Re: [auth48] [irsg] AUTH48: RFC-to-be 9496 <draft-irtf-cfrg-ristretto255-decaf448-08> for your review
Colin Perkins <csp@csperkins.org> Thu, 26 October 2023 07:33 UTC
Return-Path: <csp@csperkins.org>
X-Original-To: auth48archive@ietfa.amsl.com
Delivered-To: auth48archive@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDCB3C15108F; Thu, 26 Oct 2023 00:33:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=csperkins.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jxsdaXBFQAmv; Thu, 26 Oct 2023 00:33:12 -0700 (PDT)
Received: from mx2.mythic-beasts.com (mx2.mythic-beasts.com [IPv6:2a00:1098:0:82:1000:0:2:1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77C09C14CE3B; Thu, 26 Oct 2023 00:33:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=csperkins.org; s=mythic-beasts-k1; h=Date:Subject:To:From; bh=pba6flAe9vG6jYXdTPQjefHZITYCK8ijXdCfRBsu2qM=; b=K1GHN5uzuXlIuZkTglug/6AN3C Zofu60sNuW+95vH1bOh1bq7woZFjKp1VNNE0Gx2DsnpVmYdc6edIMn5GQjS24idLs9rB6pKw1vGdF Z6lj1yJjuGr0FaRps1tvc1aXBczQJ8bmBxzZ0yfvAjsjn1VpUP8MSNkmqw2n63I+8zUIXFBjJMon4 8Oht13StxSqB97DuOJCcTTbkwO9M6pjfd/w8Zx/QrCQvBY0RLrNoc0gbpW8o+xfH3KN+ychjQIhcF mYufF+7oQ0ALBWkbW4Dyitf3v1K+ROjOaXyDcc+gt31xVANw+TeK7zpmnvCEz4W7kzmyV+CLec4Bc pDt6RVGg==;
Received: by mailhub-hex-d.mythic-beasts.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <csp@csperkins.org>) id 1qvurW-00Dved-0Y; Thu, 26 Oct 2023 08:33:02 +0100
From: Colin Perkins <csp@csperkins.org>
To: Jack Grigg <ietf@jackgrigg.com>
Cc: Sandy Ginoza <sginoza@amsl.com>, ietf@shiftleft.org, ietf@filippo.io, ietf@gtank.cc, auth48archive@rfc-editor.org, ietf@hdevalence.ca, irsg@irtf.org, ietf@en.ciph.re, RFC Editor <rfc-editor@rfc-editor.org>
Date: Thu, 26 Oct 2023 08:32:37 +0100
X-Mailer: MailMate (1.14r5998)
Message-ID: <D5D50F18-1D1B-4AD8-8D09-D317586159BF@csperkins.org>
In-Reply-To: <CAPC=aNVbYSFhVte1MfDyx7=jN2Cz1jgORN_nKoGoxrt0qZkRVA@mail.gmail.com>
References: <20231013234718.C898513BB4C3@rfcpa.amsl.com> <CAPC=aNVj8KgnWQZccZmKB_6+YDQS36RpN_JDwfycQL2+dBx=9g@mail.gmail.com> <123B0C81-E529-4928-88DA-30C6BB6FCBC4@amsl.com> <CAPC=aNVbYSFhVte1MfDyx7=jN2Cz1jgORN_nKoGoxrt0qZkRVA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_MailMate_BA4E88C0-A557-46B9-9276-8E7A01D4CE8B_="
Embedded-HTML: [{"plain":[248, 15422], "uuid":"6FF10A0B-A444-4D5E-861C-906A72023CFB"}]
X-BlackCat-Spam-Score: 24
Archived-At: <https://mailarchive.ietf.org/arch/msg/auth48archive/FTx_3dcsjCjfjdkQu0DiqW7K8SY>
Subject: Re: [auth48] [irsg] AUTH48: RFC-to-be 9496 <draft-irtf-cfrg-ristretto255-decaf448-08> for your review
X-BeenThere: auth48archive@rfc-editor.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Archiving AUTH48 exchanges between the RFC Production Center, the authors, and other related parties" <auth48archive.rfc-editor.org>
List-Unsubscribe: <https://mailman.rfc-editor.org/mailman/options/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/auth48archive/>
List-Post: <mailto:auth48archive@rfc-editor.org>
List-Help: <mailto:auth48archive-request@rfc-editor.org?subject=help>
List-Subscribe: <https://mailman.rfc-editor.org/mailman/listinfo/auth48archive>, <mailto:auth48archive-request@rfc-editor.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Oct 2023 07:33:17 -0000
Hi, The consensus attribute does have meaning for the IRTF stream and selects between two different versions of the boilerplate. https://www.rfc-editor.org/styleguide/headers-and-boilerplate/ Colin On 26 Oct 2023, at 4:22, Jack Grigg wrote: > Hi, > > On Tue, Oct 24, 2023 at 10:22 AM Sandy Ginoza <sginoza@amsl.com> > wrote: > >> Hi Authors, >> >> Jack, thank you for your reply - please send along comments and >> updates >> from your review once complete. >> > > Apologies for the delay on this; I got COVID for the first time a few > weeks > ago, and my "next week" was entirely too optimistic about how quickly > I'd > recover. I'm about half-way through my final review, and will > hopefully > complete it in the next few days. > > Part of my review process involved porting the RFC Editor changes to > our > reference Markdown source code, and regenerating the XML from that > with > mmark. I have found a few differences