Eric Rescorla writes:
> I'm struggling to understand what people think is at stake here.

The WG will soon be faced with decisions regarding which curve+PQ hybrids to recommend for TLS. Regarding the curve-choice part of that, some context factors that have been raised (such as interoperability and regulation) are starting with facts that are different in the hybrid context and the pure-curve context, and some technical considerations also vary (e.g., the byte cost of sending two shares rather than one is more of an issue when each share is curve+PQ than without PQ), while many other technical considerations are shared between the two contexts.

Primarily because of the software-security advantages of X25519 over P-256, I would like to see TLS, and the ecosystem more broadly, moving towards eliminating P-256 in both contexts in favor of X25519.

Getting X25519 widely deployed in TLS was already a multi-year project; further steps that would be helpful in the pure-curve context would be WG decisions to (1) make X25519 mandatory and then (2) make P-256 optional. The hybrid context will start with the question of what to recommend (I presume the WG will wait for PQ support in many more TLS stacks before making PQ mandatory), and in that context I think it'll be best for the WG to recommend X25519+PQ and not P-256+PQ.

Meanwhile some arguments have been raised aiming at the opposite conclusion for hybrids, so it's good to figure out the reasons for the different conclusions.

Overall I see the WG as being in a fact-finding phase regarding the underlying issues. I've found it very interesting to see the data points and considerations that people have posted, and for at least some issues there's progress towards a shared understanding that will help the WG make its curve decisions.

---D. J. Bernstein

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org