Information about the popularity of specific cryptosystems plays a role
in decisions of what to standardize and deploy. I've been pointed to a
surprising statement (quoted below) regarding popularity of curves, in
particular in TLS handshakes. The statement is from one of the current
TLS co-chairs, a month before the co-chair appointment. I'm wondering
what data the statement is based on; the statement doesn't have a
description of the data sources, and the statement seems impossible to
reconcile with various public statements that have clear data sources.

A specific reason that I'd like to resolve this is that I'm concerned
about the impact on post-quantum deployment. To explain:

   * We're failing to protect confidentiality of most user data against
     future quantum attacks---but switching to a post-quantum system has
     an unacceptably high chance of making security even worse. See
     https://cr.yp.to/papers.html#qrcsp for how much has been broken.

   * The obvious path forward is to immediately roll out ECC+PQ hybrids,
     as illustrated by X25519+sntrup761 in OpenSSH, X25519+ntruhrss701
     in ALTS, X25519+kyber768 in https://blog.cloudflare.com/pq-2024,
     X25519+kyber512 in
     https://engineering.fb.com/2024/05/22/security/post-quantum-readiness-tls-pqr-meta/,
     etc. Then we're not making security worse, and _hopefully_ we're
     making it better.

   * This still leaves the challenge of minimizing post-quantum risks.
     That's hard enough without the combinatorial explosion of combining
     each post-quantum option with a profusion of curves. Adding many
     curve choices is the sort of thing that _sounds_ simple until you
     start writing software, tests, etc. (I designed X25519 after
     suffering through implementing an example of NSA/NIST ECDH; see
     https://cr.yp.to/nistp224.html and the accompanying talks. NSA's
     harder-to-implement approach to ECC also ends up more likely to
     fail later; see, e.g., https://blog.cr.yp.to/20191024-eddsa.html.)

Here's the specific statement I'm asking about:

   P 256 is the most popular curve in the world besides the bitcoin
   curve. And I don’t have head to head numbers, and the bitcoin curve
   is SEC P, but P 256 is most popular curve on the internet. So
   certificates, TLS, handshakes, all of that is like 70 plus percent
   negotiated with the P 256 curve.

Last I heard, _certificates_ hadn't upgraded to allowing Ed25519 yet.
My question is about the "handshake" claim, and more broadly about the
"internet" and "world" claims.

Examples of why I find the above TLS-handshake claim surprising:

   * https://blog.cloudflare.com/towards-post-quantum-cryptography-in-tls/
     (2019) says that "the most commonly used key exchange algorithm
     (according to Cloudflare's data) is the non-quantum X25519".

   * https://blog.cloudflare.com/post-quantum-for-all/ (2022) says that
     "Almost every server supports the X25519 key-agreement and almost
     every client (98% today) sends a X25519 keyshare."

   * https://eprint.iacr.org/2023/734 recorded TLS connections from many
     different apps and noted that X25519 was used in "the vast majority
     of the recorded handshakes".

   * https://blog.cloudflare.com/pq-2024 says "Today almost all traffic
     is secured with X25519, a Diffie–Hellman-style key agreement".

   * The handshake simulations in, e.g.,
     https://www.ssllabs.com/ssltest/analyze.html?d=google.com&s=142.250.217.142&hideResults=on&ignoreMismatch=on
     show current browsers using X25519 (while showing older client
     software using P-256). Clicking on random servers listed on the
     same site also consistently shows X25519.

To be clear, this isn't saying that _all_ handshakes are using X25519.
NIST didn't manage to standardize Ed25519 until 2023, and still hasn't
managed to standardize X25519, so probably it's not too hard to find
servers that insist on P-256 for "FIPS compliance". I figured I'd be
able to give easy examples of this by trying nist.gov and nsa.gov---

   https://web.archive.org/web/20240602150722/https://www.ssllabs.com/ssltest/analyze.html?d=nist.gov&s=129.6.13.49
   https://web.archive.org/web/20240602151119/https://www.ssllabs.com/ssltest/analyze.html?d=nsa.gov

---but it turns out that both of them end up using X25519, unless you're
connecting to nsa.gov with a client that doesn't support TLS 1.3.

More broadly, Nicolai Brown's pages

   https://ianix.com/pub/curve25519-deployment.html
   https://ianix.com/pub/ed25519-deployment.html

include a long list of applications of X25519 and Ed25519. Spot-checks
confirm the overall accuracy of the list, and find many applications
where Curve25519 is the only curve, including big applications such as
WhatsApp and WireGuard.

I'm also aware of some applications where P-256 is the only option. I
would guess that https://security.apple.com/blog/imessage-pq3/ is now
the biggest P-256 application. But I don't know how one would reach a
conclusion that "P 256 is most popular curve on the internet".

---D. J. Bernstein

_______________________________________________
TLS mailing list -- tls@ietf.org
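The handshake-level measurement the post is asking about (which NamedGroups a TLS 1.3 client offers and sends key shares for, and which one the server selects) can be read directly off the ClientHello and ServerHello. The Python below is an added example, not code from Bernstein's post or from any of the measurement sources it cites: it parses the supported_groups and key_share extensions of a ClientHello, the key_share of a ServerHello, and tallies selections over a batch of ServerHellos, which is the kind of count a "70 plus percent" figure would have to come from. The sample hellos are constructed inline (zero random, one cipher suite, zero-filled key shares), and the code-point table is an assumption taken from the IANA TLS Supported Groups registry plus the 0x6399 (X25519Kyber768Draft00) and 0x11ec (X25519MLKEM768) hybrid code points.

```python
"""Read NamedGroup choices out of raw TLS 1.3 hello records.

Added example, not code from the post or the sources it cites. ASSUMPTION:
code points follow the IANA TLS Supported Groups registry; 0x6399 and 0x11ec
are the X25519Kyber768Draft00 and X25519MLKEM768 hybrid code points.
"""
import struct
from collections import Counter

NAMED_GROUPS = {0x0017: "secp256r1 (P-256)", 0x0018: "secp384r1 (P-384)",
                0x001D: "x25519", 0x6399: "X25519Kyber768Draft00",
                0x11EC: "X25519MLKEM768"}
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02
EXT_SUPPORTED_GROUPS, EXT_KEY_SHARE = 0x000A, 0x0033

def _name(code):
    """GREASE and unregistered code points are labelled, not dropped."""
    return NAMED_GROUPS.get(code, f"unknown(0x{code:04x})")

def _extensions(body, off):
    """Yield (type, data) for each extension in the block at body[off:]."""
    (total,) = struct.unpack_from("!H", body, off)
    off, end = off + 2, off + 2 + total
    while off < end:
        etype, elen = struct.unpack_from("!HH", body, off)
        yield etype, body[off + 4:off + 4 + elen]
        off += 4 + elen
    if off != end:
        raise ValueError("extensions block overruns its declared length")

def parse_hello(record):
    """ClientHello -> {"type": "client", "offered": [...], "key_shares": [...]}
    ServerHello -> {"type": "server", "selected": name or None}"""
    ctype, _version, _rlen = struct.unpack_from("!BHH", record, 0)
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    htype, hlen = record[5], int.from_bytes(record[6:9], "big")
    body = record[9:9 + hlen]
    off = 2 + 32                      # legacy_version, random
    off += 1 + body[off]              # legacy_session_id<0..32>
    if htype == CLIENT_HELLO:
        (cs_len,) = struct.unpack_from("!H", body, off)
        off += 2 + cs_len             # cipher_suites<2..2^16-2>
        off += 1 + body[off]          # legacy_compression_methods<1..2^8-1>
        offered, shares = [], []
        for etype, data in _extensions(body, off):
            if etype == EXT_SUPPORTED_GROUPS:
                (n,) = struct.unpack_from("!H", data, 0)
                offered = [_name(g) for g in struct.unpack_from(f"!{n // 2}H", data, 2)]
            elif etype == EXT_KEY_SHARE:
                (n,) = struct.unpack_from("!H", data, 0)
                pos = 2
                while pos < 2 + n:    # KeyShareEntry: group(2), key_exchange<1..2^16-1>
                    grp, klen = struct.unpack_from("!HH", data, pos)
                    shares.append(_name(grp))
                    pos += 4 + klen
        return {"type": "client", "offered": offered, "key_shares": shares}
    if htype == SERVER_HELLO:
        off += 2 + 1                  # cipher_suite, legacy_compression_method
        for etype, data in _extensions(body, off):
            if etype == EXT_KEY_SHARE:  # single entry; HelloRetryRequest sends the group only
                return {"type": "server", "selected": _name(struct.unpack_from("!H", data, 0)[0])}
        return {"type": "server", "selected": None}  # TLS 1.2: group only in ServerKeyExchange
    raise ValueError(f"unexpected handshake type {htype}")

def negotiated_shares(server_hellos):
    """Fraction of TLS 1.3 handshakes that settled on each group."""
    counts = Counter(s for s in (parse_hello(r)["selected"] for r in server_hellos) if s)
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()}

def _wrap(htype, body):
    hs = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs

def build_client_hello(groups, key_shares):
    """Constructed ClientHello: zero random, one cipher suite, two extensions."""
    g = b"".join(struct.pack("!H", x) for x in groups)
    ks = b"".join(struct.pack("!HH", grp, len(k)) + k for grp, k in key_shares)
    exts = (struct.pack("!HHH", EXT_SUPPORTED_GROUPS, len(g) + 2, len(g)) + g
            + struct.pack("!HHH", EXT_KEY_SHARE, len(ks) + 2, len(ks)) + ks)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    return _wrap(CLIENT_HELLO, body)

def build_server_hello(group, key):
    """Constructed ServerHello selecting `group` with a placeholder key share."""
    ks = struct.pack("!HH", group, len(key)) + key
    exts = struct.pack("!HH", EXT_KEY_SHARE, len(ks)) + ks
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01" + b"\x00"
            + struct.pack("!H", len(exts)) + exts)
    return _wrap(SERVER_HELLO, body)

# Constructed sample: a browser-style ClientHello (GREASE, hybrid, X25519, P-256,
# P-384; key shares for the hybrid and X25519) and four ServerHellos split 3:1
# between X25519 and P-256. Key bytes are zero placeholders of the right size.
SAMPLE_CLIENT_HELLO = build_client_hello(
    [0x0A0A, 0x11EC, 0x001D, 0x0017, 0x0018], [(0x11EC, bytes(1216)), (0x001D, bytes(32))])
SAMPLE_SERVER_HELLOS = ([build_server_hello(0x001D, bytes(32))] * 3
                        + [build_server_hello(0x0017, bytes(65))])
```

Two caveats matter for anyone turning this into a measurement: a TLS 1.2 ServerHello carries no key_share, so the group negotiated there is only visible in the later ServerKeyExchange (the parser returns None rather than guessing), and a HelloRetryRequest is a ServerHello whose key_share names a group without a key, which the same code path reads correctly. Counting only what the client offers, or only what the server selects, gives different answers, which is one reason a bare percentage is hard to interpret without its data source.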