between what the RFC Editor > provided > and what mmark generates; some of them are just formatting (or > generation > of empty blocks), and some of them look like bugs or unimplemented > features > in mmark (for which I am opening issues). There is one point I am > unclear > on however, that I would like to clarify. > > The RFC Editor changed the document stream metadata from IETF to IRTF, > and > also added the attribute consensus = "true". mmark only adds the > consensus > attribute for documents in the IETF stream > <https://github.com/mmarkdown/mmark/blob/3d25d9375c96315e75624f8f5b9d814d870e35fe/render/xml/title.go#L46-L52> > . > RFC 7991 doesn't say > <https://datatracker.ietf.org/doc/html/rfc7991#section-2.45.2> whether > the > consensus attribute is stream-dependent, and points to RFC 7841, which > in > an appendix > <https://datatracker.ietf.org/doc/html/rfc7841#appendix-A.2.2> > appears to indicate that consensus language can be present for IRFT > stream > documents. Is it intended that the consensus attribute be used with > IRTF > stream documents (i.e. is this a bug in mmark)? > > >> >> Authors, please review the document and let us know if any updates >> are >> needed. >> > > Once my review is complete, I will reply here with both the generated > XML, > and links to the GitHub repo with diffs of all formats. > > Cheers, > Jack > > >> >> Thank you, >> RFC Editor/sg >> >>> On Oct 13, 2023, at 10:36 PM, Jack Grigg <ietf@jackgrigg.com> wrote: >>> >>> Hi all, >>> >>> Thank you RFC Editor/sg/ap for your work! I will perform my final >>> review >> next week, but in the interim I can respond to some of the questions. >>> >>> For clarity, this email is NOT suggesting any immediate changes to >>> the >> text (I will make my own suggestions after my review). >>> >>> On Sat, Oct 14, 2023 at 12:47 PM <rfc-editor@rfc-editor.org> >>> wrote: >>> Authors, >>> >>> While reviewing this document during AUTH48, please resolve (as >> necessary) the following questions, which are also in the XML file. >>> >>> 1) <!-- [rfced] Please insert any keywords (beyond those that appear >>> in >> the title) for use on https://www.rfc-editor.org/search. --> >>> >>> >>> 2) <!-- [rfced] Please ensure that the guidelines listed in Section >>> 2.1 >> of RFC 5743 >>> have been adhered to in this document. See >>> https://www.rfc-editor.org/rfc/rfc5743.html#section-2.1. >>> --> >>> >>> >>> 3) <!-- [rfced] Please consider including a reference for "Discrete >>> Log >> Hardness". >>> We do not see this phrase in RFCs and we did not find directly >>> matching >> hits via >>> our general searches. Is this the same as the "hardness of the >>> discrete >> logarithm >>> problem"? >>> >>> Original: >>> This means the group has a cofactor >>> of 1, and all elements are equivalent from the perspective of >>> Discrete Log Hardness. >>> --> >>> >>> >>> I think that "Discrete Log Hardness" and "hardness of the discrete >> logarithm problem" could be used interchangeably here. >>> >>> >>> 4) <!-- [rfced] We have updated the following for readability. >>> Please >> review to >>> ensure we have not altered the meaning. >>> >>> Original: >>> Edwards curves provide a number of implementation benefits for >>> cryptography, such as complete addition formulas with no >>> exceptional >>> points and formulas among the fastest known for curve operations. >>> >>> Current: >>> Edwards curves provide a number of implementation benefits for >>> cryptography, such as complete addition formulas with no >>> exceptional >>> points and formulas known to be among the fastest for curve >>> operations. >>> --> >>> >>> >>> 5) <!