On Thu, 13 Sep 2018, Joseph S. Testa II wrote:

> Hi all,
>
> I'm interested in having X448 protocol available as an option, as it gives
> a larger security margin over X25519. For anyone unfamiliar, it is a
> Diffie-Hellman elliptic curve key exchange using Curve448 (defined in RFC7748:
> https://tools.ietf.org/html/rfc7748). Furthermore, it is included in the new
> TLS 1.3 specification (RFC8846: https://tools.ietf.org/html/rfc8446).
>
> A few questions:
>
> 1. What has been OpenSSH's involvement in this related IETF draft, if
> any?: https://tools.ietf.org/id/draft-ietf-curdle-ssh-curves-08.html
>
> 2. Have there been any (even informal) plans for including X448?
>
> 3. Has anyone begun an implementation yet?

We don't have any plans to add more crypto options to OpenSSH without a
strong justification, and I don't see one for X448-SHA512 ATM.

It's hard to imagine a world where X25519-SHA256 is broken but X448-SHA512
is unaffected. AFAIK the most likely ways that X25519-SHA256 could fail are:

1) discovery of weaknesses in prime field EC crypto. This would almost
   certainly affect both X25519/X448.

2) working quantum computers. Exciting times, everything breaks.

3) a weakness in SHA256. Online key agreement protocols like SSH KEX are
   the last thing affected by collisions, because the attacker has such a
   limited window in which to generate one and limited degrees of freedom
   to manipulate the colliding data.

Personally, I'm more interested in a post-quantum KEX than another of the
same species...

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
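The sense in which the reply calls X448 "another of the same species" is visible in the RFC 7748 ladder itself: as an added example (not OpenSSH code and not from this thread), the single routine below computes both X25519 and X448, differing only in the field prime, the a24 constant and the scalar length. Assumptions: plain Python 3, no third-party library; the arithmetic is not constant-time, so this illustrates structure rather than serving as a production implementation.

```python
# Per RFC 7748: (prime p, (A - 2) / 4, scalar bit length, encoded byte length)
CURVES = {"x25519": (2**255 - 19, 121665, 255, 32),
          "x448": (2**448 - 2**224 - 1, 39081, 448, 56)}

def _clamp(k, name):
    # Decode the private scalar (RFC 7748, section 5): clear the cofactor bits
    # and set the top bit so every scalar drives the ladder over a fixed length.
    k = bytearray(k)
    if name == "x25519":
        k[0] &= 248; k[31] &= 127; k[31] |= 64
    else:
        k[0] &= 252; k[55] |= 128
    return int.from_bytes(k, "little")

def _cswap(swap, a, b):
    # Branch-free conditional swap as in the RFC (illustrative only: Python big
    # integers are not constant-time, so do not use this for real key exchange).
    dummy = (-swap) & (a ^ b)
    return a ^ dummy, b ^ dummy

def scalar_mult(name, k, u):
    # The X25519/X448 function: the Montgomery ladder of RFC 7748, section 5.
    p, a24, bits, size = CURVES[name]
    k, x1 = _clamp(k, name), int.from_bytes(u, "little")
    if name == "x25519":
        x1 &= (1 << 255) - 1  # X25519 ignores the most significant bit of u
    x1 %= p                   # accept non-canonical u by reducing mod p
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(bits - 1, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % p, (x2 - z2) % p
        aa, bb, c, d = a * a % p, b * b % p, (x3 + z3) % p, (x3 - z3) % p
        e, da, cb = (aa - bb) % p, d * a % p, c * b % p
        x3, z3 = (da + cb) ** 2 % p, x1 * (da - cb) ** 2 % p
        x2, z2 = aa * bb % p, e * (aa + a24 * e) % p
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, p - 2, p) % p).to_bytes(size, "little")

def public_key(name, priv):
    return scalar_mult(name, priv, (9).to_bytes(CURVES[name][3], "little"))

def shared_secret(name, priv, peer_pub):
    s = scalar_mult(name, priv, peer_pub)
    if not any(s):  # RFC 7748, section 6: all-zero output means a low-order peer point
        raise ValueError("low-order peer point")
    return s
```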