Hi Yegor,

Yegor Ievlev <koops1997@xxxxxxxxx> writes:

> I read this page MANY times, and generally I am also against using
> P-256/384/521. However I believe that risk of using non-EC DH under
> 2048 bits (Logjam) and SHA-1 is higher, and also take speed into
> consideration.

I wrote RFC8268 as I also had many of these same concerns, but I tend to
think that 4k bit DH primes are good enough security for aes128-ctr or
aes128-gcm today. If you have a need for more security, then the
computation tradeoffs start to become cumbersome.

I regret that I am behind on revising the draft-ietf-curdle-ssh-curves
to address the Area Director comments to get that published as an RFC
so that more standards bodies will be able to specify the use of
Curve25519 or Curve448 in the SSH protocol.

> Mark Baushke <mdb@xxxxxxxxxxx> writes:
>
> > I am given to understand that NIST is going to be considering EdDSA
> > and things like Curve25519 and Curve448 in the coming year for
> > release.
>
> Are you confusing IETF and NIST? IETF is heavily using these two
> curves, but I did not hear about NIST working at including them into
> their standards.

For Curve25519 and Curve448 references, this news announcement may be of
interest:

  Transition Plans for Key Establishment Schemes using Public Key
  Cryptography
  October 31, 2017
  https://csrc.nist.gov/News/2017/Transition-Plans-for-Key-Establishment-Schemes

has this text:

  In addition, NIST guidelines on Elliptic Curve Cryptography are also
  being revised to propose the adoption of new elliptic curves specified
  in the Internet Engineering Task Force (IETF) RFC 7748. The upcoming
  draft of SP 800-186, which will specify approved elliptic curves, will
  include the curves currently specified in FIPS 186-4 and two
  additional curves: Curve25519 and Curve448. Their associated key
  agreement schemes, X25519 and X448, will be considered for inclusion
  in a subsequent revision to SP 800-56A.

  The CMVP does not intend to enforce compliance with SP 800-56A until
  these revisions are complete.

For EdDSA you may wish to look here:

  https://csrc.nist.gov/CSRC/media/Publications/sp/800-131a/rev-2/draft/documents/sp800-131Ar2-draft.pdf

On page iii is this text:

  4. A revision of FIPS 186 (FIPS 186-5) will soon be available for
  public comment. This revision will include EdDSA. SP 800-131A takes
  this into account.

See also references in section 3 on line 162 with footnote 17 on page 6
and in Table 2 on page 7 and on line 192 on page 8 and line 222 on
page 9.

The new draft of FIPS Special Publication 186-5 is not yet available for
review as of today.

> If by paired curves you mean converting the key between Curve25519 and
> Ed25519 form, that's generally not considered to be as secure as using
> separate keys.

No. The following will give you a better understanding for the nature of
the field that is emerging.

  An Introduction to Pairing-Based Cryptography
  by Alfred Menezes
  https://www.math.uwaterloo.ca/~ajmeneze/publications/pairings.pdf

  Pairing-Based Cryptography At High Security Levels
  by Neal Koblitz and Alfred Menezes
  http://www.mathnet.or.kr/mathnet/preprint_file/cacr/2005/cacr2005-08.pdf

  Pairing-Friendly Curves
  https://tools.ietf.org/html/draft-yonezawa-pairing-friendly-curves-00

  Optimal Ate Pairing
  https://tools.ietf.org/html/draft-kato-optimal-ate-pairings-01

It is not a mature enough field yet, but it is an active area of
research.

I hope you find this information useful.

Some folks may find it useful to visit the Internet Research Task Force
Crypto Forum Research Group email archives. irtf.org has a pointer to
the Charter for the Research Group and that in turn has a pointer to
the cfrg mailing list and jabber chat address.

Enjoy!

-- Mark

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
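The key-exchange preferences argued over in this thread (Curve25519 first, no SHA-1, no finite-field groups under 2048 bits, 4k-bit DH groups from RFC 8268 as the fallback) can be written down directly as an OpenSSH server setting. The fragment below is an added illustration, not text from Mark's or Yegor's mail and not OpenSSH's shipped default; the algorithm names are OpenSSH's own registered names, while the "weak" line and the ordering are constructed to show the contrast. OpenSSH registers no Curve448 key exchange, so none appears here.

```text
# sshd_config fragment (added example; only the last KexAlgorithms line is active)

# Weak choice, constructed for illustration and kept commented out:
# SHA-1 throughout, and group1 is a 1024-bit prime, i.e. the Logjam range.
#KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1

# Ordering that follows the thread: Curve25519 first, then the RFC 8268
# finite-field groups hashed with SHA-2. group16 is the 4096-bit prime,
# group18 the 8192-bit prime, group14 the 2048-bit floor. No SHA-1 and
# no NIST P-curve ECDH.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
```

`ssh -Q kex` lists the names the installed build understands, and `sshd -T` prints the effective server configuration, so both sides can be checked against this list before the old SHA-1 groups are removed from a fleet.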