-- [rfced] Is "hash_to_curve" considered an algorithm? RFC 9380 >> refers to >>> it as an encoding function. >>> >>> Original: >>> In some contexts this property would be a weakness, but it is >>> important in some contexts: in particular, it means that a >>> combination of a cryptographic hash function and the element >>> derivation function is suitable for use in algorithms such as >>> hash_to_curve [draft-irtf-cfrg-hash-to-curve-16]. >>> --> >>> >>> >>> A "hash-to-curve algorithm" is something we would have referred to, >>> yes. >> This specific reference should be adjusted however, because the >> now-published RFC 9380 specifically constrains the definition of >> hash_to_curve, and in Appendix B defines hash_to_ristretto255 with >> the same >> security properties and interface (and similarly for decaf448 in >> Appendix >> C). I'll think about a suggestion during my review. >>> >>> Relatedly, I notice that RFC 9380 refers to an old version of this >> RFC-to-be. Once RFC 9496 is published, I presume that RFC 9380's >> reference >> will be fixed? Their reference link is the one that implementers will >> be >> following more (our reference here is effectively an informational >> backlink). >>> >>> >>> 6) <!-- [rfced] To what does "its" refer in the last sentence? >>> >>> Original (the paragraph is provided for context): >>> Since ristretto255 is a prime-order group, every element except >>> the >>> identity is a generator, but for interoperability a canonical >>> generator is selected, which can be internally represented by the >>> Curve25519 basepoint, enabling reuse of existing precomputation >>> for >>> scalar multiplication. This is its encoding as produced by the >>> function specified in Section 4.3.2: >>> --> >>> >>> >>> "its" in the last sentence refers to "a canonical generator" in the >> previous sentence. >>> >>> >>> 7) <!-- [rfced] May we change "reflect" to "note" here? >>> >>> Original: >>> Implementations SHOULD reflect that: the >>> type representing an element of the group SHOULD be opaque to the >>> caller, meaning they do not expose the underlying curve point or >>> field elements. >>> >>> Suggested: >>> Implementations SHOULD note that the >>> type representing an element of the group SHOULD be opaque to the >>> caller, meaning they do not expose the underlying curve point or >>> field elements. >>> --> >>> >>> >>> I don't think so, assuming that "note" is meant in the sense "to >>> take >> notice of". The SHOULD applies as-written to implementations, not >> implementers. An implementation reflects what its implementer has >> noted. >>> >>> I will consider during my review whether in context "Implementations >> SHOULD reflect" or "Implementers SHOULD note" makes more sense. >>> >>> >>> 8) <!--[rfced] May we clarify "allowed operations" as follows? >>> >>> Original: >>> The decoding >>> function always returns a valid internal representation, or an >>> error, >>> and allowed operations on valid internal representations return >>> valid >>> internal representations. >>> >>> Perhaps: >>> The decoding >>> function always returns a valid internal representation, or an >>> error, >>> and operations that are allowed on valid internal representations >> return valid >>> internal representations. >>> --> >>> >>> >>> 9) <!-- [rfced] FYI, we have alphabetized the references. Please let >>> us >> know >>> of any objections. >>> --> >>> >>> >>> 10) <!-- [rfced] The sourcecode in Appendices A.1, A.2, and A.3 >>> extend >>> beyond the 69-character margin. Please let us know how the lines >>> may >>> be broken. >>> --> >>> >>> >>> As these are not actual source code with established parsing rules, >> breaking the lines must be done carefully to ensure that adjacent >> test >> vectors are correctly separated. I'll make a suggestion to this >> effect in >> my review. >>> >>> >>> 11) <!-- [rfced] Please review whether any of the notes in this >>> document >>> should be in the <aside> element. It is defined as "a container for >>> content that is semantically less important or tangential to the >>> content that surrounds it" ( >> https://authors.ietf.org/en/rfcxml-vocabulary#aside). >>> --> >>> >>> >>> 12) <!