Support of Curve25519

[fsuel]

Hi, Do you plan to support Curve 25519 as Gnuk (v 1.1.9 :https://github.com/ggkitsas/gnuk/blob/master/NEWS) , GnuPg (v 2.1 : https://gnupg.org/faq/whats-new-in-2.1.html) and Openkeychain (v 4.9 : https://apkdot.com/apk/openkeychain/openkeychain/openkeychain-easy-pgp-5-1-2/) do and when ?

It would be great to have smartcard and usb/gnuk token which support Curve25519, the first one for smartphone/NFC usage and the last one for PC.

Best regards

[af-anssi]

It is not planned to support Curve25516 in SmartPGP for two reasons:

1. it is not (yet?) part of OpenPGP standard;
2. Javacard (3.0.x) does not offer native support for Curve25519 and does not offer enough low-level primitives to implement it at the applet level (https://stackoverflow.com/questions/31807585/using-curve25519-on-javacard)

[dschuermann]

There is a new project on the horizon providing re-implementations of low-level primitives, but I am not sure how helpful this is: http://opencryptojc.org/

[fsuel]

If Curve25519 is not yet a OpenPGP smartcard specification (https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.3.pdf), it is implemented by Gnuk witch is OpenPGP card compliant and other Nitrokeys, Yubikeys.

IANIX web site (https://ianix.com/pub/curve25519-deployment.html) talk about things that use Curve255196 and refere to Javacard: jc_curve25519 from David Oswald. But i don't know if that can help you !

[Alixerid]

I would like to add a point for motivation to support Curve25519 in SmartPGP:

This project is great because it supports both strong RSA keys with 4096 bits and NFC. Unfortunately, there seems to be no smart card hardware on the market that supports more than 2048 bit key size and has an NFC interface. Since 2048 bit RSA keys are not deemed secure in the longer term anymore stronger keys are becoming more important for any user. Smartphone users who can leverage the convenience of NFC smart cards would really benefit from Curve25519 support in this project.

[af-anssi]

@dschuermann Thank you for the link !

@fsuel Although [the equation can be converted] (http://samuelkerr.com/?p=431), ECDSA is not the algorithm to be used for signature/authentication with this curve (see here). Implementing this algorithm requires low level primitives not available in the JavaCard API (yet ?).

@Alixerid You can already use implemented ECC with SmartPGP with the several curves (NIST P-256, NIST P-384, NIST P-521, brainpool p256r1, brainpool p384r1 and brainpool p512r1) with OpenKeychain on mobiles devices, but also with GnuPG on PC.

[paride]

The newly released Java Card 3.1 specification supports x25519 and Ed25519:

https://docs.oracle.com/en/java/javacard/3.1/specnotes/index.html

[martinpaljak]

But cards with support are ages away

[vvug]

@martinpaljak sure, but the standard is there now, it is only a matter of time, hopefully. Pity that Gnuk can't run on smartcards (at least I didn't find any which is able to run it...).

[martinpaljak]

Nothing forbids current cards from implementing proprietary extensions, like Edwards curves (I've heard some are available from Asian manufacturers, targeting JC 3.0.1). Also nothing forces the standard to be implemented fully on a future card (look at JCSupport to see the actual support of algorithms on different cards).

But it is specified, indeed.

[af-anssi]

SmartPGP will support Curve25519 on cards compliant with JavaCard 3.1 only.

[wreps8Owt]

It may be done by using the achievement of https://github.com/david-oswald/jc_curve25519 .

[af-anssi]

Thank you for the link. For SmartPGP we will rely only on JavaCard platform implementation for security reasons.

[yaperez-anssi]

Thank you for the link. For SmartPGP we will rely only on JavaCard platform implementation for security reasons.

Are there recent updates on ED25519 support on JC3.1, and availability of JC3.1 platforms (a quick search didn't reveal any).