Dan,

> I'm still puzzled as to what led to the statement that I quoted at the beginning:

I was also hosting the same podcast you were quoting, and I believe we were also discussing _certificates_, which have the following breakdown according to Censys:

SHA512-RSA 0.002%
SHA384-RSA 4.6%
ECDSA-SHA256 (P256) 5.3%
ECDSA-SHA384 (P384) 7.5%
SHA256-RSA 82.7%

Notably, none of those are Curve25519 variants.

I also find it odd, given that it's a conversational podcast, that you decided to take the comment out of context and single out "the TLS co-chair", in a quote that begins with "I don't have the numbers". Given your behavior on other lists, and the utter irrelevance of current popularity of curves to the introduction of a _new_ standard, I fail to see the purpose of this thread other than to harass one of the chairs, especially given that this episode was released 8 months ago.

-dadrian

On Mon, Jun 3, 2024 at 12:34 PM D. J. Bernstein <d...@cr.yp.to> wrote:

> Thanks to Martin Thomson, Bas Westerbaan, and David Adrian for the
> measurement data. I'm still puzzled as to what led to the statement that
> I quoted at the beginning:
>
> P 256 is the most popular curve in the world besides the bitcoin
> curve. And I don’t have head to head numbers, and the bitcoin curve
> is SEC P, but P 256 is most popular curve on the internet. So
> certificates, TLS, handshakes, all of that is like 70 plus percent
> negotiated with the P 256 curve.
>
> Maybe the TLS co-chair has a comment? Again, I understand that
> certificates haven't upgraded to allowing Ed25519 yet; my question is
> about the "handshake", "internet", and "world" claims.
>
> In context, these popularity claims were presented as an argument for
> regressing to P-256: "Should we still use 25519 for all new designs? Or
> should we take seriously at the idea of using the P curves again? ... I
> think we should take seriously because P 256 is the most popular curve
> in the world besides the bitcoin curve."
>
> John Mattsson writes:
> > If you are doing hybrid for reason number 1, and you are currently
> > using P-384 or P-521 to get a higher security level, you likely want
> > to continue to use P-384 or P-521.
>
> I agree that the obvious way to address the "Yikes this could be losing
> security" objection to post-quantum rollout---which is a reasonable
> objection both because of attacks against the math and because of
> attacks against the software---is to have a hybrid choose whichever
> pre-quantum system people were using already.
>
> However, endless combinations create their own slowdowns. If most
> connections are using X25519 anyway, then what's best for fast rollout
> is to get X25519+PQ moving as quickly as possible, not delaying that to
> figure out what should be done for the fringe cases (maybe X448+PQ).
>
> > I think the NIST P-curves are well-designed for being published in
> > 1998.
>
> No, the Montgomery ladder was already introduced in Montgomery's 1987
> paper. The speed and simplicity of the ladder were clear from the paper.
> NSA's rationale for taking Weierstrass curves in Jacobian coordinates
> was the false claim that this provides "the fastest arithmetic on
> elliptic curves". That's a quote from IEEE P1363, so there can't have
> been any serious review. See the "fake mathematics" section in
> https://blog.cr.yp.to/20220805-nsa.html for another example.
>
> ---D. J. Bernstein
>
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-le...@ietf.org