-- [rfced] Please review the "Inclusive Language" portion of >>> the >> online >>> Style Guide < >> https://www.rfc-editor.org/styleguide/part2/#inclusive_language> >>> and let us know if any changes are needed. >>> >>> For example, please consider whether "whitespace" should be updated. >>> --> >>> >>> >>> "Whitespace" here means any character that represents horizontal or >> vertical space in typography ( >> https://en.wikipedia.org/wiki/Whitespace_character). To my knowledge >> there are no "positive or less harmful" connotations associated with >> this >> term (unlike other historic terms of art in computer science), and I >> don't >> know of another term that denotes the same set. But really all we >> need here >> is a concise way to say "if you're copy-pasting these hex strings >> into your >> code, any spaces, tabs, newlines, or whatever else the rendered >> version of >> this RFC happens to put into those gaps can be ignored and must be >> removed, >> and the position of them is irrelevant". >>> >>> Cheers, >>> Jack >>> >>> >>> Thank you. >>> >>> RFC Editor/sg/ap >>> >>> >>> On Oct 13, 2023, at 4:46 PM, rfc-editor@rfc-editor.org wrote: >>> >>> *****IMPORTANT***** >>> >>> Updated 2023/10/13 >>> >>> RFC Author(s): >>> -------------- >>> >>> Instructions for Completing AUTH48 >>> >>> Your document has now entered AUTH48. Once it has been reviewed and >>> approved by you and all coauthors, it will be published as an RFC. >>> If an author is no longer available, there are several remedies >>> available as listed in the FAQ (https://www.rfc-editor.org/faq/). >>> >>> You and you coauthors are responsible for engaging other parties >>> (e.g., Contributors or Working Group) as necessary before providing >>> your approval. >>> >>> Planning your review >>> --------------------- >>> >>> Please review the following aspects of your document: >>> >>> * RFC Editor questions >>> >>> Please review and resolve any questions raised by the RFC Editor >>> that have been included in the XML file as comments marked as >>> follows: >>> >>> <!-- [rfced] ... --> >>> >>> These questions will also be sent in a subsequent email. >>> >>> * Changes submitted by coauthors >>> >>> Please ensure that you review any changes submitted by your >>> coauthors. We assume that if you do not speak up that you >>> agree to changes submitted by your coauthors. >>> >>> * Content >>> >>> Please review the full content of the document, as this cannot >>> change once the RFC is published. Please pay particular >>> attention to: >>> - IANA considerations updates (if applicable) >>> - contact information >>> - references >>> >>> * Copyright notices and legends >>> >>> Please review the copyright notice and legends as defined in >>> RFC 5378 and the Trust Legal Provisions >>> (TLP – https://trustee.ietf.org/license-info/). >>> >>> * Semantic markup >>> >>> Please review the markup in the XML file to ensure that elements >>> of >>> content are correctly tagged. For example, ensure that >>> <sourcecode> >>> and <artwork> are set correctly. See details at >>> <https://authors.ietf.org/rfcxml-vocabulary> . >>> >>> * Formatted output >>> >>> Please review the PDF, HTML, and TXT files to ensure that the >>> formatted output, as generated from the markup in the XML file, >>> is >>> reasonable. Please note that the TXT will have formatting >>> limitations compared to the PDF and HTML. >>> >>> >>> Submitting changes >>> ------------------ >>> >>> To submit changes, please reply to this email using ‘REPLY ALL’ >>> as all >>> the parties CCed on this message need to see your changes. The >>> parties >>> include: >>> >>> * your coauthors >>> >>> * rfc-editor@rfc-editor.org (the RPC team) >>> >>> * other document participants, depending on the stream (e.g., >>> IETF Stream participants are your working group chairs, the >>> responsible ADs, and the document shepherd). >>> >>> * auth48archive@rfc-editor.org, which is a new archival mailing >> list >>> to preserve AUTH48 conversations; it is not an active >>> discussion >>> list: >>> >>> * More info: >>> >> https://mailarchive.ietf.org/arch/msg/ietf-announce/yb6lpIGh-4Q9l2USxIAe6P8O4Zc >>> >>> * The archive itself: >>> https://mailarchive.ietf.org/arch/browse/auth48archive/ >>> >>> * Note: If only absolutely necessary, you may temporarily opt >>> out >>> of the archiving of messages (e.g., to discuss a sensitive >> matter). >>> If needed, please add a note at the top of the message that >>> you >>> have dropped the address. When the discussion is concluded, >>> auth48archive@rfc-editor.org will be re-added to the CC list >> and >>> its addition will