Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Consensus and a way forward]
"Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk> Thu, 18 December 2014 20:51 UTC
Return-Path: <Kenny.Paterson@rhul.ac.uk>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2E7A1A8032 for <cfrg@ietfa.amsl.com>; Thu, 18 Dec 2014 12:51:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.799
X-Spam-Level:
X-Spam-Status: No, score=0.799 tagged_above=-999 required=5 tests=[BAYES_50=0.8, LOTS_OF_MONEY=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7jqPYs-RNk6Y for <cfrg@ietfa.amsl.com>; Thu, 18 Dec 2014 12:51:55 -0800 (PST)
Received: from emea01-am1-obe.outbound.protection.outlook.com (mail-am1on0607.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe00::607]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51CCA1A1B94 for <cfrg@irtf.org>; Thu, 18 Dec 2014 12:51:54 -0800 (PST)
Received: from AMSPR03MB375.eurprd03.prod.outlook.com (10.242.227.145) by AMSPR03MB471.eurprd03.prod.outlook.com (10.242.23.149) with Microsoft SMTP Server (TLS) id 15.1.31.17; Thu, 18 Dec 2014 20:51:31 +0000
Received: from DBXPR03MB383.eurprd03.prod.outlook.com (10.141.10.15) by AMSPR03MB375.eurprd03.prod.outlook.com (10.242.227.145) with Microsoft SMTP Server (TLS) id 15.1.31.17; Thu, 18 Dec 2014 20:51:29 +0000
Received: from DBXPR03MB383.eurprd03.prod.outlook.com ([10.141.10.15]) by DBXPR03MB383.eurprd03.prod.outlook.com ([10.141.10.15]) with mapi id 15.01.0049.002; Thu, 18 Dec 2014 20:51:29 +0000
From: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
To: Robert Ransom <rransom.8774@gmail.com>
Thread-Topic: [Cfrg] draft-black-rpgecc-00-.txt [was: Consensus and a way forward]
Thread-Index: AQHQCg+AA9nvrrBncE2keVevceo8V5x0EbQAgAYJNgCAALPwgIAAqAqAgAAkFICAACxOgIAASVqAgAo/CICABgrbAIAAdduAgALh4gCABkJWgA==
Date: Thu, 18 Dec 2014 20:51:28 +0000
Message-ID: <D0B8EDCF.3A504%kenny.paterson@rhul.ac.uk>
References: <CA+Vbu7ye3bytMZ-j8pfZixrjF8irTOoWmRo_GwjB0LphwjXq+Q@mail.gmail.com> <20141202092847.29027.qmail@cr.yp.to> <CA+Vbu7yQoYf3ei3MADhJ1iV6BcuqVUmkg8SkQ4ud=8m7pz7AvQ@mail.gmail.com> <D0B0DC9F.39BD0%kenny.paterson@rhul.ac.uk> <CACsn0c=uyPT6xa4CsXPeAV31QeeO+HfsCXAxt7Ba6NOt_Y2hiA@mail.gmail.com> <CABqy+sr1T-VwQx1NaRA+xvnqVn7smjs2+YrG2Uz1Q+8M6c3hng@mail.gmail.com>
In-Reply-To: <CABqy+sr1T-VwQx1NaRA+xvnqVn7smjs2+YrG2Uz1Q+8M6c3hng@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.7.141117
x-originating-ip: [78.146.70.131]
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Kenny.Paterson@rhul.ac.uk;
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:AMSPR03MB375;UriScan:;
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:;SRVR:AMSPR03MB375;
x-forefront-prvs: 042957ACD7
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(51704005)(24454002)(479174004)(189002)(377424004)(51444003)(199003)(93886004)(64706001)(21056001)(122556002)(76176999)(97736003)(4396001)(561944003)(20776003)(83506001)(15975445007)(19580395003)(46102003)(19580405001)(105586002)(230783001)(2656002)(86362001)(66066001)(50986999)(120916001)(36756003)(77156002)(40100003)(107046002)(68736005)(54356999)(102836002)(99396003)(101416001)(110136001)(62966003)(77096005)(106116001)(31966008)(106356001)(92566001)(74482002)(2950100001)(2900100001)(87936001); DIR:OUT; SFP:1101; SCL:1; SRVR:AMSPR03MB375; H:DBXPR03MB383.eurprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: rhul.ac.uk does not designate permitted sender hosts)
Content-Type: text/plain; charset="utf-8"
Content-ID: <8029F47B6EBA4A499E888E5B31AC46AA@eurprd03.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:AMSPR03MB471;
X-OriginatorOrg: rhul.ac.uk
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/GGDePIIguyWM1yZHTTtqRIiwP9M
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Consensus and a way forward]
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Dec 2014 20:52:00 -0000
Dear Robert, I am going to respond to some of the early points in your message below on behalf of the chairs. Separately, Alexei will respond to some of the other points. Between us, we may not cover everything in your long e-mail. I apologise in advance if this is the case. On 14/12/2014 21:16, "Robert Ransom" <rransom.8774@gmail.com> wrote: >I second Watson Ladd's concern about the chairs' apparent preference >for adopting a document based on draft-black-rpgecc-00 instead of >draft-turner-thecurve25519function-01. Note that the documents are not directly comparable, as you seem to imply here. draft-turner-thecurve25519function-01 specifies a particular key-agreement scheme based on Curve25519. draft-black-rpgecc-00 specifies a curve generation method that can, inter alia, generate curves at a variety of security levels. Its output is not directly usable by implementors, of course, and more work would be needed by this group to take its output and make it suitable for delivery to the TLS WG, assuming that this is the direction CFRG wants to go in (an assumption