X448 Key Exchange (RFC 8731)

Joseph S. Testa II jtesta at positronsecurity.com
Sat Jul 4 04:11:51 AEST 2020

Hi all,

    Back in September 2018, I started a thread about implementing the 
X448 key exchange (see 

    In February 2020, RFC 8731 (formally specifying X448 in SSH) has 
been finalized: https://www.ietf.org/rfc/rfc8731.txt.  I thought I'd 
start this conversation up again to see if the interest level has 
changed for implementing this in OpenSSH.

    During the last conversation, the point was brought up that 
post-quantum crypto would be more interesting than X448.  Well in almost 
two years, I have yet to personally gain faith in any new post-quantum 
algorithm.  Meanwhile, X448 has been a part of TLS 1.3 since August 2018 
and has been through much more testing.

    Not only am I still interested in using X448 since it provides ~224 
bit security level, but I'd still be happy to write the initial 
implementation for it as well.  I'd need assurance that it has a chance 
of being merged before I get started on it, however.

    - Joe

Joseph S. Testa II
Founder & Principal Security Consultant
Positron Security

More information about the openssh-unix-dev mailing list