5. EC will be (fully) implemented soon
What curve?
NIST P256 (NID_X9_62_prime256v1), so 256-bit strength should be somewhat like 3072-bit RSA.
EC is implemented now. Just need to check a bit if everything runs fine.
Argh... after all the Snowden revelations, should we really trust NIST curves?
http://cybermashup.com/2014/03/01/the-nsa-conference/
Boneh pointed out the unknown origin of the constants in NIST's P256 curve and discussed various ways to backdoor a crypto scheme;
It's not worth the risk! Find a high-quality C++ library for ed25519...
Would it be hard to switch to this?
https://github.com/floodyberry/ed25519-donna
Alright, thanks for pointing out those concerns! I must admit that we are not that familiar with EC (of course we have heard about it, its disadvantages and advantages over RSA etc., but we have no in-depth mathematical background information about EC like we have about RSA). Also, I was not aware that a NIST curve can be a security issue regarding NSA backdoors (and if the NSA has any backdoor, some hacker might get it as well).
To cut it short: I was able to build ed25519-donna against OpenSSL and looked over the donna documentation. So I would say that the further implementation would not take any longer than an hour.
However, I am not that convinced that this donna build is safe. I do not know how trustworthy their developers are. Do you have more information about that? Also, I think OpenSSL 1.2 will provide brainpool curves soon (not sure when). That might be an option as well, since they should be randomly chosen curves (so there could not be a special backdoor for a specific curve), don't you think?
In the end, we might just offer you (the user of the program, in this sense) the option to choose individually, before address creation, between NIST EC using OpenSSL, ed25519 using donna/OpenSSL, or RSA using OpenSSL and, if present and easy to implement, brainpool curves later on. Right now all addresses already store an enum called keyType. The type already gets distributed to the network for the verification (keytype-switch'ed) process (at the moment: rsa2048 or that NIST curve). This way you could use a different keytype for every different address in your wallet.
Would that fit? If so, we would publish the EC/RSA sign/verify code parts in our wiki soon so everyone can check those parts.