I am not making at this stage, but something that I will happily admit that I do hope will happen given the way in which this group has been deadlocked for some time now). >By the authors' own public >statements, draft-black-rpgecc-00 was knowingly and intentionally In my opinion, this is unhelpful language. I believe that your arguments would have greater impact if you were to try to approach matters in a less inflammatory way. >technically inferior to draft-turner-thecurve25519function-01 in each >of the following ways: > >* draft-black-rpgecc-00 specifies a curve modulo the prime 2^255-19 > which is neither isomorphic nor isogenous to the widely deployed > Curve25519, and which thus is not compatible with the many existing > independent, interoperable implementations of ECDH on Curve25519. > This incompatibility is likely to prevent the reuse of much of the > implementation experience which Curve25519 has acquired. > > (<http://www.ietf.org/mail-archive/web/cfrg/current/msg05606.html> > and > <http://www.ietf.org/mail-archive/web/cfrg/current/msg05631.html>; > see also > <http://www.ietf.org/mail-archive/web/cfrg/current/msg05629.html> > and > <http://www.ietf.org/mail-archive/web/cfrg/current/msg05646.html> ><http://www.ietf.org/mail-archive/web/cfrg/current/msg05646.html%3E>) Whether this makes it technically inferior or not depends on your definition of "technical". Personally, I don't consider the existence of existing implementations for Curve25519 to be a *technical* issue. It's certainly a consideration for this RG in adopting the MGN proposal. Also, see my point immediately below. > >* draft-black-rpgecc-00 specifies a curve modulo the prime 2^255-19 > which introduces a security vulnerability into implementations of > ECDH (and some implementations of other protocols) which rely on the > simplest implementation strategy, i.e. the Montgomery ladder, which > does not exist for the existing, widely implemented and deployed > Curve25519. > > (<http://www.ietf.org/mail-archive/web/cfrg/current/msg05606.html>; > see also > <http://www.ietf.org/mail-archive/web/cfrg/current/msg05629.html> ><http://www.ietf.org/mail-archive/web/cfrg/current/msg05629.html%3E>) The chairs have asked MGN to address this weakness, and they have agreed to do so. This point will therefore soon be moot. > >* draft-black-rpgecc-00 does not state, in the text of the draft > itself, any algorithms to perform point addition or scalar > multiplication on the curves that it specifies. > > (<http://www.ietf.org/mail-archive/web/cfrg/current/msg05631.html> > states that this omission is a flaw in draft-black-rpgecc-00; > <http://www.ietf.org/mail-archive/web/cfrg/current/msg05637.html> > states that the omission of such algorithms is intentional) This is correct, but I don't believe it is relevant for a document that is focussed on curve generation. As noted above, if CFRG adopts this draft, then more work could be put into making it easily usable for implementors. That is an area where your evidently extensive experience of ECC implementation could be put to very great use. >* Section 10 (ŒIntellectual Property Rights¹) of draft-black-rpgecc-00 > makes a general statement about the IPR status of the curves > specified in the document. Although that is not a statement about > Œspecific IPR¹, which section 11 of RFC 3979 (BCP 79) explicitly > forbids, I believe that the IPR statement in draft-black-rpgecc-00 > raises some of the same concerns which section 11 of RFC 3979 states > as the rationale for forbidding IETF Documents and RFC Editor > Documents from including statements about Œspecific IPR¹. Thus, I > believe that section 10 of draft-black-rpgecc-00 is in violation of > BCP 79. The authors of draft-black-rpgecc-00 stated in the draft > that it was Œsubmitted in full conformance with the provisions of > BCP 78 and BCP 79¹. > > >In addition to the above flaws which were known to and intended by the >authors of draft-black-rpgecc-00 at the time that they submitted it, Again, your use of the word "intended" is unhelpful here. I can't speak for the authors of the draft, but I'd point out that the flaw is Relatively minor, leaks at most one bit of a private value, and only then in certain protocols. Yes, it would be preferable to avoid the defect if we can, but your message, more specifically, its somewhat hyperbolic language, might well lead experts to think that "the sky is falling". I'd urge you to exercise more restraint. >draft-black-rpgecc-00 omits several technical details of ECDH (the >precise point format and handling of Œinvalid¹ public-key bitstring >inputs) which the extensive implementation experience of Curve25519 >has shown are needed to ensure interoperability and forward >compatibility and to protect the privacy of users of ECDH >implementations on the Internet. >draft-turner-thecurve25519function-01 includes those technical >details. > Let me