be noted at the top of the message. >>> >>> You may submit your changes in one of two ways: >>> >>> An update to the provided XML file >>> — OR — >>> An explicit list of changes in this format >>> >>> Section # (or indicate Global) >>> >>> OLD: >>> old text >>> >>> NEW: >>> new text >>> >>> You do not need to reply with both an updated XML file and an >>> explicit >>> list of changes, as either form is sufficient. >>> >>> We will ask a stream manager to review and approve any changes that >>> seem >>> beyond editorial in nature, e.g., addition of new text, deletion of >> text, >>> and technical changes. Information about stream managers can be >>> found >> in >>> the FAQ. Editorial changes do not require approval from a stream >> manager. >>> >>> >>> Approving for publication >>> -------------------------- >>> >>> To approve your RFC for publication, please reply to this email >>> stating >>> that you approve this RFC for publication. Please use ‘REPLY >>> ALL’, >>> as all the parties CCed on this message need to see your approval. >>> >>> >>> Files >>> ----- >>> >>> The files are available here: >>> https://www.rfc-editor.org/authors/rfc9496.xml >>> https://www.rfc-editor.org/authors/rfc9496.html >>> https://www.rfc-editor.org/authors/rfc9496.pdf >>> https://www.rfc-editor.org/authors/rfc9496.txt >>> >>> Diff file of the text: >>> https://www.rfc-editor.org/authors/rfc9496-diff.html >>> https://www.rfc-editor.org/authors/rfc9496-rfcdiff.html (side by >> side) >>> >>> Diff of the XML: >>> https://www.rfc-editor.org/authors/rfc9496-xmldiff1.html >>> >>> >>> Tracking progress >>> ----------------- >>> >>> The details of the AUTH48 status of your document are here: >>> https://www.rfc-editor.org/auth48/rfc9496 >>> >>> Please let us know if you have any questions. >>> >>> Thank you for your cooperation, >>> >>> RFC Editor >>> >>> -------------------------------------- >>> RFC9496 (draft-irtf-cfrg-ristretto255-decaf448-08) >>> >>> Title : The ristretto255 and decaf448 Groups >>> Author(s) : H. Valence, J. Grigg, M. Hamburg, I. Lovecruft, >>> G. >> Tankersley, F. Valsorda >>> WG Chair(s) : >>> Area Director(s) : >>> >>> >> >>
- [auth48] AUTH48: RFC-to-be 9496 <draft-irtf-cfrg-… rfc-editor
- Re: [auth48] AUTH48: RFC-to-be 9496 <draft-irtf-c… rfc-editor
- Re: [auth48] AUTH48: RFC-to-be 9496 <draft-irtf-c… Jack Grigg
- Re: [auth48] AUTH48: RFC-to-be 9496 <draft-irtf-c… Sandy Ginoza
- Re: [auth48] AUTH48: RFC-to-be 9496 <draft-irtf-c… Sandy Ginoza
- Re: [auth48] AUTH48: RFC-to-be 9496 <draft-irtf-c… Jack Grigg
- Re: [auth48] AUTH48: RFC-to-be 9496 <draft-irtf-c… Sandy Ginoza
- Re: [auth48] [irsg] AUTH48: RFC-to-be 9496 <draft… Colin Perkins
- Re: [auth48] AUTH48: RFC-to-be 9496 <draft-irtf-c… Henry de Valence
- Re: [auth48] AUTH48: RFC-to-be 9496 <draft-irtf-c… Mike Hamburg
- Re: [auth48] [irsg] AUTH48: RFC-to-be 9496 <draft… Jack Grigg
- Re: [auth48] [irsg] AUTH48: RFC-to-be 9496 <draft… Colin Perkins
- Re: [auth48] AUTH48: RFC-to-be 9496 <draft-irtf-c… Henry de Valence
- Re: [auth48] [irsg] AUTH48: RFC-to-be 9496 <draft… Jack Grigg
- Re: [auth48] AUTH48: RFC-to-be 9496 <draft-irtf-c… Rebecca VanRheenen
- Re: [auth48] [irsg] AUTH48: RFC-to-be 9496 <draft… Rebecca VanRheenen
- Re: [auth48] [irsg] AUTH48: RFC-to-be 9496 <draft… Jack Grigg
- Re: [auth48] [irsg] AUTH48: RFC-to-be 9496 <draft… Rebecca VanRheenen
- [auth48] [Document Shepherd] Re: [irsg] AUTH48: R… Rebecca VanRheenen
- Re: [auth48] [Document Shepherd] [irsg] AUTH48: R… Christopher Wood
- Re: [auth48] [Document Shepherd] [irsg] AUTH48: R… Rebecca VanRheenen
- Re: [auth48] [Document Shepherd] [irsg] AUTH48: R… isis agora lovecruft
- Re: [auth48] [Document Shepherd] [irsg] AUTH48: R… Christopher Wood
- Re: [auth48] [Document Shepherd] [irsg] AUTH48: R… Rebecca VanRheenen
- Re: [auth48] [Document Shepherd] [irsg] AUTH48: R… Rebecca VanRheenen
- Re: [auth48] [Document Shepherd] [irsg] AUTH48: R… Rebecca VanRheenen
- Re: [auth48] [Document Shepherd] [irsg] AUTH48: R… Rebecca VanRheenen
- Re: [auth48] [Document Shepherd] [irsg] AUTH48: R… Rebecca VanRheenen
- Re: [auth48] [irsg] AUTH48: RFC-to-be 9496 <draft… Rebecca VanRheenen