ECC Safety and documentation recommendations

[philtreF]

Hi there,

I am not at all a cryptography expert.
However I heard about safe and unsafe Elliptic Curves. When following that documentation there is a recommendation for P-256 / prime256v1 / secp256r1 which is unsafe according to this website.

• With better and better Elliptic Curve Cryptography support on end devices, shouldn't the documentation move to Curve25519 recommendation?
• Before changing anything, can someone double-check what I found as I am unsure about what I read and understand?

Fred

[primetomas]

This is a rather academic debate. Unsafe in that definition dies not mean unsecure. While there was an argument from some for other curves, the vast majority of applications use P-256. For many applications P-256 is mandated, for example eCharging for electric vehicles, or web browsers and web servers. See for example section 6.1.5 in the CA/B Forum Baseline Requirement.
ECDSA with NIST curves is currently, I would state, the only EC combination that will give you maximum interoperability across applications, libraries and operating systems.

Curve25519 is used in Ed25519, so if you want to use that you should use EdDSA (Ed25519 or Ed448) instead of ECDSA. There is absolutely no movement to use Curve25519 in ECDSA.

The migration to other algorithms is now focusing on migrating to post-quantum cryptographic algorithms. See for examample NIST IR 8547 (draft). ECDSA and EdDSA will be replaced by new algorithms, currently ML-DSA being the preferred one (also available in EJBCA).

[philtreF]

Wow thank you for that comprehensive answer!
I have no other questions. Thank you.