TL;DR: I'm assuming that if GnuPG made it a default then it should be what we use, but it used "bad" defaults in the past so I'm wondering if there are any tradeoffs to this? More specifically: is ECC 25519 sufficiently adopted by now so that it wouldn't give any compatibility issues as cited by some people in the last couple of years? And can we safely use ECC 25519 then?
Early on, GnuPG defaults weren't quite good, driving the creation of some hardening guides such as Riseup's OpenPGP best practices guide. Currently, however, that guide says we should stick to GnuPG's defaults:
This guide is deprecated, you only need to use the defaults because GnuPG is doing sane things. Just keep your software up-to-date. That is it, you are done! If you had previously tweaked your configurations, you should consider starting over with a base configuration, so you do not have outdated recommendations that are less secure than the defaults.
Over 3 years ago, this question was asked on which one to use on key generation - RSA or ECC, since there was the Curve 25519 option newly available (only NIST and Brainpools were available before that). The answer says either way is fine but that ECC still wasn't widely supported.
And 2 years ago, this question was asked to compare RSA 4096 vs ECC 25519. Both were said to be vulnerable to quantum computing in the answers, although some don't think that is a risk worthy of worrying about now. This post on CryptoStackExchange runs some comparisons.
As far as ECC security goes, the website SafeCurves by B. J. Bernstein compares the different curves. 25519 is apparently much more secure than the other 2 options GnuPG currently gives us (NIST P-384 and Brainpool P-256), so I'd assume 25519 to be secure.
But how does that compare with RSA? Before this new default, GnuPG used to recommend GnuPG 3072, and some people used to opt for 4096.
This more recent post from 2020 says either RSA or ECC should be fine, and that "it is a matter of opinion." I'm no expert but is it? There should be a better choice.
GnuPG's FAQ reads:
The future is elliptical-curve cryptography, which will bring a level of safety comparable to RSA-16384. Every minute we spend arguing about whether we should change the defaults to RSA-3072 or more is one minute the shift to ECC is delayed. Frankly, we think ECC is a really good idea and we’d like to see it deployed as soon as humanly possible.
Which they have now delivered.
My understanding after researching this, and considering that I am not a security or crypto expert, is that ECC 25519 and RSA 4096 would give comparable security, the only difference being the size -- ECC 25519 seems to be more space-efficient and smaller, and thus quicker. But there's the compatibility debate.
I'm assuming that if GnuPG made it a default then it should be what we use, but it used "bad" defaults in the past so I'm wondering if there are any tradeoffs to this? More specifically:
- Is ECC 25519 sufficiently adopted by now so that it wouldn't give any compatibility issues as cited by some in the last couple of years? And can we safely use ECC 25519 then?