repeat. This is correct, but I don't believe it to be relevant for a document that is focussed on curve generation. > >Adopting draft-black-rpgecc-00 (or a revised version) as a CFRG >document, instead of (a version of) the previously existing >draft-turner-thecurve25519function-01, would raise two serious >concerns: > >* As Watson Ladd has noted, draft-black-rpgecc-00 would require more > effort, and thus more time, for CFRG to modify it into a useful > product than draft-turner-thecurve25519function-01 would. But draft-turner-thecurve25519function-01 only specifies a single ECDH algorithm for a single curve. And this is not what the RG has been asked to produce for recommendation to the TLS WG. Rather, we were asked for curves at different security levels (and implicitly, recommendations about how to use those curves to do key exchange and signatures). So substantial work would also be needed to turn draft-turner-thecurve25519function-01 into what the RG needs to produce. In short, you are comparing apples and aardvarks here. > >* Adoption of draft-black-rpgecc-00 would reward its authors, both by > crediting them as authors of CFRG's resulting document and by giving > them greater control over CFRG's product. It is inappropriate for > IETF to reward the authors of draft-black-rpgecc-00 for submitting a > document to CFRG that they knew to be inferior to a previous > submission. This is not about rewards. It's about meeting the request of the TLS WG. And I contend that it's not inferior to draft-turner-thecurve25519function-01, but a different beast entirely. > >The CFRG chairs have expressed a preference for adopting a version of >draft-black-rpgecc, instead of a version of >draft-turner-thecurve25519function. Given the above concerns, why do >the chairs believe that adoption of draft-black-rpgecc as a CFRG >document is in the best interests of CFRG and of the Internet as a >whole? See above. In summary: we believe that, with some modifications to enhance security (to which MGN have agreed), and additional work to provide guidance as to how to use these curves in specific algorithms (ECDH and signatures), we can produce a document (or documents) that meet(s) the request from the TLS WG. > >>I'm also surprised that we aren't using 2^389-21 for the same reasons >>cited for using 2^255-19. We do not need complete agreement to go >>forward. If we want a consensus result we'll still have gratuitous >>incompatibilities and an unforced loss of additional performance, in >>order to get one particular group on board. A process justified as >>being driven by technical criteria has devolved into an openly >>political horse trade, where we're supposed to be happy that the >>2^255-19 prime is used, and ignore the issues with 2^384-317. > >I second this concern as well. I have seen very little support in the >CFRG for the 384-bit curve specified in draft-black-rpgecc-00, and I >do not believe that the short discussion of 2^389-21 as a modulus for >elliptic-curve cryptography constitutes a consensus of CFRG or shows >that 2^389-21 is technically superior to or has implementation >experience comparable to 2^414-17 or 2^448-2^224-1 as moduli for ECC. > Here I agree with you that the specific prime 2^389-21 has not had much discussion and therefore not gained consensus in CFRG. But I'm not aware of any specific security or implementation concerns about it that would not also apply to other "sparse" primes. Can you point to some? For example, is there any reason to believe it will be any more difficult to make secure against side-channel attacks than other choices at roughly the same security level? Is it the case that the "implementation experience" that you cite for primes 2^414-17 or 2^448-2^224-1, or any other pseudo-Mersenne primes, would NOT transfer to this choice of prime? It would be really helpful to the group if you could be more specific in expressing your concerns here. > >I have a further concern regarding the intentional omission of point >addition and scalar multiplication algorithms from the text of >draft-black-rpgecc-00. I expect this *was* intentional on the part of the authors, given my assumption that it was their intention to provide a clean document that focusses on curve generation rather than low level details of their usage in cryptographic primitives. But reading on further in your message, I think you mean to imply something more sinister here. > >Instead of providing such algorithms in the text of the draft, >draft-black-rpgecc-00 lists <https://eprint.iacr.org/2014/130.pdf>, >which contains several scalar multiplication algorithms for those >curves, as an informative reference (listed as [MSR] in the draft). >(I reviewed each of the draft's references (non-RFC references were >accessed on 2014-12-10); no other document listed as a reference >contains a point addition algorithm for Edwards curves, and no other >document that