Re: [Cfrg] Meeting notes
Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Mon, 30 March 2015 10:45 UTC
Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA8AE1ACDB9 for <cfrg@ietfa.amsl.com>; Mon, 30 Mar 2015 03:45:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.002
X-Spam-Level:
X-Spam-Status: No, score=-0.002 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cLKmZW3QTXRI for <cfrg@ietfa.amsl.com>; Mon, 30 Mar 2015 03:45:08 -0700 (PDT)
Received: from emh04.mail.saunalahti.fi (emh04.mail.saunalahti.fi [62.142.5.110]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40DBD1ACDB8 for <cfrg@irtf.org>; Mon, 30 Mar 2015 03:45:08 -0700 (PDT)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh04.mail.saunalahti.fi (Postfix) with ESMTP id BFFBC1A262F; Mon, 30 Mar 2015 13:45:05 +0300 (EEST)
Date: Mon, 30 Mar 2015 13:45:05 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Yoav Nir <ynir.ietf@gmail.com>
Message-ID: <20150330104505.GA11195@LK-Perkele-VII>
References: <CAHOTMVKUyNsA7ux4epk8LwR0w0Eh7dh0G3xTXB3O9m8jQPS3EQ@mail.gmail.com> <0C65868C-1725-4B32-A562-62C9DF36A956@gmail.com> <c65696d44c65b12478532bcb01fb2ef3.squirrel@mail2.ihtfp.org> <94D99ECB-98CA-4D25-897D-BA4BA8178409@gmail.com> <87y4mhtf5a.fsf@alice.fifthhorseman.net> <F7CF0AB9-4F3E-4FD4-B4D2-2F5172CB4BF2@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <F7CF0AB9-4F3E-4FD4-B4D2-2F5172CB4BF2@gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/YI6oUPiWXaw8kRfWppDS5lm1gek>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Meeting notes
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Mar 2015 10:45:10 -0000
On Mon, Mar 30, 2015 at 01:26:38PM +0300, Yoav Nir wrote: > > > On Mar 28, 2015, at 4:39 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote: > > > > On Fri 2015-03-27 09:44:14 -0500, Yoav Nir wrote: > >> Is that the same for AE? Because if it is, you could just generate > >> those parameters, stick them in the draft and be done with it (up to > >> some NUMS claims that can be solved with a key generation ceremony > >> that need happen only once. > > > > I think this key generation ceremony is the part that people were > > expressing concern about in the meeting. > > > > It's not clear that we have a clear story about how to do this in a > > reliable, future-proof way (that is, so that arbitrary people in the > > future can easily refute any speculation that the original generation > > procedure was somehow backdoored). > > > > Many of us on this list can probably propose clever "performance art" > > events that seem like they'd be likely to satisfy this property today > > for most of us. But if we aim for some set of parameters that will > > still be used a generation from now, that seems harder to predict. > > I’m not a big fan of performance art, but if the claims of 50x > performance gain are true, I think a lot of us will be willing > to just through a lot of hoops to get it. And I mean for all > the Internet, not just SmartObjects. I haven't really looked, but on surface the algorithm doesn't look to be friendly for constant-time implementation. Matrix row or column swaps are involved? So constant-time implementation would likely be a lot slower (it could still be much faster than ECC). Modern CPUs and OSes are pretty ridiculously vulernable to timing attacks. Even across VMs. Another advantage: It uses medium primes, which are much easier to work with than large primes (one can't use medium primes with ECC due to weak fields). For CPU work, 2^31-1 looks to be pretty convinient prime. -Ilari
- [Cfrg] Meeting notes Tony Arcieri
- Re: [Cfrg] Meeting notes Yoav Nir
- Re: [Cfrg] Meeting notes Derek Atkins
- Re: [Cfrg] Meeting notes Yoav Nir
- Re: [Cfrg] Meeting notes Derek Atkins
- Re: [Cfrg] Meeting notes Watson Ladd
- Re: [Cfrg] Meeting notes Daniel Kahn Gillmor
- Re: [Cfrg] Meeting notes Johannes Merkle
- Re: [Cfrg] Meeting notes Yoav Nir
- Re: [Cfrg] Meeting notes Ilari Liusvaara
- [Cfrg] (on Algebraic Eraser) Re: Meeting notes Rene Struik
- Re: [Cfrg] (on Algebraic Eraser) Re: Meeting notes Derek Atkins
- Re: [Cfrg] (on Algebraic Eraser) Re: Meeting notes Nico Williams
- Re: [Cfrg] Meeting notes Nico Williams
- Re: [Cfrg] (on Algebraic Eraser) Re: Meeting notes Rene Struik
- Re: [Cfrg] (on Algebraic Eraser) Re: Meeting notes Nico Williams
- Re: [Cfrg] Meeting notes Derek Atkins
- Re: [Cfrg] Meeting notes Alexey Melnikov