
Intent to Ship: X25519 algorithm of the Web Cryptography API


Javier Fernandez

Nov 22, 2024, 5:46:22 AM
to blink-dev

Contact emails

jfern...@igalia.com

Explainer

https://github.com/WICG/webcrypto-secure-curves/blob/main/explainer.md

Specification

https://wicg.github.io/webcrypto-secure-curves/#x25519

Design docs

https://docs.google.com/document/d/1fDTUY3HVAXehi-eSfbi7nxh8ZPw4MpSKM8U1fMdqJlU/edit?tab=t.0#heading=h.9w6b5q5ro96v

Summary

The "X25519" algorithm provides tools to perform key agreement using the X25519 function specified in [RFC7748]. The "X25519" algorithm identifier can be used in the SubtleCrypto interface to access the implemented operations:

* generateKey
* importKey
* exportKey
* deriveKey
* deriveBits



Blink component

Blink>WebCrypto

Search tags

webcrypto

TAG review

https://github.com/w3ctag/design-reviews/issues/466

TAG review status

Issues addressed

Risks



Interoperability and Compatibility

The feature is implemented in Safari and Firefox so the interoperability risk is low.



Gecko: Shipped/Shipping (https://bugzilla.mozilla.org/show_bug.cgi?id=1904836)

WebKit: In development (https://bugs.webkit.org/show_bug.cgi?id=258279)

Web developers: No signals

Other signals:

Ergonomics

This feature depends on the underlying crypto APIs provided by the browser, which nowadays are provided by the BoringSSL component.



Activation

No activation risks are identified.



Security

This feature doesn't imply additional security risks, beyond the ones defined in the Security Considerations of the Web Cryptography API specification. https://www.w3.org/TR/WebCryptoAPI/#security-considerations



WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

None



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

Yes

The X25519 feature has good coverage by the WPT WebCryptoAPI test suite: https://wpt.fyi/results/WebCryptoAPI?label=experimental&label=master&aligned



Flag name on about://flags

None

Finch feature name

WebCryptoCurve25519

Requires code in //chrome?

False

Tracking bug

https://issues.chromium.org/issues/378856322

Sample links


https://github.com/WICG/webcrypto-secure-curves/blob/main/explainer.md

Estimated milestones

Shipping on desktop 133
Shipping on Android 133
Shipping on WebView 133
Shipping on iOS 133


Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

None

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/6291245926973440?gate=5086894952808448

Links to previous Intent discussions

Intent to Prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/n0uKIqfypW0/m/xu5UBbaBAwAJ


This intent message was generated by Chrome Platform Status.
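
The key-agreement flow that the Summary describes, as an added example that is not part of the original post or of any browser's code. It assumes a runtime that already exposes the "X25519" identifier; `deriveSharedSecret`, `toAesKey` and `demo` are hypothetical names, and the all-zero public key is constructed input standing in for a small-order point.

```javascript
// Added example: X25519 agreement via SubtleCrypto with a defensive all-zero check.
// Assumption: the Node fallback below is only there to run outside a browser.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;
const X25519 = { name: "X25519" };

// Import a peer's raw 32-byte public key and derive the 32-byte shared secret.
// Fails if the implementation throws or if the output is all zeros, so the
// caller is protected whichever way the engine handles small-order inputs.
async function deriveSharedSecret(privateKey, rawPeerPublic) {
  const peer = await subtle.importKey("raw", rawPeerPublic, X25519, true, []);
  const bits = new Uint8Array(
    await subtle.deriveBits({ name: "X25519", public: peer }, privateKey, 256)
  );
  if (bits.every((b) => b === 0)) {
    throw new Error("X25519 output is all zeros (small-order public key)");
  }
  return bits;
}

// Run the raw secret through HKDF rather than using it directly as a key.
async function toAesKey(secret, info) {
  const ikm = await subtle.importKey("raw", secret, "HKDF", false, ["deriveKey"]);
  return subtle.deriveKey(
    { name: "HKDF", hash: "SHA-256", salt: new Uint8Array(32), info },
    ikm, { name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]
  );
}

async function demo() {
  const alice = await subtle.generateKey(X25519, true, ["deriveBits"]);
  const bob = await subtle.generateKey(X25519, true, ["deriveBits"]);
  const alicePub = new Uint8Array(await subtle.exportKey("raw", alice.publicKey));
  const bobPub = new Uint8Array(await subtle.exportKey("raw", bob.publicKey));

  // Both sides must arrive at the same 32 bytes.
  const a = await deriveSharedSecret(alice.privateKey, bobPub);
  const b = await deriveSharedSecret(bob.privateKey, alicePub);
  const agree = a.length === 32 && a.every((v, i) => v === b[i]);

  // Constructed input: 32 zero bytes as the peer's public key.
  let smallOrderRejected = false;
  try { await deriveSharedSecret(alice.privateKey, new Uint8Array(32)); }
  catch { smallOrderRejected = true; }

  const key = await toAesKey(a, new TextEncoder().encode("demo"));
  return { agree, smallOrderRejected, keyAlg: key.algorithm.name };
}
```
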

Domenic Denicola

Nov 24, 2024, 11:57:23 PM
to Javier Fernandez, blink-dev
Has there been any attempt to merge this into the main Web Crypto specification? It's best to avoid monkey patch specifications, and if this is indeed implemented in two browsers, that merger should be relatively easy.
 



> Web developers: No signals

Why are we shipping this if no web developers are interested in using it?
 
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/577e4b0b-bc9c-4d7a-90a6-dbd25c3318b3%40igalia.com.

Javier Fernandez

Nov 25, 2024, 4:34:17 AM
to Domenic Denicola, blink-dev

Hi Domenic,

On 25/11/24 5:56, Domenic Denicola wrote:


On Fri, Nov 22, 2024 at 7:46 PM Javier Fernandez <jfern...@igalia.com> wrote:

> Has there been any attempt to merge this into the main Web Crypto specification? It's best to avoid monkey patch specifications, and if this is indeed implemented in two browsers, that merger should be relatively easy.
 


Yes, there is a PR [1] that has been approved by Mozilla and Apple, and we are waiting for someone from Chrome to follow. It was also discussed in a WebAppSec WG meeting 2 months ago, when some issues were identified; those were already addressed, so I believe it's ready to be merged.

[1] https://github.com/w3c/webcrypto/pull/362

Daniel Huigens

Nov 25, 2024, 9:43:05 AM
to blink-dev, Domenic Denicola, Javier Fernandez, blink-dev
Hi Domenic (and Javier),

On Monday, November 25 2024 at 05:57:23 UTC+1, Domenic Denicola wrote:
> Web developers: No signals
>
> Why are we shipping this if no web developers are interested in using it?

There are positive signals from web developers here: https://github.com/w3c/webcrypto/issues/196.
The IPFS project is also interested, for example: https://github.com/ipfs/in-web-browsers/issues/204.
And, speaking with developer-hat rather than draft-author-hat, Proton is also interested in using this :)
I'm quite confident there are many others, as X25519 is very widely used.
Even in the transition to post-quantum cryptography, X25519 is often (proposed to be) used in a hybrid construction, as in https://www.ietf.org/archive/id/draft-connolly-cfrg-xwing-kem-06.html, for example.

Best,
Daniel


---

Daniel Huigens
Cryptography Team Lead
Proton AG

Domenic Denicola

Nov 26, 2024, 12:09:49 AM
to Javier Fernandez, David Benjamin, Domenic Denicola, blink-dev
Awesome, thank you! +David Benjamin, do you have any concerns about whether the spec PR is at a sufficient level of detail to achieve interoperability? It seems like it's gone through a good amount of review to me, so I'm inclined to approve as an API owner, but if you have time to chime in that would be helpful to confirm.

Javier, can you speak to whether there's web platform test coverage for the tricky issues that were discussed on the PR, e.g. the three listed in your last comment?
 

Javier Fernandez

Nov 26, 2024, 4:12:25 AM
to blin...@chromium.org

Hi.


> Javier, can you speak to whether there's web platform test coverage for the tricky issues that were discussed on the PR, e.g. the three listed in your last comment?
 


First of all, the PR is to merge both X25519 and Ed25519 algorithms. This intent is just for the X25519, since the Ed25519 is still not ready and needs more spec work. We all think that this work can be done as part of the new Web Cryptography spec draft.

The deriveBits interop issue is the only one affecting the X25519 algorithm. There were already tests, but I have added a few more as part of bug fixes on the different browsers (mostly Firefox and Safari). I'm pretty sure we have good coverage on this issue already.

Let me use the email to clarify the other issues that were identified as part of the PR discussion. Regarding the small-order checks, I have added test cases to cover the most important uses of small-order points. We could add more if we want to be exhaustive.

Finally, the issue of random EdDSA signatures is still not clear enough to define tests, IMHO. We had some in the past, which were useful to detect the interop issue with WebKit. However, since WebKit considers this feature mandatory, we have removed the tests that checked for a deterministic signature. The Secure Curves spec doesn't explicitly state that the signatures must be deterministic; it just refers to the RFC8032 paper where the Ed25519 signing algorithm is specified. The CFRG has discussed this issue and they are considering taking on a -bis document to modify the Ed25519 algorithm, but we reached a consensus in the PR that we can merge the current text, registering the issues about small-order points and randomized signatures, and work on them as part of the Web Crypto spec draft.





Domenic Denicola

Dec 1, 2024, 9:11:41 PM
to Javier Fernandez, blin...@chromium.org
Thanks for taking the time to answer all my questions. LGTM1.

Please continue working on getting the spec PR merged, although I understand that's waiting on reviewers so is largely out of your control.


Rick Byers

Dec 2, 2024, 11:13:59 AM
to Domenic Denicola, Javier Fernandez, blin...@chromium.org

Mike Taylor

Dec 2, 2024, 8:49:26 PM
to Rick Byers, Domenic Denicola, Javier Fernandez, blin...@chromium.org

Javier Fernandez

Dec 5, 2024, 11:32:31 AM
to blin...@chromium.org

Hi,

Thank you all for reviewing the request.

I just wanted to inform you that the PR to add X25519 and Ed25519 to the WebCrypto specification has already been merged.

https://github.com/w3c/webcrypto/pull/362#issuecomment-2519927404

Rick Byers

Dec 5, 2024, 12:56:37 PM
to Javier Fernandez, blin...@chromium.org
Perfect, thanks for the update Javier!
