Hello TAG!

I'm requesting a TAG review of adding support for Curve25519 in WebCrypto.

Today web developers are getting around the unavailability of Curve25519 in browser by either including an implementation of its operations in JavaScript or compiling a native one into WebAssembly. Aside from wasting bandwidth shipping algorithms that are already included in browsers that support TLS 1.3, this practice also has security implications, e.g. side-channel attacks as studied by Daniel Genkin et al.

• Explainer (minimally containing user needs and example code): https://github.com/tQsW/webcrypto-curve25519/blob/master/explainer.md
• Security and Privacy self-review: https://github.com/tQsW/webcrypto-curve25519/issues/1
• GitHub repo (if you prefer feedback filed there): https://github.com/tQsW/webcrypto-curve25519
• Primary contacts (and their relationship to the specification):
  • Qingsi Wang @tqsw, Google
• Organization/project driving the design: WebCrypto
• External status/issue trackers for this feature (publicly visible, e.g. Chrome Status): Not yet available

Further details:

• I have reviewed the TAG's API Design Principles
• The group where the work on this design is being done (or is intended to be done in the future): WebCrypto WG
• Existing major pieces of multi-stakeholder review or discussion of this design: N/A
• Major unresolved issues with or opposition to this design: N/A
• This work is being funded by: N/A

We'd prefer the TAG provide feedback as (please delete all but the desired option):

🐛 open issues in our GitHub repo for each point of feedback