[Cfrg] On process (was Re: Elliptic Curves - poll on specific curve around 256bit work factor (ends on February 23rd))

On Sat, Feb 21, 2015 at 5:40 AM, Paterson, Kenny
<Kenny.Paterson@rhul.ac.uk> wrote:
> Hi Alyssa,
>
> On 20/02/2015 20:15, "Alyssa Rowan" <akr@akr.io> wrote:
>
>>-----BEGIN PGP SIGNED MESSAGE-----
>>Hash: SHA512
>>
>>> [TA] Have you considered doing a poll of what specific curves
>>> people actually want to use?
>>
>>> [PHB] [Š] your poll [Š] rather undercuts the whole process.
>>
>>Strongly agreed.
>>
>>> [KP] Yes, we considered a number of different ways of narrowing
>>> down our choices. However, we settled on doing it this way. Please
>>> stick with us.
>>
>>With the greatest respect, if upstream and external parties were
>>willing to tolerate undocumented decisions by editor/chair fiat,
>>they'd stick with the NIST curves, wouldn't they?
>
> I think you have to give the chairs some room to make decisions in order
> to help move things forward. We've been rightly criticised for not doing
> that in recent months, and now we are trying to do better. So cut us some
> slack, please.
>
> Yes, we could have first run a "meta poll" to ask the group what kinds of
> questions they wanted to be asked, or what the topics of the questions
> should be, but I think that would only have led to dismayed comments from
> other participants saying we were not providing enough direction or
> leadership (but Alexey and I are by now well aware that chairs cannot
> please all of the people any of the time, and some of the time we do not
> please anyone; for us, it goes with the territory).

Chairs could avoid making promises about the process they don't end up
keeping. I would say that's the single biggest reason chairs got
criticised.

>
>>We were asked because publicly-documented technical consensus, not
>>guided by any one party, is very highly desirable.
>
> But then what to do if there is no consensus? This appeared to be the case
> on the specific question of whether we should stick to "traditional powers
> of 2" security levels or not.

But we're already using voting to decide other issues on which there
was no consensus: why is the Goldilocks issue so special?

You could have had long discussions about which point formats to use,
and decided to use one. You could have done the same for signatures.
But the only aspect that's being formally decided upon by the chairs
is security levels: why? And not even security levels, just a decision
to exclude three candidate curves.

I could understand making the entire decision. I could understand
voting in various forms. But I don't understand why this particular
decision is being made by chairs, and not others.

Sincerely,
Watson Ladd

>
> I explained this in an earlier response to one of your messages here:
>
> http://www.ietf.org/mail-archive/web/cfrg/current/msg06183.html.
>
> So now it seems to me that we are just rehashing. Let's try to avoid that,
> please.
>
> Now, all of this said: we can come back to other security levels later on,
> if we have sufficient time and energy. But right now, we're focussing on a
> question about the 256-bit security level.
>
> Thanks,
>
> Kenny
>
>>
>>We need that if our efforts are to be meaningful.
>>
>>> [PHB] The way I would do this is as a Quaker poll asking people
>>> what their preferred outcome is and what they can live with on 448,
>>> 480, 512 and 521.
>>
>>I agree - that process will probably work much better than these
>>forced-choice yes/no polls!
>>
>>So: my preference votes on prime consensus for the record:
>>
>>Just 2^255-19: Acceptable [no concerns; but CAs want extra-strength]
>>     2^379-19: No         [one 1 mod 4 is probably enough]
>>    2^384-317: No         [slow and awkward]
>>     2^389-21: Acceptable [seems fast, but not very well-explored]
>>     2^414-17: Acceptable [fast, but a slightly awkward size]
>>2^448-2^224-1: Preferred  [fast, strong, good size, plenty of margin]
>>2^480-2^240-1: Acceptable [fast, but only with 64-bit]
>>    2^512-569: No         [way too slow; awkward; would not implement]
>>      2^521-1: Acceptable [could live with it; slower than I'd like]
>>
>>- --
>>/akr
>>-----BEGIN PGP SIGNATURE-----
>>
>>iQIcBAEBCgAGBQJU55XaAAoJEOyEjtkWi2t6jH4P/1F6iBWEt8i7Y1aLXKQo8Efm
>>FncsTL1Byh51vi0WHHjnrJ+9d8z/oNecFeklfjPVvu5+rdezpCR+m2MN/SwW8d25
>>WmYjse75bBN9ilz7YohD7T632fUi4wcG1ffRnyNGw40ngiZIJopPAJMA0SZ4N5Wl
>>OPaIUNssN/y+XoEcezFzAioIoUkO+C24r3589dc5Bozd7hZQfz4INmyajFHGhgBy
>>ctpzMAoOqD+lgY6dbpeWrprV8Nnr3ZMm5Hnq9lb5rFgSSDUU8KsU5yIMX9yTwK/p
>>JFPewlUyJK4nb6zdj3Wc42pPgJuezXfdfrif6I6YRwFxet0lRMN1QVFKANubdOtC
>>hIKjQjBdMWYKcQkpFQJhoAiHSbMKSFafO+3KeMimyn3aKYotIUyuRZ9bf89cMuzl
>>HjABTiPmZNU4hyXxOn/9eNd5vd5T+UIKRY+RfVxSPwo6S/dDphwJ7W/3dhiwCMWI
>>AC6Ix5PFCia/y/TFP9R+edsHpmjzUwL+5MgJ+/oSUCgwFDuW8mpuncAtfPLujVQA
>>dsDkzhcJZvlna1AiIh8bNiAj9TFnyiiWr3K33tNPmTaocuN6y7yC3BW2hMiGbzT+
>>7u5TU8krsfiq1tG/yPzriZBXdlYmnMhTl9LmGvBw9gEMqxtmChJTXDdz0XnI7uy0
>>4YgaokzGUjTwkn5PxI9X
>>=FXwL
>>-----END PGP SIGNATURE-----
>>
>>_______________________________________________
>>Cfrg mailing list
>>Cfrg@irtf.org
>>http://www.irtf.org/mailman/listinfo/cfrg
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin