[PATCH] curve25519-sha256 at libssh.org key exchange proposal
mancha
mancha1 at hush.com
Wed Nov 6 06:40:23 EST 2013
Aris Adamantiadis <aris <at> 0xbadc0de.be> writes:
> Hi,
>
> For my part I chose Curve25519 because it's there since a while and had
> time to be studied. The other curves you mention have all been
> introduced in 2013. I don't know enough mathematics to criticize any of
> these curves, but letting some times for others to do so seems prudent.
Aris:
Thank you for your reply.
Let me follow-up my post to make sure I am not misunderstood.
Given questionable explanations/rationale surrounding constant selection
in some NIST curves, there is genuine justification for considering
alternatives. I thank you for your valuable contribution with this and
thank the OpenSSH developers for embracing it.
Dr. Bernstein's track record is quite impressive and like you I share
the belief that generally in cryptography "older is better". More
specifically, Curve25519 is impervious to Pohlig-Hellman and twist
attacks. Also, we ensure primes are large enough to mitigate attacks
such as Pollard's rho, Shank's, etc. As far as implementation, NaCl's
certainly appears quite crisp (https://twitter.com/tweetnacl).
That said, a key lesson from the NIST curve controversy is the
importance of retaining a healthy dose of skepticism. And I do.
Finally, there's a high value to the OpenSSH community in expanding
options available (kexalg, mac, cipher, etc.) so let me express my
hope for continued vigorous activity in this area.
Many thanks.
--mancha
More information about the openssh-unix-dev
mailing list