Re: [Cfrg] Adoption request: draft-hdevalence-cfrg-ristretto

Hi Filippo,

It's on the chair's "to do" list to reach out to the authors of that document and discuss the next steps. 

Thanks for your patience during the delay. There's a lot of CFRG docs in the works at the moment.

Regards

Kenny (for the chairs)

-----Original Message-----
From: Cfrg <cfrg-bounces@irtf.org> on behalf of Filippo Valsorda <filippo@ml.filippo.io>
Date: Wednesday, 24 July 2019 at 12:26
To: "cfrg@irtf.org" <cfrg@irtf.org>
Cc: "draft-hdevalence-cfrg-ristretto@ietf.org" <draft-hdevalence-cfrg-ristretto@ietf.org>
Subject: Re: [Cfrg] Adoption request: draft-hdevalence-cfrg-ristretto

    What are the next steps in discussing adoption of this draft?

    I believe it would be especially timely, as ristretto255 provides a
    better prime-order group than Curve25519 for OPRFs and PAKEs that are
    being discussed by this group.

    Moreover, Cas Cremers and Dennis Jackson recently published a new round
    of small subgroup attacks that would have been avoided by Ristretto
    adoption, as they mention in the paper.

    https://eprint.iacr.org/2019/526.pdf

    2019-05-18 00:22 GMT+02:00 Filippo Valsorda <filippo@ml.filippo.io>:
    > Hello,
    > 
    > I'd like to request for the group to adopt
    > draft-hdevalence-cfrg-ristretto for publication as an Informational RFC.
    > 
    > https://datatracker.ietf.org/doc/draft-hdevalence-cfrg-ristretto/
    > 
    > Ristretto255 is a prime-order group designed by Henry de Valence,
    > based on Mike Hamburg's Decaf. It provides a safe, efficient, and
    > implementor-friendly abstraction for a prime-order group, enabling safer
    > and simpler design of higher-level protocols. Its order is the same as
    > the prime-order subgroup of Curve25519.
    > 
    > Ristretto255 can easily be implemented on top of an existing Curve25519
    > library, and the authors are providing multiple implementations in
    > different languages: curve25519-dalek in Rust, by Isis Lovecruft
    > and Henry de Valence; curve25519-elisabeth in Java, by Jack Grigg;
    > ristretto255 in Go (implemented clean-room from the spec),
    > by George Tankersley and myself; and ristretto-donna (forthcoming) in
    > C, by Isis Lovecruft. We are also aware of other implementations we
    > have not personally tested for interoperability, including one in Frank
    > Denis's libsodium.
    > 
    > https://github.com/dalek-cryptography/curve25519-dalek
    > https://github.com/cryptography-cafe/curve25519-elisabeth
    > https://github.com/gtank/ristretto255
    > 
    > Importantly, ristretto255 is a flexible abstraction, and can be
    > implemented with different, more efficient curves than Curve25519. The
    > draft only provides implementation details for a Curve25519 backend,
    > but it defines the interface contract which is required of compliant
    > implementations, allowing alternate backends.
    > 
    > The group has already been adopted by some higher level protocols,
    > including Bulletproofs by Chain, and has been subject of discussion on
    > this list, including some good posts by Tony Arcieri. More information
    > is available at https://ristretto.group and in the draft, and the
    > authors and I are available to answer questions.
    > 
    > Best, Filippo
    >

    _______________________________________________
    Cfrg mailing list
    Cfrg@irtf.org
    https://www.irtf.org/mailman/listinfo/cfrg