Thanks to Martin Thomson, Bas Westerbaan, and David Adrian for the
measurement data. I'm still puzzled as to what led to the statement that
I quoted at the beginning:

   P 256 is the most popular curve in the world besides the bitcoin
   curve. And I don’t have head to head numbers, and the bitcoin curve
   is SEC P, but P 256 is most popular curve on the internet. So
   certificates, TLS, handshakes, all of that is like 70 plus percent
   negotiated with the P 256 curve.

Maybe the TLS co-chair has a comment? Again, I understand that
certificates haven't upgraded to allowing Ed25519 yet; my question is
about the "handshake", "internet", and "world" claims.

In context, these popularity claims were presented as an argument for
regressing to P-256: "Should we still use 25519 for all new designs? Or
should we take seriously at the idea of using the P curves again? ... I
think we should take seriously because P 256 is the most popular curve
in the world besides the bitcoin curve."

John Mattsson writes:
> If you are doing hybrid for reason number 1, and you are currently
> using P-384 or P-521 to get a higher security level, you likely want
> to continue to use P-384 or P-521.

I agree that the obvious way to address the "Yikes this could be losing
security" objection to post-quantum rollout---which is a reasonable
objection both because of attacks against the math and because of
attacks against the software---is to have a hybrid choose whichever
pre-quantum system people were using already.

However, endless combinations create their own slowdowns. If most
connections are using X25519 anyway, then what's best for fast rollout
is to get X25519+PQ moving as quickly as possible, not delaying that to
figure out what should be done for the fringe cases (maybe X448+PQ).

> I think the NIST P-curves are well-designed for being published in
> 1998.

No, the Montgomery ladder was already introduced in Montgomery's 1987
paper. The speed and simplicity of the ladder were clear from the paper.
NSA's rationale for taking Weierstrass curves in Jacobian coordinates
was the false claim that this provides "the fastest arithmetic on
elliptic curves". That's a quote from IEEE P1363, so there can't have
been any serious review. See the "fake mathematics" section in
https://blog.cr.yp.to/20220805-nsa.html for another example.

---D. J. Bernstein

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
