Re: [Cfrg] On process (was Re: Elliptic Curves - poll on specific curve around 256bit work factor (ends on February 23rd))

Watson Ladd <> Tue, 24 February 2015 22:34 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 6D1771A6FEB for <>; Tue, 24 Feb 2015 14:34:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id a7SGQ9PImrwM for <>; Tue, 24 Feb 2015 14:34:03 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400d:c01::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A16A91A6FE7 for <>; Tue, 24 Feb 2015 14:34:02 -0800 (PST)
Received: by qcvx3 with SMTP id x3so48899qcv.5 for <>; Tue, 24 Feb 2015 14:34:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=vxVUAH03I+sEX/8Jyy/A1VhiS6krmDY4eoeCoREy3Go=; b=giWEZQEWMiwSZO+2Jn3NQ7nGIt4Cma08oKqEERJAXEshoRjTy10aZyBnfNZxNJuN0D FQ0PAy6+1pYDD5u6HAdWkQCqZzE+YtB3nfHEi9eUuA9bXTttCPgGeSex2r1GnT3Hcui0 pPGYTtMV+AvRWp5Wv6QMUZZXvSSSFngQ3dRFY8NV4Gmckc1Gz7kdM+E/gL7RWDrehi7S 9MhdyPY82gfReQnPceVdRKSltWEW3cxz/CrtTHL/VMLKvG2bnGNYqOtWPsSfe4N0W9JT 5Jx/QEI3cUTHBBlzM1S6BCnVKs+VilmH3bxb6Vd7UccHPRIkfYRvCe8wHkx+fHMM9X8r eLwg==
MIME-Version: 1.0
X-Received: by with SMTP id 63mr309171qht.35.1424817241818; Tue, 24 Feb 2015 14:34:01 -0800 (PST)
Received: by with HTTP; Tue, 24 Feb 2015 14:34:01 -0800 (PST)
Received: by with HTTP; Tue, 24 Feb 2015 14:34:01 -0800 (PST)
In-Reply-To: <>
References: <> <>
Date: Tue, 24 Feb 2015 14:34:01 -0800
Message-ID: <>
From: Watson Ladd <>
To: Alexey Melnikov <>
Content-Type: multipart/alternative; boundary="001a1135547e918e4c050fdd1d30"
Archived-At: <>
Subject: Re: [Cfrg] On process (was Re: Elliptic Curves - poll on specific curve around 256bit work factor (ends on February 23rd))
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 24 Feb 2015 22:34:05 -0000

On Feb 24, 2015 1:06 PM, "Alexey Melnikov" <>
> On 23/02/2015 06:46, Watson Ladd wrote:
>> On Sat, Feb 21, 2015 at 5:40 AM, Paterson, Kenny
>> <> wrote:
>>> Hi Alyssa,
>>> On 20/02/2015 20:15, "Alyssa Rowan" <> wrote:
>>>> Hash: SHA512
>>>>> [TA] Have you considered doing a poll of what specific curves
>>>>> people actually want to use?
>>>>> [PHB] [Š] your poll [Š] rather undercuts the whole process.
>>>> Strongly agreed.
>>>>> [KP] Yes, we considered a number of different ways of narrowing
>>>>> down our choices. However, we settled on doing it this way. Please
>>>>> stick with us.
>>>> With the greatest respect, if upstream and external parties were
>>>> willing to tolerate undocumented decisions by editor/chair fiat,
>>>> they'd stick with the NIST curves, wouldn't they?
>>> I think you have to give the chairs some room to make decisions in order
>>> to help move things forward. We've been rightly criticised for not doing
>>> that in recent months, and now we are trying to do better. So cut us
>>> slack, please.
>>> Yes, we could have first run a "meta poll" to ask the group what kinds
>>> questions they wanted to be asked, or what the topics of the questions
>>> should be, but I think that would only have led to dismayed comments
>>> other participants saying we were not providing enough direction or
>>> leadership (but Alexey and I are by now well aware that chairs cannot
>>> please all of the people any of the time, and some of the time we do not
>>> please anyone; for us, it goes with the territory).
>> Chairs could avoid making promises about the process they don't end up
>> keeping. I would say that's the single biggest reason chairs got
>> criticised.
> I think the only promise that we made (timeline promises notwithstanding)
is that we do a series of polls to narrow down choices of curves and other
issues that are needed to finish EC recommendations (signature scheme,
coordinate system, Endianness of what goes on the wire, etc.)
>>>> We were asked because publicly-documented technical consensus, not
>>>> guided by any one party, is very highly desirable.
>>> But then what to do if there is no consensus? This appeared to be the
>>> on the specific question of whether we should stick to "traditional
>>> of 2" security levels or not.
>> But we're already using voting to decide other issues on which there
>> was no consensus: why is the Goldilocks issue so special?
>> You could have had long discussions about which point formats to use,
>> and decided to use one. You could have done the same for signatures.
> And have you read my message asking to stay on topic and which topics are
coming next? If you did, you would have known that these questions are

I did read that email. I'm not objecting to that aspect, just the exclusion
of a single proposal.  It's moot as chairs seem to have backed down from
this exclusion.

The process, or what little there was, has evolved from picking proposals
to full blown design by committe.

>> But the only aspect that's being formally decided upon by the chairs
>> is security levels: why? And not even security levels, just a decision
>> to exclude three candidate curves.
>> I could understand making the entire decision. I could understand
>> voting in various forms. But I don't understand why this particular
>> decision is being made by chairs, and not others.
> Chairs pick questions in order to help CFRG move forward on the EC topic.
We are not perfect and for that I apologise. Suggestions for better
questions are welcome, but please do it without starting a flame war (hint:
either ask privately or ask nicely on the mailing list).

There's a difference between asking poll questions and making decisions.
I'm not objecting to either, just doing one and calling it the other, and
then hiding the fact that you did so.

As for poll questions how about "rank primes in your preference order".
People answered it anyway.

For ECDH we have six possible choices based on model and compression, plus
some more oddball proposals. I'd recommend asking everyone to rank them
all, and find something broadly acceptable.

For signatures we've got ECDSA, Franken-ECDSA, and EdSA. I would ask for a
full rank instead. I don't think we need to consider public key format
separately here.

As for endianess I would recommend sticking with existing implementations
and not conducting a poll.

This avoids issues where some votes condition others in weird ways.

Watson Ladd