Hello to all, I fear that regarding the "Curve-popularity" data there might be too much of "opinion" and "company policies" and "government policies" around which IMHO can be an obstacle for constructive discussion. And it seems again to be a discussion between Short-Weierstrass curves on the one side and the modern Montgomery/Edwards curves on the other side.
I think that for getting forward, we probably best try to take a step back and try to formulate consensus on the actual requirements behind the reasonings and establish a clearer picture regarding the system architectures that people have in mind. In my perspective, the "security" space has at least 4 dimensions relevant here:

- Firstly, the biggest security risk might be that no or worse crypto is used in an application (e.g. no ephemeral session keys instead of session-specific DH) because DH is considered to be too costly.
- The second dimension might be that crypto is poorly implemented and implementation attacks become feasible.
- The third dimension is the risk of hardware side-channels and the risk of leaked private long-term keys. IMO this issue can only be resolved when using special hardware components for guarding and protecting the private keys, and it necessarily requires secure elements.
- The fourth dimension is the fear regarding future QC attacks.

In addition to these dimensions I believe that we need to consider where applications need to store their keys. For ephemeral session-key-related secrets I don't see the immediate use-case of storing the private keys in secured hardware (TPM or secure element). However this (IMHO) should really be different for all of the private long-term keys used for authenticating a session (e.g. server certificates). IMO it's not only the fact that hardware elements can better protect the keys, but good use of hardware chips for authentication secrets also avoids sloppy management of keys! Regarding curve popularity, (unfortunately) most chipsets that offer hardware protection are using short-Weierstrass curves; however, there are also newer chipsets which also support Ed25519 or Ed448, but that's currently not the majority. However, this reasoning should (IMO) apply only to the authentication part of TLS and not to the session-key establishment (and DH).
Actually, in my opinion it is only the third dimension mentioned above, in combination with today's restrictions regarding secure-element chipsets, from which an advantage for P-256 or P-384 shows up. In my system picture, we might best optimize future TLS for a distributed architecture with one or two CPUs for the crypto: one CPU A which manages the session-key establishment and bulk crypto (the main CPU of the system), and a second CPU B which handles the protocol parts for authentication, which might come with hardware-level security and a protected persistent storage for keys (possibly split off to a TPM or secure element).

As a result, I would suggest that regarding key establishment one might be better off with promoting the newer and more efficient X25519 and X448 in combination with PQ algorithms for the CPU A part, as this might optimize for the dimensions 1, 2 and 4. Regarding the algorithms for the CPU B part, we probably should try to split off the algorithm requirements and run a separate assessment. The better current hardware-security support for key storage is a big plus for P-256 today for the CPU B parts. A big part of the discussion here might be that different people have different system architectures in mind.

Yours, Björn.

Mit freundlichen Grüßen | Best Regards
Dr. Björn Haase
Senior Expert Electronics | TGREH Electronics Hardware
Endress+Hauser Liquid Analysis
Endress+Hauser Conducta GmbH+Co. KG | Dieselstrasse 24 | 70839 Gerlingen | Germany
Phone: +49 7156 209 10377
bjoern.ha...@endress.com | www.ehla.endress.com
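The split architecture proposed in the mail (CPU A does the ephemeral X25519 exchange and key derivation, CPU B only ever signs with a P-256 long-term key it never releases) can be sketched as a small simulation. The following Go program is an added example and not code from the mail or from any TLS implementation; the `SecureElement` type, the transcript layout, the SHA-256-based key derivation (used in place of a real KDF such as HKDF) and the party names are all constructed for illustration. The only operation that crosses the A/B boundary is `Sign`, which is what makes the long-term key protectable by hardware while the session secret never leaves CPU A.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SecureElement models CPU B: it holds the long-term authentication key and
// exposes only the public key and a sign operation. Simulation: here the key
// lives in process memory; in the mail's architecture it would sit in a TPM or
// secure element. P-256 is used because that is what most such chips support.
type SecureElement struct {
	priv *ecdsa.PrivateKey
}

func NewSecureElement() (*SecureElement, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SecureElement{priv: priv}, nil
}

func (se *SecureElement) PublicKey() *ecdsa.PublicKey { return &se.priv.PublicKey }

// Sign is the only call that crosses the CPU A / CPU B boundary.
func (se *SecureElement) Sign(transcript []byte) ([]byte, error) {
	digest := sha256.Sum256(transcript)
	return ecdsa.SignASN1(rand.Reader, se.priv, digest[:])
}

// VerifyPeer is what CPU A runs against the peer's certified long-term key.
func VerifyPeer(pub *ecdsa.PublicKey, transcript, sig []byte) bool {
	digest := sha256.Sum256(transcript)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Party models CPU A: it owns the ephemeral X25519 key and does the bulk work.
type Party struct {
	name string
	se   *SecureElement
	eph  *ecdh.PrivateKey
}

func NewParty(name string) (*Party, error) {
	se, err := NewSecureElement()
	if err != nil {
		return nil, err
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{name: name, se: se, eph: eph}, nil
}

// transcript binds both ephemeral public keys so that a signature authenticates
// this particular exchange (constructed layout: "A"||ephA||"B"||ephB).
func transcript(ephA, ephB []byte) []byte {
	tr := append([]byte("A"), ephA...)
	tr = append(tr, 'B')
	return append(tr, ephB...)
}

// sessionKey runs entirely on CPU A: X25519 agreement plus a simplified KDF
// (SHA-256 over shared secret and transcript, standing in for HKDF).
func (p *Party) sessionKey(peer *ecdh.PublicKey, tr []byte) ([]byte, error) {
	shared, err := p.eph.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write(shared)
	h.Write(tr)
	return h.Sum(nil), nil
}

// Handshake runs the signed ephemeral exchange between two parties and returns
// the session key each side derived; they must match for the handshake to succeed.
func Handshake(a, b *Party) ([]byte, []byte, error) {
	tr := transcript(a.eph.PublicKey().Bytes(), b.eph.PublicKey().Bytes())
	sigA, err := a.se.Sign(tr) // CPU B of A
	if err != nil {
		return nil, nil, err
	}
	sigB, err := b.se.Sign(tr) // CPU B of B
	if err != nil {
		return nil, nil, err
	}
	if !VerifyPeer(b.se.PublicKey(), tr, sigB) {
		return nil, nil, errors.New("A: peer authentication failed")
	}
	if !VerifyPeer(a.se.PublicKey(), tr, sigA) {
		return nil, nil, errors.New("B: peer authentication failed")
	}
	ka, err := a.sessionKey(b.eph.PublicKey(), tr)
	if err != nil {
		return nil, nil, err
	}
	kb, err := b.sessionKey(a.eph.PublicKey(), tr)
	if err != nil {
		return nil, nil, err
	}
	return ka, kb, nil
}

func main() {
	a, _ := NewParty("A")
	b, _ := NewParty("B")
	ka, kb, err := Handshake(a, b)
	if err != nil {
		fmt.Println("handshake failed:", err)
		return
	}
	fmt.Printf("%s and %s share a session key: %v\n", a.name, b.name, string(ka) == string(kb))
}
```

The point of the structure is the boundary, not the primitives: swapping X25519 for X448 or adding a PQ KEM share touches only `Party.sessionKey` and the transcript on CPU A, while the `SecureElement` interface stays a single sign call that a P-256-only chip can serve today.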