Hacker News new | ask | show | jobs
by vabmit 3020 days ago
In case anyone that doesn't follow the development of the library closely missed it, the main improvement in this version is the introduction of ECC support. ECC tends to be able to provide equivalent levels of security as traditional "big prime" cryptography (like RSA) with less computationally intensive operations. This is especially important in a library like OpenPGPjs that is primarily meant for in browser based web usage because it should make things, like sending and receiving mail, faster when ECC is used over older PGP public key encryption systems. For people that use ProtonMail's web based crypto on mobile or tablet devices, a switch to ECC would result not just in similar performance improvements but also in lower battery usage.

Currently, ProtonMail uses RSA keys, but this addition of ECC support to their web encryption library may mean that they are about to start switching users to ECC keys. Because using "larger" (when compared with equivalent theoretical strength RSA keys, for example) ECC keys is less resource intensive than using higher security keys in some other forms of cryptosystems (like RSA) it may also be an indication that ProtonMail is preparing to upgrade users to higher security/stronger keys.

Many cryptographers and organizations, including the US Government, have recommended for a long time that people migrate from older "big prime cryptography" based cryptosystems to ECC based cryptosystems for increased security.
3 comments
chapill 3020 days ago
>Many cryptographers and organizations, including the US Government, have recommended for a long time that people migrate from older "big prime cryptography" based cryptosystems to ECC based cryptosystems for increased security.

Not what I've heard.

https://threatpost.com/nsas-divorce-from-ecc-causing-crypto-...

link
Shoothe 3020 days ago
> Many cryptographers and organizations, including the US Government, have recommended for a long time that people migrate from older "big prime cryptography" based cryptosystems to ECC based cryptosystems for increased security.

Personally I'd stay away from NIST recommended curves for long term keys (as used in OpenPGP). Ed25519 looks nice and there is experimental support for it in gnupg but it's not post quantum unfortunately.

link
dsacco 3020 days ago
> Ed25519 looks nice and there is experimental support for it in gnupg but it's not post quantum unfortunately.

That's not a problem of NIST recommendations. There aren't any post-quantum secure elliptic curve public-key systems. The fundamental computational problem used by ECC public-key cryptography isn't post-quantum secure, so it's not really a matter of curve choice.

link
Shoothe 3019 days ago
The problem with NIST curves (vs ed25519) is the choice of parameters (it is not clear why they have such and such values) and the implementation edge cases. You already know it but maybe someone else will find it interesting: https://safecurves.cr.yp.to/

The comment about post quantum crypto did not relate to ECC directly. I just would like to see some PQ crypto in OpenPGP :)

link
dsacco 3020 days ago
> In case anyone that doesn't follow the development of the library closely missed it, the main improvement in this version is the introduction of ECC support.

Wow...I'm sort of shocked that wasn't a v1.0 consideration.

> ECC tends to be able to provide equivalent levels of security as traditional "big prime" cryptography (like RSA) with less computationally intensive operations. This is especially important in a library like OpenPGPjs that is primarily meant for in browser based web usage because it should make things, like sending and receiving mail, faster when ECC is used over older PGP public key encryption systems. For people that use ProtonMail's web based crypto on mobile or tablet devices, a switch to ECC would result not just in similar performance improvements but also in lower battery usage.

In particular, elliptic curves have smaller parameters, which allow for smaller keys at the same bit security level. For example, to achieve 128-bit security, an RSA/DLP modulus must be 3072 bits. Elliptic curves achieve the same security level with only 256-bit parameters. They are also faster for most operations, but RSA is still technically faster for signature verification.

> Many cryptographers and organizations, including the US Government, have recommended for a long time that people migrate from older "big prime cryptography" based cryptosystems to ECC based cryptosystems for increased security.

True, but elliptic curve cryptography is just as vulnerable to quantum computers, however long off that problem may be.

link
zahllos 3020 days ago
> Wow...I'm sort of shocked that wasn't a v1.0 consideration.

Given that you need to pass --expert to gpg 2.1 as of right now to even generate an ECC keypair for PGP use (nor use one on an OpenPGP smartcard or yubikey), I can sort of forgive the lack of ECC in 1.0. I don't think it sees wide usage for PGP keys (some clients don't support it, also).

However, as of the last time I tried Protonmail (about 10 minutes ago to check this is all still true) you can't: revoke/reissue your PGP key, validate outside signatures (either on encrypted messages or signed, plaintext messages) or send pure-PGP mail to users outside of protonmail (there's an encrypt for non-protonmail users option, that sends a link instead). Essentially as another commenter has said, you can't really do PGP with ProtonMail.

link
jlgaddis 3019 days ago
I don't use ProtoMail but it sounds like they are "managing" users' private keys!? Am I understanding this correctly? ProtonMail has access to their users' private keys? And they are using web-based encryption, delivered via JavaScript?

And people trust them!?

link
bartbutler 3020 days ago
This is about to change dramatically.
link
wslh 3020 days ago
> Wow...I'm sort of shocked that wasn't a v1.0 consideration.

My company contributed the ECC support for enabling messaging using the same keys as Bitcoin and other cryptocurrencies. See https://news.ycombinator.com/item?id=16548015

link
kfrzcode 3020 days ago
Aren't there multiple operating quantum computers right now? Isn't this a very imminent problem?
link
zahllos 3020 days ago
Yes and no. To simplify matters, you need not just a quantum computer but such a machine with the right sort of qubits. The right sort of qubits being logical qubits, not physical, many of which are needed for error correction.

It's not clear whether we can currently create a machine with sufficient logical qubits to run Shor's algorithm in a meaningful way.

However, out of an abundance of caution, we're "starting" now (some designs have existed for longer but this (NIST PQC) is the first competition, which focuses minds) so as to have something ready when/if a quantum computer becomes a reality.

link
equalunique 3020 days ago
^^^this

A DARPA researcher explained to me that a quantum computer's qbits would have to be 99.9999999999% error-free (that's 12 nines) in order to perform the necessary steps of Shor's quantum factorization algorithm. Current state of the art qbits are 99.9-99.99% error-free. Basically, we have a long way to go.

link
bartbutler 3020 days ago
Depends what qualifies as a quantum computer. It is questionable whether current 'quantum computers' deserve the name.
link