Open sebdanielsson opened 4 years ago
Yes, X25519 is a ~128-bit key, and you need at least ~256-bit keys to get 100% according to the current scoring. If you want an Ed curve, the one you have to use is X448, but it is not widely supported.
> X25519 is a ~128-bit key

no, it isn't.
> and you need at least ~256-bit keys to get 100% according to the current scoring

no, the requirement for 100% is higher than 256 bits.
@hotaru2k3 Please prove me wrong. The author himself says Curve25519 is around 128 bits of security:
> High security level. This system has a 2^128 security target; breaking it has similar difficulty to breaking NIST P-256, RSA with ~3000-bit keys, strong 128-bit block ciphers, etc. The best attacks known actually cost more than 2^140 bit operations on average, and degrade quadratically in success probability as the number of bit operations drops.

Same for Curve448, which is more precisely around ~224 bits. This article also goes into more detail about the 128-bit security of curves like 25519.
@ArchangeGabriel if the key was only 128 bits, the security level would be 64 bits, which would be obviously insecure.
OK, sorry if I was unclear before, I meant 128 bits AES-equivalent. Just as RSA 2048 is for instance.
When configuring NGINX with
ssl_ecdh_curve X25519:secp384r1;
you currently get a score penalty of 10% compared to using only ssl_ecdh_curve secp384r1;
Is there a reason for this?