I was able to retrieve contains a scalar multiplication >algorithm for any type of elliptic curve.) Perhaps the draft's authors would consider adding further references to the extensive literature on ECC implementation, particular papers by Dan Bernstein, Tanja Lange, and their co-authors (who have done so much to spur the development of elliptic curve cryptography in its modern form). However, I don't believe that's really the point here - this draft is about specifying curves, not operations for those curves. > >Mike Hamburg has informed the CFRG that he believes the fixed-base >scalar multiplication algorithm stated in [MSR] and used in Microsoft >Corporation's software implemented based on [MSR] is Covered by patent >US7602907. That patent is assigned to Microsoft Corporation, and thus >meets the conditions of section 6.6 of RFC 3979 (part of BCP 79) for >each employee of Microsoft Corporation or its subsidiary Microsoft >Research. > >I believe that patent US7602907, which Covers an algorithm to be used >in elliptic-curve cryptography, was Œreasonably and personally known¹, >as defined in BCP 79, to each Microsoft Corporation employee who >participated in this IETF Internet Standards Process regarding >elliptic-curve cryptography throughout their participation. > >Further, each of the authors of draft-black-rpgecc-00 has actually >known of patent US7602907, and of Mike Hamburg's belief that it Covers >an algorithm stated in [MSR] and used in Microsoft's software, since >no later than Mike Hamburg's public statement to CFRG on 2014-09-16. > >(<http://www.ietf.org/mail-archive/web/cfrg/current/msg05130.html> and ><http://www.ietf.org/mail-archive/web/cfrg/current/msg05132.html> ><http://www.ietf.org/mail-archive/web/cfrg/current/msg05132.html%3E>) > >It is troubling to me that the authors of draft-black-rpgecc-00 would >direct readers of their draft to [MSR] as the only source of point >addition or scalar multiplication algorithms for the curves specified >in the draft, given that they indisputably knew at the time that they >submitted the draft that [MSR] contains an algorithm which some of the >authors would clearly be required, by the text of section 6.1.1 of RFC >3979 (BCP 79), to provide an IPR disclosure for if they had included >it in the text of their draft. > > >Given the patent situation regarding [MSR], it is also troubling to me >that two of the intentional technical flaws of draft-black-rpgecc-00 Once again, I would request that you desist from the use of such strong language. Not only because it is unhelpful, but also because (I believe) it undermines the arguments you are trying to make. >-- incompatibility with existing Curve25519 software, and an >unnecessary security vulnerability in implementations based on the >simple Montgomery-ladder algorithm -- would have made readers of the >draft more likely to write new implementations of the curve specified >therein, and thus more likely to rely on the implementation guidance >provided in [MSR]. > > >I learned of this patent Covering an algorithm specified in [MSR] >during an off-list conversation that I initiated with Marsh Ray of >Microsoft Corporation on 2014-09-04. I placed Mike Hamburg, Alyssa >Rowan, and another person on the CC list of my message, with the >intent that they serve as witnesses to that off-list conversation. >Marsh Ray included Brian LaMacchia and Benjamin Black into that >conversation when he replied; Mike Hamburg and Alyssa Rowan also >participated in the conversation. > >I learned of patent US7602907 and its connection to [MSR] from Mike >Hamburg on 2014-09-08, in the course of that off-list conversation. >Marsh Ray, Brian LaMacchia, and Benjamin Black also received that >message on 2014-09-08, eight days before Mike Hamburg provided that >information to CFRG. I was not aware of any effort by those >participants to provide that information to CFRG. > >I believe that neither I nor CFRG would have learned of patent >US7602907 and its connection to [MSR] if I had not initiated that >off-list conversation, or if I had not included Mike Hamburg in that >conversation, or if Mike Hamburg had not previously performed a search >for patents relevant to ECC in order to write software that would not >be Covered by them. > If this is the case, then you will have made a useful contribution to the work of the group for which I would like to publicly thank you. However, I'd also point out - and I think this is key - that (based on my own reading of this patent, and heavily caveated by the usual disclaimers about none of us being lawyers) it's perfectly possible to implement the basic arithmetic procedures (point addition, scalar multiplication) and higher level algorithms (ECDH, signatures) for the curves produced by the MGN procedure (as for any other similar curves) without having to use any of the techniques that might be covered by this patent. After all, the