Date: Mon, 1 Jun 2015 23:46:40 +0000 From: Gregory Maxwell <gmaxw...@gmail.com>
Though if we are nitpicking curve choices for OTR; As far as OTR goes, I am not sure why instead the recently multiply-invented 2^521-1 field curve wouldn't be used as we know from the use of 1500bit DH there is adequate channel capacity is available; and OTR does not involve handling hundreds of messages per second, but it may protect secrets which need to stay private for decades. In theory that sounds like a good choice. But in practice, there is a plethora of freely available constant-time (fast|portable) high-quality code implementing Curve25519, and I don't know of any such implementations of E-521, for DH or for signatures. In SUPERCOP there is some code for Ed448-Goldilocks, another high-security high-performance curve with a rho security margin between those of Curve25519 and E-521. But it's not as widely available as Curve25519, and I can't speak to its quality. (That said, for confidentiality multiple decades in the future, one might want to focus more on post-quantum key exchange than on rho security of elliptic curves.) _______________________________________________ OTR-dev mailing list OTR-dev@lists.cypherpunks.ca http://lists.cypherpunks.ca/mailman/listinfo/otr-dev
