[OTR-dev] Fwd: Some DH groups found weak; is OTR vulnerable?

Taylor R Campbell campbell+otr at mumble.net
Thu Jun 4 12:58:53 EDT 2015


   Date: Mon, 1 Jun 2015 23:46:40 +0000
   From: Gregory Maxwell <gmaxwell at gmail.com>

   Though if we are nitpicking curve choices for OTR; as far as OTR goes,
   I am not sure why instead the recently multiply-invented 2^521-1 field
   curve wouldn't be used, as we know from the use of 1500-bit DH that
   adequate channel capacity is available; and OTR does not involve
   handling hundreds of messages per second, but it may protect secrets
   which need to stay private for decades.

In theory that sounds like a good choice.  But in practice, there is a
plethora of freely available constant-time (fast|portable)
high-quality code implementing Curve25519, and I don't know of any
such implementations of E-521, for DH or for signatures.

In SUPERCOP there is some code for Ed448-Goldilocks, another
high-security high-performance curve with a rho security margin
between those of Curve25519 and E-521.  But it's not as widely
available as Curve25519, and I can't speak to its quality.

(That said, for confidentiality multiple decades in the future, one
might want to focus more on post-quantum key exchange than on rho
security of elliptic curves.)

