Re: [Cfrg] The Mythical Kevin Igoe

Watson Ladd <> Fri, 27 December 2013 01:17 UTC

Date: Thu, 26 Dec 2013 20:17:01 -0500
From: Watson Ladd <>
To: "Igoe, Kevin M." <>
Subject: Re: [Cfrg] The Mythical Kevin Igoe

Dear Mr. Igoe (and everyone else),

First off, congratulations on your daughter's graduation. I'm sure everyone here wishes her great success.

That said, I think your email raises more questions than answers, at least in my head. (Message numbers are in the CFRG archive.)

On 15 October 2012 you asked us to look at Dragonfly.

On 4 April 2013 you wrote email msg03264, stating that you wanted to put out a last call on Dragonfly. This email received no responses.

On 7 Dec 2013 the TLS Last Call on Dragonfly began. Joseph Salowey indicated the CFRG had reviewed the protocol with "satisfactory results".

On 13 Dec 2013 you wrote email msg03258, reiterating the last call and looking for input. This time you mentioned that TLS was working on it, which none of your previous emails had. This sparked a flurry of analysis, culminating in an email by you acknowledging a 2^{-40} chance (in a reasonable model) of Dragonfly leaking the password due to failure to find a point. This was in the version of Dragonfly the TLS WG was considering.

The CFRG had not only not found any problems, it hadn't analysed Dragonfly at all. The better answer would be "no one has analysed it". But of course, there are hundreds of protocols: everyone only cares about ones that actually get used. When the group actually looked at Dragonfly, problems quickly appeared.

Why was no response taken as indicative of a positive analysis? Given that this request came from the most important WG in the security area (the only one with millions of dollars entrusted to it globally), why was this not indicated as a high priority?

It's become clear to me that these are symptoms of problems much deeper than what appears in retrospect to be one chair's inartful words when describing a lack of results. Despite an initial 2005 burst of activity, including participation by some of the best in the world, today's CFRG does not seem to be effective in adding cryptographic expertise to WGs requesting it.

What do you feel should be done to address this issue?

Lastly, one note about primitives: primitives aren't the problem, protocols are. I've harped on this point often, but the "party line" in the IETF that the CFRG doesn't do protocols is ridiculous. What do you think cryptographers do when they talk about MPC or key agreement? Does the IETF have a problem picking ciphers, or doing the right thing with them?

(Ex officio, do you think we should demand formal proofs of protocols before us, or should we continue with the "looks good to me"

Watson Ladd