Dennis Jackson writes:
> Especially when the referenced comment was unconnected to any active
> discussion within the WG or decisions made by the chairs.

Hybrids are an ongoing topic of active discussion within the WG, with hundreds of messages on the WG mailing list in the past year (including 18 from me before this thread) that simultaneously mention post-quantum crypto and X25519. Beyond X25519 hybrids, there have been proposals to use, or at least allow, other curves in hybrids. It's clear that the WG will end up deciding what exactly to do for TLS.

I designed X25519 in the first place to address various problems created by the NSA/NIST curves. Subsequent research has found even more reasons to recommend X25519 over P-256. So, of course, I recommend focusing on X25519 as the default curve for hybrids, as in the PQ deployment in OpenSSH, ALTS, etc., rather than using P-256 as in PQ3.

(Sure, NIST took until 2023 to standardize Ed25519 and still hasn't standardized X25519. But my understanding is that NIST allows X25519+PQ when the PQ part is a NIST standard. More fundamentally, I think NIST standards shouldn't be allowed to drag down IETF standards---this would have stopped TLS from using X25519 in the first place!)

Recently some people have instead been advocating P-256 over X25519---not just for TLS, but certainly including TLS. See, e.g., the WG email dated 02 Jun 2024 23:02:39 +0200, confirming that there was already a plan to raise this on the WG list:

   I actually meant to bring this up ... it would actually make my life
   much easier if the one universal hybrid (and/or default client key
   share) was P-256+ML-KEM-768.

I had, obviously before seeing that email, been pointed to a statement from October of one of the explicit rationales for considering P-256:

   Should we still use 25519 for all new designs? Or should we take
   seriously at the idea of using the P curves again? ... I think we
   should take seriously because P 256 is the most popular curve in the
   world besides the bitcoin curve. And I don't have head to head
   numbers, and the bitcoin curve is SEC P, but P 256 is most popular
   curve on the internet. So certificates, TLS, handshakes, all of that
   is like 70 plus percent negotiated with the P 256 curve.

That was in another venue. That venue isn't a mailing list allowing open discussion. The TLS WG mailing list is an obvious venue for discussion: the source was appointed TLS co-chair in November; the quote mentions specifically "TLS, handshakes"; and, again, the TLS WG is certainly going to be taking action here. So I'm baffled at the notion that this is off topic for the TLS WG.

I started this thread explicitly asking for the basis for the "world", "internet", and "handshake" popularity claims quoted above. I would expect the response to simply be a pointer to the data source (or a retraction of the claims if they aren't based on data), so that subsequent decisions can take that information into account.

The TLS measurements that have been posted to the list so far are all very far from the "70 plus percent" claim, but they also have noticeable differences from each other (e.g., P-256 is reportedly 15% of the curves selected by Chrome handshakes on Windows, while other reports give much smaller percentages of handshakes selecting P-256), so it seems possible that the claims are coming from different measurements. Such divergence would be very interesting to study.

---D. J. Bernstein
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org