Re: [Cfrg] Criteria for the selection of new ECC mechanisms

Michael Hamburg <mike@shiftleft.org> Tue, 29 April 2014 18:45 UTC

From: Michael Hamburg <mike@shiftleft.org>
In-Reply-To: <535FF0F3.2040503@cisco.com>
Date: Tue, 29 Apr 2014 11:44:54 -0700
Message-Id: <84375EDC-FC8B-447D-8AD8-A15F76055C76@shiftleft.org>
References: <535FB927.8080909@cisco.com> <535FDD0A.7070206@gmail.com> <67C14570-0DFD-4031-97D0-00C946736EE3@shiftleft.org> <535FF0F3.2040503@cisco.com>
To: David McGrew <mcgrew@cisco.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/9pC4yp0jypMa4c84Sa6KS8dfrK4
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Criteria for the selection of new ECC mechanisms

On Apr 29, 2014, at 11:35 AM, David McGrew <mcgrew@cisco.com> wrote:

> Hi Michael,
> 
> On 04/29/2014 01:38 PM, Michael Hamburg wrote:
>>  I will probably not be in the meeting this afternoon, because my employer is hesitant to agree to IP disclosure rules :-(
> 
> Sorry to hear that.  The rules should not stop you from listening though :-)

Ah, then perhaps I will listen.

>> and this feature is not even required for PAKE.  SPEKE, SPAKE2EE and Dragonfly don’t even use indistinguishability, just an inverse-samplable map to a large subset of the curve (e.g., SWU/BCIMRT or Elligator).  SPAKE2 and JPAKE don’t even use that.  It’s only EKE and anti-censorship applications that use this, and you can use Tibouchi’s “Elligator Squared” (which is actually the same as BCIMRT) on any curve with a small overhead in ciphertext size.
> 
> OK, so "required for some PAKE protocols"?   Any suggestions on requirements language around anti-censorship applications?

"Required for some PAKE protocols" is probably good enough.  But at least any elliptic curve can do this with acceptable efficiency loss.  I don’t know about hyperelliptic curves, though.

Cheers,
— Mike
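Added example, not code from this thread or from any of the authors it cites: Elligator 2 on Curve25519 in Python, to make concrete what the message means by an "inverse-samplable map to a large subset of the curve". It gives the deterministic map psi from field elements to curve points, an inverse that recovers the representative for any point in psi's image, and a sampling estimate showing that the image is only about half the curve, which is why a plain map yields a large subset of points rather than indistinguishability from random strings. The constants are the standard Curve25519 ones (p = 2^255 - 19, A = 486662, non-square u = 2, as used in the Elligator paper); the function names and the sampling helper are my own.

```python
# Added example: Elligator 2 (Bernstein, Hamburg, Krasnova, Lange) on Curve25519.
# Not code from the CFRG thread; constants are the public Curve25519 parameters.
import random

P = 2**255 - 19          # field prime
A = 486662               # Montgomery coefficient: y^2 = x^3 + A x^2 + x
U = 2                    # fixed non-square in GF(P) (P = 5 mod 8, so 2 is a non-square)
SQRT_M1 = pow(2, (P - 1) // 4, P)   # a square root of -1, since 2^((P-1)/2) = -1


def chi(a):
    """Quadratic character: 1 for a square, -1 for a non-square, 0 for zero."""
    a %= P
    if a == 0:
        return 0
    return 1 if pow(a, (P - 1) // 2, P) == 1 else -1


def sqrt_mod_p(a):
    """Canonical square root in [0, (P-1)/2], or None if a is not a square."""
    a %= P
    root = pow(a, (P + 3) // 8, P)        # works because P = 5 mod 8
    if (root * root) % P != a:
        root = (root * SQRT_M1) % P       # root^2 was -a, so fix the sign
    if (root * root) % P != a:
        return None
    return root if root <= (P - 1) // 2 else P - root


def inv(a):
    return pow(a, P - 2, P)


def is_on_curve(x, y):
    return (y * y - (x * x * x + A * x * x + x)) % P == 0


def elligator2_map(r):
    """Forward map psi(r) -> (x, y) on Curve25519; note psi(r) == psi(-r)."""
    r %= P
    v = (-A * inv(1 + U * r * r)) % P      # 1 + U r^2 != 0 because U is a non-square
    e = chi(v**3 + A * v * v + v)          # never 0: A^2 - 4 is a non-square for Curve25519
    x = (e * v - (1 - e) * A * inv(2)) % P  # e = 1: x = v;  e = -1: x = -v - A
    y = (-e * sqrt_mod_p(x**3 + A * x * x + x)) % P
    return x, y


def elligator2_inverse(x, y):
    """Canonical r with elligator2_map(r) == (x, y), or None if the point is outside the image.

    Both candidate values of r^2 are tried and each is confirmed by recomputing the
    forward map, so the edge cases r = 0, x = 0 and x = -A need no special-casing.
    """
    x %= P
    y %= P
    candidates = [0]
    if x != 0 and (x + A) % P != 0:
        for t in ((-x * inv(U * (x + A))) % P, (-(x + A) * inv(U * x)) % P):
            r = sqrt_mod_p(t)
            if r is not None:
                candidates.append(r)
    for r in candidates:
        if elligator2_map(r) == (x, y):
            return r
    return None


def image_fraction(samples, seed=1):
    """Estimate the fraction of curve points (sampled by random x) that have a representative."""
    rng = random.Random(seed)
    hits = total = 0
    while total < samples:
        x = rng.randrange(P)
        y = sqrt_mod_p(x**3 + A * x * x + x)
        if y is None:
            continue                       # x is not the abscissa of a curve point
        if rng.random() < 0.5:
            y = (P - y) % P                # exercise both signs of y
        total += 1
        hits += elligator2_inverse(x, y) is not None
    return hits / total


if __name__ == "__main__":
    x, y = elligator2_map(12345)
    print("on curve:", is_on_curve(x, y), "round trip:", elligator2_inverse(x, y))
    print("approx. fraction of curve points in the image:", image_fraction(200))
```

The inverse is what a PAKE in the SPEKE or Dragonfly family needs from the map: a party that hashes a password to a field element gets a point via `elligator2_map`, and the opposite direction, encoding a point as a representative, must retry with a fresh point whenever `elligator2_inverse` returns `None`. Because roughly half of all points have no representative, an application that must encode every point as a random-looking string (the EKE and anti-censorship uses the message mentions) cannot use this map directly and needs a construction such as the Elligator Squared encoding referred to in the message.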