Re: [Cfrg] should the CFRG really strive for consensus?
Watson Ladd <watsonbladd@gmail.com> Wed, 31 December 2014 21:26 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F2621A1B16 for <cfrg@ietfa.amsl.com>; Wed, 31 Dec 2014 13:26:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.101
X-Spam-Level:
X-Spam-Status: No, score=-0.101 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4YAadRfbCVLM for <cfrg@ietfa.amsl.com>; Wed, 31 Dec 2014 13:26:23 -0800 (PST)
Received: from mail-yk0-x233.google.com (mail-yk0-x233.google.com [IPv6:2607:f8b0:4002:c07::233]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6023C1A1B0C for <cfrg@irtf.org>; Wed, 31 Dec 2014 13:26:23 -0800 (PST)
Received: by mail-yk0-f179.google.com with SMTP id 19so8030839ykq.38 for <cfrg@irtf.org>; Wed, 31 Dec 2014 13:26:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=QRKmUiIkXErXEr04oyl8bSk/gULbMV1CyrSzFZsOTJE=; b=apaS65MXe2UshpAVnaqzLzvKo6Na/iYIjUb4Pdvcd0KCRec6/FNfELF644oB3N/o81 BBln0ACPV2CCpr+VO9OmHHidTlaIgUO+qK/lfrbZZE12bJCpMzIcc8nUXdnndMIcE1lX KJ5LP23F1HemEKgzRfGriRLyOrEhWw0dm5nrQRdcG+aFOvL9e5R/xCh2nzambRCBZuxY BKg+/CwAWVe1k/aBO1g+1YtPnKz1H9Jgc/PVnxQEMOs2BUiQ/N1s/aNlB1/HowIKjz6S MYOitd6GJeq024IqOzQBbBT57mZfR9uifaYxb5JhA1+Ne4NyVbQ+rMrmyV4Kv95a/8A9 alow==
MIME-Version: 1.0
X-Received: by 10.236.11.45 with SMTP id 33mr45023353yhw.4.1420061182547; Wed, 31 Dec 2014 13:26:22 -0800 (PST)
Received: by 10.170.207.6 with HTTP; Wed, 31 Dec 2014 13:26:22 -0800 (PST)
In-Reply-To: <1420042774.10106.10.camel@scientia.net>
References: <CAMfhd9V4tnjQL-orjTjX3KS=-XZRn0snAPrVwmP6pZH_20Cfgg@mail.gmail.com> <1420033807.4638.16.camel@scientia.net> <CAMfhd9V5-Y60fGqCDfmCvk9+9bqm0zpm3kSHmR5_mzELZ2K+Dw@mail.gmail.com> <1420042774.10106.10.camel@scientia.net>
Date: Wed, 31 Dec 2014 16:26:22 -0500
Message-ID: <CACsn0c=jEXhbUQt7FqZ_KqYQqq0NJsdZow=TEZ2G0te2SUb0RA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Christoph Anton Mitterer <calestyo@scientia.net>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/4JSmudR2AJnACh3W64F_GX0LOD8
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] should the CFRG really strive for consensus?
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Dec 2014 21:26:26 -0000
On Wed, Dec 31, 2014 at 11:19 AM, Christoph Anton Mitterer <calestyo@scientia.net> wrote: > On Wed, 2014-12-31 at 14:44 +0000, Adam Langley wrote: >> If you believe in the security of curve25519 then you also believe in >> the security of Microsoft's current position at ~128 bits. They have >> the same structure and thus strictly the same strength. > My point wasn't specifically about that discrepancy between curve25519 > and MS' position... as you pointed out already in your previous email, > they have the same security, by all means of current knowledge.... > > >> IRTF groups do not, technically, have to reach consensus. However, >> everyone does have to function on the same Internet at the end of the >> day. > ... my point was rather about the general political problem that still > hides behind the "now open and no longer NIST controlled" > standardisation process of crypto stuff: > Even though the current example of MS vs. "everyone else" may not be a > security problem, it still shows that the whole process would be kinda > "vulnerable" to manipulations - namely if a big player puts pressure on > the CFRG on behalf of his own ideas (which may - or may not - have some > evil hidden within). Yeah, but we would be done now if that was what was going on. Might even be worth it ;) What people might not be aware of, particularly if they joined the list late, is that we've been discussing all of these proposals (except for 2^389-21) since April. Nothing new has been discovered. Yet we've missed two self-imposed deadlines, and have no visible plan to actually meet hard external deadlines, coming close to a year since we decided to start. Why? Unclear. We've had requests since 2010 to add X25519 to TLS. In the meantime, Brainpool and ANSSI curves got added without this mess. Why are we treating Curve25519 differently from these national standards? And why did it take so long for the initial request to get sent to CFRG? Irrelevant the problem we face now, but interesting in considering how avoid it in the future, or, punt it to someone else. The CFRG is potentially very good at answering questions about security. But we shouldn't be surprised that it is bad at having to make choices, particularly when one group remains determined to stay in the running by consistently modifying its proposal as issues are raised. The net effect is that people will go out of their way to not involve CFRG, new cryptography will not get proposed, and attempts to ensure that protocols are reviewed by people who know what they are doing in cryptography will meet resistance due to the long delay that will be feared. The IRTF and IETF leadership bear a substantial amount of blame for this situation, as does the leadership of the TLS WG. By kicking over to the CFRG a question that wasn't "is X25519 secure? What are the issues with adoption?", they managed to ensnare us. Meanwhile, SSH continues to adopt Ed25519, and X25519 without a problem. The proposed longer curve over 2^384-317 or whatever, is inferior in security to the equally fast Ed448, and equal in security to the 8% faster 2^389-21. This is a substantial difference between the proposals, and is not going away, even with the lower-security curve being a bikeshed color away from X25519. It's the same difference between Curve25519 and the original NUMS proposal in terms of prime. The NUMS group has repeatedly explained that they will not take their ball and go home, and I doubt that IE and IIS will make the decision to support or not based on whether or not we pick the NUMS proposal, which has been repeatedly modified to try to stay in the game. The concern that we need an actual consensus, or Microsoft won't add these curves, is one I think is overblown, judging from public statements from many of the proponents of the NUMS draft. The fewer differences between the two rival proposals there are, the more pointless this debate gets. In April the differences were in point format on the wire, choice of prime (with DJB et al favoring faster primes, and NUMS slower primes) and signature method. Now we've eliminated the point format difference, leaving the prime choice difference, except that the 2^255-19 prime is now being used by both, and NUMS is open to adding a different signature scheme in addition to their FrankenECDSA proposal, of which several implementors have been skeptical of the utility. The choice is between the extra security of Ed448, extra speed of 2^389-21, or a prime with few redeeming features. Far from being "not horrible", the NUMS proposal is pure bikeshedding at the 255 bit length, and retains some of the original disadvantages at the 384 length. We don't know how well it performs in as much detail as I would like, because there has not been an eBATS submission. Almost all of the bad original features of the NUMS proposal have been fixed: they are now proposing the point format for ECDH that was originally suggested for Curve25519, have corrected the use of incomplete coordinates, and I think any remaining questions about signatures are uncontroversial enough to be easily resolved. (If one sentence will get thrown back at me, this one is it) TL,DR: I think there are technical factors in favor of either Ed448 or 2^389-21 over the proposed prime at the 384 bit level, either extra security or extra speed. If the chairs think it necessary to pick the 2^384-317 prime for political reasons they should do, ruling that at the 384 level the extra performance or security are less important. They shouldn't rely on the variance between differing benchmarking systems as an excuse, or try to claim a political choice as due to spurious technical reasons: I doubt anyone is going to be fooled and it will only further undermine the reputation of CFRG. Sincerely, Watson Ladd > > > Cheers, > Chris. > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg > -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- [Cfrg] Whether the performance advantage of small… Adam Langley
- [Cfrg] should the CFRG really strive for consensu… Christoph Anton Mitterer
- Re: [Cfrg] should the CFRG really strive for cons… Adam Langley
- Re: [Cfrg] should the CFRG really strive for cons… Christoph Anton Mitterer
- Re: [Cfrg] should the CFRG really strive for cons… Salz, Rich
- Re: [Cfrg] should the CFRG really strive for cons… Christoph Anton Mitterer
- Re: [Cfrg] should the CFRG really strive for cons… Yoav Nir
- Re: [Cfrg] should the CFRG really strive for cons… Watson Ladd
- Re: [Cfrg] should the CFRG really strive for cons… Nico Williams
- Re: [Cfrg] should the CFRG really strive for cons… Alexey Melnikov
- [Cfrg] Reconsider TLS/CFRG relationship (Re: shou… Nico Williams
- Re: [Cfrg] Reconsider TLS/CFRG relationship (Re: … Nex6|Bill