Does ECDSA provide better security than cryptography algorithms provided by PGP?


#1

Thanks in advance.


#2

ECDSA is an algorithm, PGP is a program.

A question that COULD be asked is - what is best out of ECDSA, RSA, DSA,
ED25519, or ECC in general. (The short answer to which is ED25519 wherever
possible, 4096bit RSA wherever not)
Similarly, prefer SHA-2 to SHA-1 and MD5 options. SHA256, 384 or 512.

For instance, this site:
https://stribika.github.io/2015/01/04/secure-secure-shell.html

About Secure shell, that goes through all the hashes and algorithms and
makes choices for SSH and why each one was chosen.

GNUPG 2.1.x supports ECC, 2.1.7 supports ED25519
https://www.gniibe.org/memo/software/gpg/keygen-25519.html

So the question “Is ECDSA better than PGP” doesn’t really make sense. But
I think the answer is: If you’re going to use GPG or PGP, don’t use DSA or
ECDSA (because DSA is old and low bitrate, and ECDSA uses NIST curves which
have been called into question). Use 4096 bit RSA keys for backwards
compatibility with GNUPG 2.0 as necessary, and ED25519 keys for new
support. Generate a master key, only use it to sign subkeys, and rotate
your subkeys as often as you need to to feel secure.

This is old, RSA based, but the procedure is still relevant - you’ll just
create an ed25519 in addition:
https://alexcabal.com/creating-the-perfect-gpg-keypair/

Based on your posts in this forum, you seem to be trying to roll your own
crypto. First rule of crypto is, don’t roll your own crypto. At least not
if you want it to be secure.

https://www.schneier.com/blog/archives/2011/04/schneiers_law.html

You’re better off choosing ANY solution that’s already written that
supports what you’re trying to accomplish, and making the most secure
choices that program allows. Ideally, a solution like GnuPG/PGP that’s
written and maintained by people who have focused on building crypto
solutions for many, many years… My preference being GnuPG because it’s
open source and can be independently audited.

Barring that, you could use the java Crypto interface or bouncy castle
libraries, but it’s really easy to get wrong and hard to get right. Or
just use cffile and Encrypt/Decrypt (but those keys are symmetric) .

-G


#3

Yeah, my bad for using inaccurate terms. Many thanks for your knowledgeable response.

I’d like to experiment with cryptocurrency but not to use Ethereum or the type and it’s not for zillions of me2 scam ICO type but rather when a company that truly delivers value with a product or service and it is exploring other types of funding including ICO I’d like to be able to help.