Score:1

Which elliptic curve was used by Thunderbird OpenPGP and which bitlength?

in flag

If one looks at Account Settings > End-to-End-Encryption > Add Key and creates a new key then gets the option EC. But you can't choose the bit length nor does one know which curve is used.

Anyone who knows that? Anyone who knows how secure that is?

kelalaka avatar
in flag
https://datatracker.ietf.org/doc/html/rfc6637
Fukai Mizumi avatar
in flag
@kelalaka thanks, but I already knew that document ... the problem is: I generated it with Thunderbird (which uses OpenPGP). While there is a variety of EC for OpenPGP, there is only the choice "EC" in Thunderbird. They do not mention bitlength or which curve they use. Which is weird, since OpenPGP provides different curves.
Score:1
in flag

I've downloaded the source code from the developer site. All the encrypted related parts under the libgcrypt

Libgcrypt is a cryptography library developed as a separated module of GnuPG. It can also be used independently of GnuPG, but depends on its error-reporting library Libgpg-error.

And those are listed as the supported curve in the library

  • NIST (P-256, P-384, P-521)
  • SECG (secp256k1)
  • ECC Brainpool / RFC 5639 (P256r1, P384r1, P512r1)
  • Bernstein Curve25519
  • Curve448
  • GOST R 34.10-2012 (RFC 7091)
  • SM2

Which one is used? Search files excluding the libgcrypt directory since it is the exact copy of it.

A grep grep -r curve tools/ build/ calendar/ chat/ mail mailnews/ python/ suite/ taskcluster/ tools/

in the command line displays only

curve25519

This curve is used for public-key signature system as Ed2559.

Curve25519 is also known as the Bernstein curve. It is one of the most secure curves for the listed criteria as in the safecurves.cr.yp.to/.

If you want to read more about how secure the curve is, see our canonical answer;

And note that if ever Shor's period finding algorithm is built with enough qbits the curve will be no more secure.

Also;

Edwards25519 aims for a ‘128-bit security level

Fukai Mizumi avatar
in flag
Thank you very much!
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.