[OTR-dev] IFF meeting notes - OTRv4

Ian Goldberg ian at cypherpunks.ca
Thu Mar 17 18:09:41 EDT 2016


On Thu, Mar 17, 2016 at 10:54:25PM +0100, jvoisin wrote:
> > Just to slightly hedge against elliptic curves being weaker than we 
> > think, or even to quantum computers with hundreds but not thousands
> > of qubits, the whole OTRv4 protocol (which itself uses ECC such as 
> > curve25519 or maybe one of the 400-ish-bit ones) is wrapped in a 
> > 2048-bit mod p Diffie-Hellman.  The outer layer is not explicitly 
> > authenticated.
> 
> Isn't 2048-bit mod p Diffie-Hellman a bit short for a modern protocol?
> At least, this is what the BSI is saying: https://www.keylength.com/en/8/

I don't think it's a problem, particularly since it's just the wrapper.
And, although we don't have the protocol nailed down yet, I'm already
worried about the size of the key exchange messages.  We'll see how it
goes.

