Re: [Cfrg] Results of the poll: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd)

Benjamin Black <b@b3k.us> Thu, 05 March 2015 23:54 UTC

Return-Path: <b@b3k.us>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25BFE1A909A for <cfrg@ietfa.amsl.com>; Thu, 5 Mar 2015 15:54:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.976
X-Spam-Level:
X-Spam-Status: No, score=-1.976 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p571WMtF7oCS for <cfrg@ietfa.amsl.com>; Thu, 5 Mar 2015 15:54:52 -0800 (PST)
Received: from mail-ie0-f180.google.com (mail-ie0-f180.google.com [209.85.223.180]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B74491A9090 for <cfrg@irtf.org>; Thu, 5 Mar 2015 15:54:51 -0800 (PST)
Received: by iecrp18 with SMTP id rp18so13474155iec.10 for <cfrg@irtf.org>; Thu, 05 Mar 2015 15:54:51 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=31K/aL9OKfHmISKohd3jYSzmfthznHVSxNG+heCRloA=; b=f8f/SXHZsYYAQ2XiltCnciW5ythSPgs73I0QYImY7nBuGBLWFeNvF3I5mxtL2Wd1Tf zagU/Pvkpd+QbqFzvMluTJ+ijv/+wDPQYLAu0M+UueKSEtiQlVbSliS7PCMkEJBCIWTZ jnzGFy35F0+HAT6pnoEZcRI/WiA3XTjOcD/sJHbonz33ytM2BWNZafcVFTtXR5D+h03l eDWYm+J1DI6tlhpHL8/4fTFEW9vC8hFq97uAct0L961DRQJnzevVmzpqWkebBg/4Inim 048JHhsIY4xPgAf8XNaoIVJ8jihTl6dVueCs5iJBWXQTT+Lxjnhbl0wkQcaIXBeY8Vg+ U0Pw==
X-Gm-Message-State: ALoCoQk1JBTU94x++S0fiJJ8Hafb5d5VUELmf3gQHz7/QtJQRc29i06x17MQUh0V7lriLnqY+X4N
X-Received: by 10.42.85.82 with SMTP id p18mr6968690icl.58.1425599691120; Thu, 05 Mar 2015 15:54:51 -0800 (PST)
MIME-Version: 1.0
Received: by 10.36.28.145 with HTTP; Thu, 5 Mar 2015 15:54:30 -0800 (PST)
In-Reply-To: <7FFDF55A-61BC-4114-9E8B-F23E43C42426@shiftleft.org>
References: <54EDDBEE.5060904@isode.com> <54F8E2B1.80304@isode.com> <CA+Vbu7y-6ocP9yPrYYVmSGyboHQvLzQFonzkejwE4jxOs0ww6A@mail.gmail.com> <7FFDF55A-61BC-4114-9E8B-F23E43C42426@shiftleft.org>
From: Benjamin Black <b@b3k.us>
Date: Thu, 05 Mar 2015 15:54:30 -0800
Message-ID: <CA+Vbu7w5=RMxjidsbrC15kjzEea=8=eLFyHw6ZXLaMCf03seNQ@mail.gmail.com>
To: Michael Hamburg <mike@shiftleft.org>
Content-Type: multipart/alternative; boundary="20cf303348752e7fd10510934b69"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/TKQqbwo3D3y_mJz_fQ5Fy98hVFs>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Results of the poll: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2015 23:54:55 -0000

As you say, it would be equally a problem for every curve, which was my
argument repeatedly rejected by Alyssa and Robert. As they have never made
a statement, public or private, of which I am aware withdrawing their
assertions, I can only assume they still believe what they said. If they
would like to pipe up and explain that they no longer hold those views
that'd be swell.

I cannot comment on Microsoft as I am no longer there.


On Thu, Mar 5, 2015 at 3:41 PM, Michael Hamburg <mike@shiftleft.org> wrote:

> Hi Benjamin,
>
> Robert Ransom was concerned about Microsoft’s paper and code release
> possibly containing material based on the patent US7602907.  This wasn’t
> particularly to do with the curve, but with the combs algorithm for fast
> fixed-point multiplications.  If this is a problem with any curve, it’s
> equally a problem for (implementations of) every curve.  I believe that
> Robert was motivated in this pursuit by a deep-seated conviction that
> Microsoft was trying to pull something shady, but Alyssa and I just want to
> make sure that the patent landscape is clear so that nobody infringes by
> accident.
>
> Since my code uses signed all-bits set combs, and if I understand
> correctly your patent specifically covers modified LSB-set combs, I don’t
> believe that my implementation has patent problems.  Again, this is a
> property of the implementation and not of the curve.
>
> I asked if you and/or the Microsoft legal team concurred with this
> analysis.  You said that your team was unaware of the patent and didn’t use
> it intentionally, but that you would ask legal if it happened to be
> covered, and whether they thought the Goldilocks code might be affected.
> Nearly 6 months have passed and we haven’t heard anything from legal.  Do
> you have an update for us?
>
> Cheers,
> — Mike
>
> On Mar 5, 2015, at 3:22 PM, Benjamin Black <b@b3k.us> wrote:
>
> What happened to the earlier, vigorous arguments by Robert Ransom, Alyssa
> Rowan and Mike Hamburg that Goldilocks448, and perhaps all of the curves
> based on large primes, would be covered by Microsoft IP?
>
> On Thu, Mar 5, 2015 at 3:11 PM, Alexey Melnikov <alexey.melnikov@isode.com
> > wrote:
>
>> On 25/02/2015 14:27, Alexey Melnikov wrote:
>>
>>> CFRG chairs are starting another poll:
>>>
>>> Q3: This is a Quaker poll (please answer one of "preferred",
>>> "acceptable" or "no") for each curve specified below:
>>>
>>> 1) 448 (Goldilocks)
>>> 2) 480
>>> 3) 521
>>> 4) other curve (please name another curve that you "prefer" or "accept",
>>> or state "no")
>>>
>> Thank you for all responses.
>>
>> 521 - 6 preferred, 14 - acceptable
>> 448 - 16 preferred, 4 - acceptable
>>
>> Very few prefer others (512 NUMS, 480).
>>
>> So CFRG prefers curve 448.
>>
>>>
>>> If you stated your curve preferences in the poll that ended on February
>>> 23rd (see the attachment), you don't need to reply to this poll, your
>>> opinion is already recorded. But please double check what chairs recorded
>>> (see the attachment).
>>>
>>> If you changed your mind or only answered the question about performance
>>> versa memory usage for curves 512 and 521, feel free to reply.
>>>
>>> Once this issues is settled, we will be discussing (in no particular
>>> order. Chairs reserve the right to add additional questions) implementation
>>> specifics and coordinate systems for Diffie-Hellman. We will then make
>>> decisions on signature schemes. Please don't discuss any of these future
>>> topics at this time.
>>>
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg
>>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
>
>
>