Comment by teunispeters
12 days ago
I look forward to crypto libraries other than OpenSSL that can provide support for ED25519 and ED448, as well as a wide range of EC keys.
These are requirements for my current work, and OpenSSL 3+ was the only crypto library that delivered.
The Go standard library has an implementation of ed25519 (although I did not find ed448); it also has some NIST curves. There are a few libraries that do ed448, like one from Cloudflare.
To test a Claude Skill for analyzing cryptographic implementations for side-channels (see constant-time-analysis in [1]), I had Claude vibe-code an Ed448 implementation.
This includes:
1. The Ed448 signature algorithm
2. The Edwards448 elliptic curve group (which could conceivably be used for ECDH)
3. The Decaf448 prime-order group (a much better target for doing non-EdDSA things with)
I've been putting off reviewing it and making the implementation public (as it was an exercise in "is this skill a sufficient guard-rail against implementation error" more than anything), but if there's any interest in this from the Go community, I'll try to prioritize it later this year.
(I'm not publishing it without approval from the rest of the cryptography team, which requires an internal review.)
But if you're curious about the efficacy of the Skill, it did discover https://github.com/RustCrypto/signatures/security/advisories...
[1] https://github.com/trailofbits/skills
What do you need Ed448 for? I've not seen much real world deployments of this algorithm, so I'm very curious about this.
Presumably one would want to use Ed448 in order to achieve for session key establishment or for digital signing a level of security comparable to using for encryption AES with a 256-bit key.
ED25519 has a level of security only comparable with AES with a 128-bit key.
Nowadays many prefer to use for encryption AES or similar ciphers with a 256-bit key, to guard against possible future advances, like the development of quantum computers. In such cases, ED25519 remains the component with the lowest resistance against brute force, but it is less common to use something better than it because of the increase in computational cost for session establishment.
> Presumably one would want to use Ed448 in order to achieve for session key establishment or for digital signing a level of security comparable to using for encryption AES with a 256-bit key.
Ed448 is an instantiation of EdDSA (the Edwards curve digital signature algorithm) over the Edwards448 curve (a Goldilocks curve), as defined in RFC 7748 and RFC 8032.
Key establishment would use X448 (formerly "Curve448") for Diffie-Hellman, although ECDH over Edwards448 is also (strictly speaking) possible.
Using Ed448 for key exchange is a TypeError.
But that's neither here nor there. I was asking about real world applications that need Ed448 specifically, not a vague question of how cryptography works.
Check my blog if you need a temperature check for my familiarity with the subject: https://soatok.blog/tag/security-guidance/
> ED25519 has a level of security only comparable with AES with a 128-bit key.
No. The whole notion of "security levels" is a military meme that doesn't actually meaningfully matter the way people talk about it.
There are about 2^252 possible Ed25519 public keys. Recovering a secret key from Pollard's rho takes about 2^126 or so computations (where each computation requires a scalar multiplication), and that's why people pair it with an equivalent "security level" as AES-128, but the only meaningful difference between the algorithms (besides their performance footprint) is security against multi-user attacks.
With a 256-bit AES key, you can have 2^40 users each choose 2^50 keys and still have a probability of key reuse below 2^-32.
With 128-bit AES keys, you don't have that guarantee. 2^90 keys is well beyond the birthday bound of a 128-bit function, which means the probability of two users choosing the same key is higher than 2^-32. (It's actually higher than 50% at 2^90 out of 2^128.)
See also: https://soatok.blog/2024/07/01/blowing-out-the-candles-on-th...
However, despite the "security level" claims, Ed25519 has 2^252 keys. The multi-user security of Ed25519 (and X25519) is meaningfully on par with AES-256.
As things stand today, the 128-bit symmetric cryptography "security level" is unbreakable. You would need to run the entire Bitcoin mining network for on the order of a billion years to brute force an AES-128 key.
> Nowadays many prefer to use for encryption AES or similar ciphers with a 256-bit key, to guard against possible future advances, like the development of quantum computers.
This is a common misunderstanding. So common that I once made the same mistake.
128 bits are enough. https://words.filippo.io/post-quantum-age/#128-bits-are-enou...
Grover's attack requires a quantum circuit size of 2^106.
> In such cases, ED25519 remains the component with the lowest resistance against brute force, but it is less common to use something better than it because of the increase in computational cost for session establishment.
I do not understand what this sentence is trying to say.
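The multi-user birthday-bound arithmetic in the thread above (2^40 users each drawing 2^50 keys, compared against 128-, 252- and 256-bit keyspaces) can be checked mechanically. The following Python is an added example, not code from any commenter or from any project mentioned in the thread. It assumes every key is an independent, uniformly random draw from the whole keyspace, so the "2^40 users x 2^50 keys" scenario is modelled as 2^90 i.i.d. draws, and it uses the standard approximation p = 1 - exp(-n(n-1)/(2N)) for the probability that at least two of n draws from N values coincide.

```python
import math


def birthday_collision_probability(num_keys: int, keyspace_bits: int) -> float:
    """Probability that at least two of `num_keys` independent, uniformly
    random keys drawn from a space of 2**keyspace_bits values coincide.

    Uses the approximation p = 1 - exp(-n(n-1) / (2N)). The exponent is
    formed with exact Python integers and only then divided, so very large
    n (such as 2**90) neither overflows nor loses precision on the way in.
    """
    if num_keys < 2:
        return 0.0
    space = 1 << keyspace_bits
    pairs_twice = num_keys * (num_keys - 1)          # n(n-1), exact integer
    # Once the exponent is >= 64 the float result is 1.0 to working precision,
    # and short-circuiting here avoids an OverflowError in int/int division for
    # absurd inputs (e.g. 2**600 keys in a 128-bit space).
    if pairs_twice >= 2 * space * 64:
        return 1.0
    exponent = pairs_twice / (2 * space)              # int/int -> correctly rounded float
    # -expm1(-x) equals 1 - exp(-x) but keeps full precision for tiny x,
    # which is the regime that matters for 2**90 draws from 2**256 values.
    return -math.expm1(-exponent)


def collision_probability_log2(num_keys: int, keyspace_bits: int) -> float:
    """The same probability expressed as a log2 exponent, the way the thread
    talks about it (2^-32, 2^-77, ...). 0.0 means a collision is certain;
    -inf means it is impossible (fewer than two keys)."""
    p = birthday_collision_probability(num_keys, keyspace_bits)
    if p >= 1.0:
        return 0.0
    if p <= 0.0:
        return -math.inf
    return math.log2(p)


def max_keys_log2(keyspace_bits: int, target_prob_log2: float) -> float:
    """log2 of how many random keys can be drawn from a 2**keyspace_bits space
    while keeping the collision probability at or below 2**target_prob_log2.
    Inverts p ~ n^2 / (2N): n ~ sqrt(2 * p * N)."""
    return (1 + target_prob_log2 + keyspace_bits) / 2


if __name__ == "__main__":
    # Constructed scenario from the thread: 2^40 users each choosing 2^50 keys,
    # treated as 2^90 independent uniform draws (an assumption of this example).
    total_keys = 2**40 * 2**50
    for bits in (128, 252, 256):
        exp2 = collision_probability_log2(total_keys, bits)
        budget = max_keys_log2(bits, -32)
        print(f"{bits:3d}-bit keyspace: Pr[collision among 2^90 draws] ~ 2^{exp2:.1f}; "
              f"draws allowed for p <= 2^-32: ~2^{budget:.1f}")
```

Running it shows 2^90 draws are a certain collision in a 128-bit space, about 2^-73 for the 2^252 Ed25519 keys and about 2^-77 for a 256-bit space, and that a 256-bit space tolerates roughly 2^112 draws before the collision probability reaches 2^-32, versus roughly 2^48 for a 128-bit one. The approximation is the usual n^2/(2N) estimate; it does not model keys that are not uniformly random (weak RNGs, structured key derivation), which is where real multi-user failures tend to come from.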