[Cfrg] On process (was Re: Elliptic Curves - poll on specific curve around 256bit work factor (ends on February 23rd))

Watson Ladd <watsonbladd@gmail.com> Mon, 23 February 2015 06:46 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 138B61A019B for <cfrg@ietfa.amsl.com>; Sun, 22 Feb 2015 22:46:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 1M-RFd0mbKNR for <cfrg@ietfa.amsl.com>; Sun, 22 Feb 2015 22:46:22 -0800 (PST)
Received: from mail-yk0-x231.google.com (mail-yk0-x231.google.com [IPv6:2607:f8b0:4002:c07::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9971D1A00FD for <cfrg@irtf.org>; Sun, 22 Feb 2015 22:46:22 -0800 (PST)
Received: by mail-yk0-f177.google.com with SMTP id 20so12318517yks.8 for <cfrg@irtf.org>; Sun, 22 Feb 2015 22:46:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=bXT+Xp0uo9ZiRvScS2i20f/l150UawFadPJZC/n2/9k=; b=tQP7cSgA/Pgdv6uKHkRmAdrsz1kfcDO1xmVXbxXz2dUk/H2Y2Ea1NwPG6GAZBQ+8/x P5sZXX3pkF2cK0GbTkvrhmYeUmYgmGS/LL0ndyskfMlvUjZtH/4ei13+UhP82ATjmbTn Y/hXHcp11tNC1cfj9nmZl33JD2H0p88vumH4Oj13+gIF0TZXA1GT+9ltHcg9MqTwmk4j +x35HAGUzfF2y99sVvHWhj0EqHIorxivVdJBcAytpRMavJDkWBRUp8kO29h1I9BURvaj WuGIOz4XlxRtlZ4UIHB7xkmecJ0CNoSkNcKKgub5+ZO+YxRLEcRx30FgznxT0uvnMAhp LyOQ==
MIME-Version: 1.0
X-Received: by with SMTP id t76mr9447576ykb.28.1424673981781; Sun, 22 Feb 2015 22:46:21 -0800 (PST)
Received: by with HTTP; Sun, 22 Feb 2015 22:46:21 -0800 (PST)
Date: Sun, 22 Feb 2015 22:46:21 -0800
Message-ID: <CACsn0cmZqoPd6CPV7RZE-ozBn1oDgK51212Sv5YXczqNHsA3eg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/9g39dWG-9_Gi2gkiLI_ELwt1YaU>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: [Cfrg] On process (was Re: Elliptic Curves - poll on specific curve around 256bit work factor (ends on February 23rd))
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Feb 2015 06:46:25 -0000

On Sat, Feb 21, 2015 at 5:40 AM, Paterson, Kenny
<Kenny.Paterson@rhul.ac.uk> wrote:
> Hi Alyssa,
> On 20/02/2015 20:15, "Alyssa Rowan" <akr@akr.io> wrote:
>>Hash: SHA512
>>> [TA] Have you considered doing a poll of what specific curves
>>> people actually want to use?
>>> [PHB] [Š] your poll [Š] rather undercuts the whole process.
>>Strongly agreed.
>>> [KP] Yes, we considered a number of different ways of narrowing
>>> down our choices. However, we settled on doing it this way. Please
>>> stick with us.
>>With the greatest respect, if upstream and external parties were
>>willing to tolerate undocumented decisions by editor/chair fiat,
>>they'd stick with the NIST curves, wouldn't they?
> I think you have to give the chairs some room to make decisions in order
> to help move things forward. We've been rightly criticised for not doing
> that in recent months, and now we are trying to do better. So cut us some
> slack, please.
> Yes, we could have first run a "meta poll" to ask the group what kinds of
> questions they wanted to be asked, or what the topics of the questions
> should be, but I think that would only have led to dismayed comments from
> other participants saying we were not providing enough direction or
> leadership (but Alexey and I are by now well aware that chairs cannot
> please all of the people any of the time, and some of the time we do not
> please anyone; for us, it goes with the territory).

Chairs could avoid making promises about the process they don't end up
keeping. I would say that's the single biggest reason chairs got

>>We were asked because publicly-documented technical consensus, not
>>guided by any one party, is very highly desirable.
> But then what to do if there is no consensus? This appeared to be the case
> on the specific question of whether we should stick to "traditional powers
> of 2" security levels or not.

But we're already using voting to decide other issues on which there
was no consensus: why is the Goldilocks issue so special?

You could have had long discussions about which point formats to use,
and decided to use one. You could have done the same for signatures.
But the only aspect that's being formally decided upon by the chairs
is security levels: why? And not even security levels, just a decision
to exclude three candidate curves.

I could understand making the entire decision. I could understand
voting in various forms. But I don't understand why this particular
decision is being made by chairs, and not others.

Watson Ladd

> I explained this in an earlier response to one of your messages here:
> http://www.ietf.org/mail-archive/web/cfrg/current/msg06183.html.
> So now it seems to me that we are just rehashing. Let's try to avoid that,
> please.
> Now, all of this said: we can come back to other security levels later on,
> if we have sufficient time and energy. But right now, we're focussing on a
> question about the 256-bit security level.
> Thanks,
> Kenny
>>We need that if our efforts are to be meaningful.
>>> [PHB] The way I would do this is as a Quaker poll asking people
>>> what their preferred outcome is and what they can live with on 448,
>>> 480, 512 and 521.
>>I agree - that process will probably work much better than these
>>forced-choice yes/no polls!
>>So: my preference votes on prime consensus for the record:
>>Just 2^255-19: Acceptable [no concerns; but CAs want extra-strength]
>>     2^379-19: No         [one 1 mod 4 is probably enough]
>>    2^384-317: No         [slow and awkward]
>>     2^389-21: Acceptable [seems fast, but not very well-explored]
>>     2^414-17: Acceptable [fast, but a slightly awkward size]
>>2^448-2^224-1: Preferred  [fast, strong, good size, plenty of margin]
>>2^480-2^240-1: Acceptable [fast, but only with 64-bit]
>>    2^512-569: No         [way too slow; awkward; would not implement]
>>      2^521-1: Acceptable [could live with it; slower than I'd like]
>>- --
>>Cfrg mailing list
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin