Re: [Cfrg] tentative agenda for CFRG at IETF 89

[David McGrew <mcgrew@cisco.com>]

Hi Robert,

On 02/27/2014 10:17 PM, Robert Ransom wrote:
> On 2/27/14, David McGrew <mcgrew@cisco.com> wrote:
>
>> The TLS WG has asked for the CFRG opinion on ChaCha+Poly1305.    We also
>> should be offering an opinion on the new ECC mechanisms.   Some
>> questions for you: should we take on draft-ladd-safecurves-03 as an RG
>> draft?
> I strongly oppose adoption of draft-ladd-safecurves-03 as an RG draft or an RFC:
>
> * In draft-ladd-safecurves-00, the ‘author’ merely copied a pile of
> curve equations into an I-D and tried to pass it off as his own useful
> contribution.  draft-ladd-safecurves-03 still takes a fundamentally
> wrong approach in specifying several specific curves, when what is
> needed is a document describing how the whole class of Montgomery and
> Edwards curves is currently used and can be used in future
> applications.
>
> * It repeatedly claims to specify a ‘standard’ for ECC on those
> curves; however, the draft is ‘Informational’, and it specifies point
> formats for Curve25519 which are deliberately incompatible with the
> existing standard practices among implementations.  Thus, it is
> attempting to specify a new ‘standard’ in a non-standards-track
> Internet document, in clear defiance of IETF policy.
>
> * It contains several factual inaccuracies.
>
> * It takes a condescending tone toward implementors, while omitting
> critical details needed to apply what little information it provides
> to other Montgomery and Edwards curves.
>
> * None of the text of the draft explains any aspect of the use of
> Montgomery and Edwards curves or any background information in a
> useful level of detail.  It is not useful even as a starting point for
> an RFC on this topic.
>
> * The author has repeatedly disregarded advice from other RG members
> regarding this draft, usually with unnecessary hostility.  I have not
> yet seen any reason to believe that he will change his behaviour.  If
> he is chosen as the editor of an RG document at this time, I will not
> waste my effort on attempting to contribute to it.

That makes your position clear.

>
>
> I have nearly finished writing a relatively elementary exposition of
> the background in abstract algebra and (Weierstrass-form) elliptic
> curves needed to properly explain Montgomery and Edwards curves and
> their use in cryptography.  I intend to send it to the CFRG mailing
> list either tonight or tomorrow for review.  After that, the portion
> of a document describing Montgomery and Edwards curves themselves (as
> currently used) should be relatively easy.

Thanks for the offer to contribute here.

>
>> Should we recommend its adoption in TLS?
> draft-ladd-safecurves is not needed in order to adopt Curve25519 for use in TLS.
>
> Dr. Bernstein's Curve25519 paper specifies the existing standard for
> scalar multiplication on Curve25519 in sufficient detail to serve as a
> normative reference for RFCs specifying its use in ECDH in IETF
> protocols.  I believe that Curve25519 should be recommended for
> adoption in TLS, and that a future version of
> draft-josefsson-tls-curve25519 (which addresses the comments made on
> the TLS list regarding the (current) -04 version) will be suitable for
> publication as an RFC.

I am wary of relying on the curve25519 paper as a normative reference.   
Perhaps your goal here is to provide an informational document (the 
draft that you mention above) that offers implementation guidance, 
instead of a normative reference?

David

>
>
> Robert Ransom
> .
>