Re: [Cfrg] ECC reboot (Was: When's the decision?)

Watson Ladd <watsonbladd@gmail.com> Sat, 18 October 2014 14:57 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BF851A888E for <cfrg@ietfa.amsl.com>; Sat, 18 Oct 2014 07:57:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tdGKp9Mq5tQM for <cfrg@ietfa.amsl.com>; Sat, 18 Oct 2014 07:57:00 -0700 (PDT)
Received: from mail-yh0-x234.google.com (mail-yh0-x234.google.com [IPv6:2607:f8b0:4002:c01::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D8F91A0381 for <cfrg@irtf.org>; Sat, 18 Oct 2014 07:56:59 -0700 (PDT)
Received: by mail-yh0-f52.google.com with SMTP id f10so1134833yha.11 for <cfrg@irtf.org>; Sat, 18 Oct 2014 07:56:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=zSjH3USzmqgIiw5qH+xdgE/a7YI2wJOw4EsKyT47xqs=; b=pPWKziHmXVx+nkOL3/barkm09JVO/Bc/r6N0GaV/Bi0tQfqncCi8zfVadKhv3Du9z3 lftbWUS5wDjIByuxh4VmWc/sF8swKHZ8avNTRuPQdSSd/GVq+CJrfREYWhatviIHR30I T6CP90LE3MRymRhKghvwo5GveIPIBNH1vLlQrOFnIwUpS4NZlOTOYTEbitlkBiJCnBBo SFN9J8kgpMu4iRNqP9DA6416NEF8GDrK1hWg4/qg4PVda8mrcZIkrmM7NbBCx91EA2yX 2OnyETR73halp7+A3AyhLoal5M+JPhWNz5POiwpXw5EaWlx9ICLjdtWL5ECk3TdiBhW2 5HPA==
MIME-Version: 1.0
X-Received: by 10.236.53.69 with SMTP id f45mr22490919yhc.65.1413644219247; Sat, 18 Oct 2014 07:56:59 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Sat, 18 Oct 2014 07:56:59 -0700 (PDT)
In-Reply-To: <D065A817.30406%kenny.paterson@rhul.ac.uk>
References: <D065A817.30406%kenny.paterson@rhul.ac.uk>
Date: Sat, 18 Oct 2014 07:56:59 -0700
Message-ID: <CACsn0c=aW2dmmTmqhkvZ7FWWAjFDu2ZPKW1oY4h2+KJ-wdv8iw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "Paterson, Kenny" <Kenny.Paterson@rhul.ac.uk>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/Wzii2n-wZziWNpOftyOO3KJMYhk
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] ECC reboot (Was: When's the decision?)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Oct 2014 14:57:02 -0000

On Thu, Oct 16, 2014 at 9:08 AM, Paterson, Kenny
<Kenny.Paterson@rhul.ac.uk> wrote:
> Dear all,
>
> Watson rightly pointed out that we are far behind the originally
> advertised schedule for our process for selection of curves to recommend
> to the TLS WG. Other parties in and beyond IETF are waiting on our
> recommendations too.
>
> The reasons for the delay are quite complex, and I won't go into reviewing
> them here. Suffice to say we've had a lot of really informative technical
> discussion about performance of the different options, benchmarking, etc,
> so the slippage has not exactly been wasted.
>
> Our first task should be to finalise the requirements that we will use to
> guide the selection process. I think we are close, with a couple of
> outstanding issues:
>
> 1. Amount of "wiggle room" that should be permitted.
>
> 2. A more nuanced set of hardware requirements.
>
>
> I suggest we use the next *week* to try to finalise the requirements, and
> then November to evaluate the candidates that we currently have (along
> with any new candidates that might emerge) against the final set of
> requirements.
>
> With this schedule, we'd miss the IETF 91 meeting for our decision, but I
> don't think having our answer by mid-Novmeber is really feasible. We
> should certainly be able to deliver an early Christmas present to the TLS
> WG.
>
> To make this work, we'd need the RG to focus on the requirements for a
> short additional period of time.
>
> So here's a proposal for a new schedule which I believe to be feasible:
>
> 24/10/14 (1 week from now): we finalise requirements, including hardware
> requirements.
> 31/10/14 (2 weeks from now): we agree on whatever benchmarking system
> we're going to use for performance measurements. (Right now, supercop
> seems like the front runner to me.)
> 30/11/14 (6 weeks from now): we deliver our recommendations to the TLS WG.
>
> Could people let me know if this looks workable, within the next 24-48
> hours? Meantime, I'll send a message indicating where things stand on the
> requirements list.

This looks workable, assuming the requirements doesn't become settling
the issue of point formats. (This seems to have quieted down, but
probably out of exhaustion rather than agreement) If we give ourselves
the month to do that, I think this makes sense. (Waiting around for
benchmark results can easily be done while doing other things)

I second the recommendation for Supercop: it has very good diversity
of systems, easy to develop for, and already contains many contenders.
Sadly, my P256 entry clearly needs work: the reference implementation
is outperforming it on many CPUs! (This is probably due to the lack of
a precomputed table of points for basepoint multiplications, or having
the wrong window size, or some other similar issue: I'll investigate
further) A state of the art P256 implementation and P384
implementation would make comparing the benefits of the new curves
easy.

One feature I would like to see is an easy way to plot multiple
different primitives on the same graph, across machines. Reading the
numbers from the per machine charts and accumulating them manually
gets tired fast, and the graphs with all primitives are very crowded,
including primitives that while fast are not on the table (for odd
reasons: we should be able to work out a way to put Kummer surfaces
into TLS to reduce CPU costs)

Sincerely,
Watson Ladd
>
> Thanks
>
> Kenny
>
>
> On 06/10/2014 16:26, "Watson Ladd" <watsonbladd@gmail.com> wrote:
>
>>Dear all,
>>We were promised on July 27 a process running for 6 weeks. Doubling I
>>get 12 weeks, which is three months, of which two (August, September)
>>have already gone. Am I correct in supposing that we're on track for a
>>decision by Halloween?
>>
>>If we aren't, what remaining issues need to be addressed/when can we
>>expect a decision?
>>
>>Sincerely,
>>Watson Ladd
>>
>>_______________________________________________
>>Cfrg mailing list
>>Cfrg@irtf.org
>>http://www.irtf.org/mailman/listinfo/cfrg
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin