2024-06-03 14:38 GMT+02:00 Bas Westerbaan <bas=40cloudflare....@dmarc.ietf.org>:
> We're not just a server, but also a client proxying requests to our
> customers' origins. We routinely scan customers' origin servers for their
> support of keyshares. [...]
>
> We also measure server support for each. (We send just the single keyshare
> for the group and only advertise support for that group.)
>
> 97.6% P-256
> 97.0% X25519
> 94% P-384
> 89% P-521
> 0.54% X25519Kyber768

Thank you for collecting and sharing these numbers! I think this here is the
most interesting bit in terms of curve popularity, since any difference in CPU
time is ultimately marginal compared to the cost of an HRR. It looks like X25519
and P-256 are approximately as popular, as expected, but {P-256,
P-256+ML-KEM-768} would save a round-trip compared to {X25519,
X25519+ML-KEM-768} for one connection every ~170 (on top of the
complexity/maintenance advantage of reusing the certificate signature
implementation).
_______________________________________________
TLS mailing list -- tls@ietf.org