search

jerson / flutter-openpgp

OpenPGP for flutter made with golang for fast performance with support for android, ios, macos, linux, windows, web and hover
https://pub.dev/packages/openpgp
MIT License
67 stars 23 forks source link

Support for ECC keys #22

Open Tsuribori opened 3 years ago

Tsuribori commented 3 years ago

It would be great if ECC keys would also be supported instead of just RSA.

jerson commented 3 years ago

Hi @Tsuribori thanks for report the issue, im not an expert with ECC but im gonna research about that, main repo is a go project https://github.com/jerson/openpgp-mobile right now im working migrating from protobuf to flatbuffers, after that binaries will be like 3mb less , but if you have some info about that would be great

tallinn1960 commented 2 years ago

One would be able to implement that in plain dart using pointycastle without the need to go that deep into an understanding how ECC works, however, the architecture of your package is quite different. As you seem to do all cryptography in go mileage may vary: is there a potent crypto library like there is for java (bouncycastle) or dart (pointycastle) or C (openssl)?

Basically ECC encryption support for pgp requires the implementation of two algorithms which are in pointycastle already: ECDH Basic Key Agreement and ConcatKDF key generation function. The Basic Key Agreement provides a shared secret computable by any intended receiver using his private key and the senders public key and ConcatKDF derives a message dependent symmetric encryption key from that shared secret (so the message is encrypted with an individual key) which as well can be computed by the receiver of the message.

ECC signature support requires the implementation of ECDSA which is as well in pointycastle.

ECC cryptography has the advantage to provide equivalent security to RSA but with considerably smaller keysizes and thus computes considerably faster (e.g. a 256-Bit ECC key provides the same security as 3096-Bit RSA). That is why crypto smartcards nowadays do not use RSA anymore (or deprecate its use in favor of ECC). Their processors are slow so they need every advantage they may get.

Note that when dealing with e-mail, the time-consuming step (given that every operation is run by the same CPU) is the symmetric encryption or decryption or hashing of the message parts. This is where performance really matters on Smartphones and PCs. Compared to that the asymmetric operations do not matter. So there is really no need to implement asymmetric operations in anything faster than Dart.