X448 Key Exchange

Damien Miller djm at mindrot.org
Fri Sep 14 10:18:06 AEST 2018

On Thu, 13 Sep 2018, Joseph S. Testa II wrote:

> Hi all,
>    I'm interested in having X448 protocol available as an option, as it gives
> a larger security margin over X25519.  For anyone unfamiliar, it is a
> Diffie-Hellman elliptic curve key exchange using Curve448 (defined in RFC7748:
> https://tools.ietf.org/html/rfc7748).  Furthermore, it is included in the new
> TLS 1.3 specification (RFC8446: https://tools.ietf.org/html/rfc8446).
>    A few questions:
>      1. What has been OpenSSH's involvement in this related IETF draft, if
> any?: https://tools.ietf.org/id/draft-ietf-curdle-ssh-curves-08.html
>      2. Has there been any (even informal) plans for including X448?
>      3. Has anyone begun an implementation yet?

We don't have any plans to add more crypto options to OpenSSH without a strong
justification, and I don't see one for X448-SHA512 ATM.

It's hard to imagine a world where X25519-SHA256 is broken but
X448-SHA512 is unaffected. AFAIK the most likely ways that X25519-SHA256
could fail are:

1) discovery of weaknesses in prime field EC crypto. This would almost
certainly affect both X25519/X448.

2) working quantum computers. Exciting times, everything breaks.

3) a weakness in SHA256. Online key agreement protocols like SSH KEX are
the last thing affected by collisions, because the attacker has such a
limited window in which to generate one and limited degrees of freedom
to manipulate the colliding data.

Personally, I'm more interested in a post-quantum KEX than another of the
same species...
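As an added example (not OpenSSH code and not from either message in the thread), the two exchanges discussed above run through one Python implementation of the RFC 7748 Montgomery ladder: only the prime, the a24 constant, the scalar clamping and the byte sizes differ between X25519 and X448, which is the sense in which a weakness in prime-field EC would hit both. `key_exchange` also rejects the all-zero shared secret that a low-order peer point produces, the check RFC 7748 section 6 calls for and that OpenSSH's curve25519 KEX performs.

```python
import os

P25519, P448 = 2**255 - 19, 2**448 - 2**224 - 1   # field primes (RFC 7748 section 4)

def _ladder(k: int, u: int, p: int, a24: int, bits: int) -> int:
    """Montgomery ladder from RFC 7748 section 5; the same code serves both curves."""
    x_1, x_2, z_2, x_3, z_3, swap = u, 1, 0, u, 1, 0
    for t in range(bits - 1, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        if swap:  # conditional swap; production code does this with masks, not a branch
            x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
        swap = k_t
        A, B = (x_2 + z_2) % p, (x_2 - z_2) % p
        AA, BB = A * A % p, B * B % p
        C, D = (x_3 + z_3) % p, (x_3 - z_3) % p
        DA, CB = D * A % p, C * B % p
        x_3, z_3 = pow(DA + CB, 2, p), x_1 * pow(DA - CB, 2, p) % p
        E = (AA - BB) % p
        x_2, z_2 = AA * BB % p, E * (AA + a24 * E) % p
    if swap:
        x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
    return x_2 * pow(z_2, p - 2, p) % p  # x_2 / z_2 by Fermat inversion

def x25519(k: bytes, u: bytes) -> bytes:
    kl = bytearray(k); kl[0] &= 248; kl[31] &= 127; kl[31] |= 64  # clamp scalar
    ul = bytearray(u); ul[31] &= 127                              # ignore unused top bit
    r = _ladder(int.from_bytes(kl, "little"), int.from_bytes(ul, "little"), P25519, 121665, 255)
    return r.to_bytes(32, "little")

def x448(k: bytes, u: bytes) -> bytes:
    kl = bytearray(k); kl[0] &= 252; kl[55] |= 128                # clamp scalar
    r = _ladder(int.from_bytes(kl, "little"), int.from_bytes(u, "little"), P448, 39081, 448)
    return r.to_bytes(56, "little")

# name -> (function, byte length, base point u-coordinate)
CURVES = {"x25519": (x25519, 32, 9), "x448": (x448, 56, 5)}

def key_exchange(name: str, priv_a: bytes = b"", priv_b: bytes = b"") -> bytes:
    """Full DH exchange: both sides derive K; reject the all-zero K that a
    low-order peer point produces (RFC 7748 section 6). Private keys are random
    unless supplied, e.g. to replay the RFC test vectors."""
    fn, size, base_u = CURVES[name]
    base = base_u.to_bytes(size, "little")
    a, b = priv_a or os.urandom(size), priv_b or os.urandom(size)
    pub_a, pub_b = fn(a, base), fn(b, base)
    k_a, k_b = fn(a, pub_b), fn(b, pub_a)
    if k_a != k_b or k_a == bytes(size):
        raise ValueError("key exchange failed or peer sent a low-order point")
    return k_a
```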