curves it produces are Edwards form, or twisted Edwards form, so I would assume that the extensive code that is available under generous open source licences would be directly usable here. > >I have two questions on this matter for the CFRG chairs: > >* Do the chairs believe that it is ethically acceptable for the > authors of an Internet draft to > > (a) list as a reference a document which they authored themselves, > knowing that if they had included the contents of the > reference into the Internet draft itself, they would have been > indisputably required by section 6 of RFC 3979 (BCP 79) to > submit an IPR disclosure regarding that material; and I think that would be ethically unacceptable. But I don't believe it's what has happened here. > > (b) make other technical decisions in the contents of the Internet > draft which are likely to cause the draft's readers to rely on > the contents of the reference Covered by IPR? I think that would be ethically unacceptable. But I don't believe it's what has happened here. > >* Do the chairs believe that such conduct should be rewarded by > adoption of the resulting Internet draft as a group document? > It's not about rewarding any one or any organisation with anything. > > >Robert Ransom Regards, Kenny (on behalf of the chairs)
- [Cfrg] Consensus and a way forward Benjamin Black
- Re: [Cfrg] Consensus and a way forward Watson Ladd
- Re: [Cfrg] Consensus and a way forward Joppe Bos
- Re: [Cfrg] Consensus and a way forward Hannes Tschofenig
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Alyssa Rowan
- Re: [Cfrg] Consensus and a way forward Ilari Liusvaara
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Adam Langley
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Alyssa Rowan
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Mike Hamburg
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Alyssa Rowan
- Re: [Cfrg] Consensus and a way forward Paterson, Kenny
- Re: [Cfrg] Consensus and a way forward Paterson, Kenny
- Re: [Cfrg] Consensus and a way forward Paterson, Kenny
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Benjamin Black
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Alexey Melnikov
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Michael Hamburg
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Benjamin Black
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Alyssa Rowan
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Robert Ransom
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Adam Langley
- Re: [Cfrg] Consensus and a way forward Lochter, Manfred
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Ilari Liusvaara
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Robert Ransom
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Benjamin Black
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Watson Ladd
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Tony Arcieri
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Benjamin Black
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Alyssa Rowan
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… D. J. Bernstein
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Robert Ransom
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Benjamin Black
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Watson Ladd
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Paterson, Kenny
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Alyssa Rowan
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Watson Ladd
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Benjamin Black
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Robert Ransom
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Paul Hoffman
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Alexey Melnikov
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Paterson, Kenny
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Alexey Melnikov
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Watson Ladd
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Paterson, Kenny
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Harry Halpin
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Paul Hoffman
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Watson Ladd
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Tanja Lange
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Salz, Rich
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Tony Arcieri
- Re: [Cfrg] Mishandling twist attacks D. J. Bernstein
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Paterson, Kenny
- Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Conse… Tanja Lange
- Re: [Cfrg] Mishandling twist attacks Paterson, Kenny
- Re: [Cfrg] Mishandling twist attacks D. J. Bernstein
- Re: [Cfrg] Mishandling twist attacks Salz, Rich
- Re: [Cfrg] Mishandling twist attacks Stephen Farrell
- Re: [Cfrg] Mishandling twist attacks Adam Back