Re: [Cfrg] Meeting notes

[Ilari Liusvaara <ilari.liusvaara@elisanet.fi>]

On Mon, Mar 30, 2015 at 01:26:38PM +0300, Yoav Nir wrote:
> 
> > On Mar 28, 2015, at 4:39 PM, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
> > 
> > On Fri 2015-03-27 09:44:14 -0500, Yoav Nir wrote:
> >> Is that the same for AE?  Because if it is, you could just generate
> >> those parameters, stick them in the draft and be done with it (up to
> >> some NUMS claims that can be solved with a key generation ceremony
> >> that need happen only once.
> > 
> > I think this key generation ceremony is the part that people were
> > expressing concern about in the meeting.
> > 
> > It's not clear that we have a clear story about how to do this in a
> > reliable, future-proof way (that is, so that arbitrary people in the
> > future can easily refute any speculation that the original generation
> > procedure was somehow backdoored).
> > 
> > Many of us on this list can probably propose clever "performance art"
> > events that seem like they'd be likely to satisfy this property today
> > for most of us.  But if we aim for some set of parameters that will
> > still be used a generation from now, that seems harder to predict.
> 
> I’m not a big fan of performance art, but if the claims of 50x
>  performance gain are true, I think a lot of us will be willing
> to just through a lot of hoops to get it.  And I mean for all
> the Internet, not just SmartObjects.

I haven't really looked, but on surface the algorithm doesn't look to
be friendly for constant-time implementation. Matrix row or column
swaps are involved?

So constant-time implementation would likely be a lot slower (it could
still be much faster than ECC).

Modern CPUs and OSes are pretty ridiculously vulernable to timing
attacks. Even across VMs.


Another advantage: It uses medium primes, which are much
easier to work with than large primes (one can't use medium primes
with ECC due to weak fields). For CPU work, 2^31-1 looks to be pretty
convinient prime.


-Ilari