 190-bits of security, you need a Diffie-Hellman of 8k-bits in
> size.
>
> Of course, using a larger Q-ordered subgroup such as we get with
> safe-primes helps to increase the computation time needed even beyond
> the standard sieve techniques.
>
> The speed of an ECC computation is indeed faster than FFC. However, you
> need to assume that you can trust that the standard curves have not been
> heavily pre-computed too.
>
> You may wish to visit
>
> https://safecurves.cr.yp.to/
>
> for an interesting view on ECDH and ECDSA technology.
>
> I am given to understand that NIST is going to be considering EdDSA and
> things like Curve25519 and Curve448 in the coming year for release.
>
> The other thing happening is the consideration of using paired curves.
> Right now that is not a part of the SSHv2 protocol, but the field
> continues to get new research.
>
> -- Mark

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev