Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Consensus and a way forward]

Benjamin Black <b@b3k.us> Tue, 02 December 2014 05:06 UTC

Return-Path: <b@b3k.us>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B94C91A00D8 for <cfrg@ietfa.amsl.com>; Mon, 1 Dec 2014 21:06:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lw3zk31nFhWu for <cfrg@ietfa.amsl.com>; Mon, 1 Dec 2014 21:06:37 -0800 (PST)
Received: from mail-wi0-f180.google.com (mail-wi0-f180.google.com [209.85.212.180]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFDCD1A0089 for <cfrg@irtf.org>; Mon, 1 Dec 2014 21:06:36 -0800 (PST)
Received: by mail-wi0-f180.google.com with SMTP id n3so19679214wiv.7 for <cfrg@irtf.org>; Mon, 01 Dec 2014 21:06:35 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=HgFEvgRjZ1d5M42/q10xhxKfDXHmTmEoNmDYWZXyEfU=; b=DoEsqPj/F+xm2fz+NZeqUrlgFZ18/WPBRb1TO5CWV3JAPF8u+092Ggu3zgUXsQ/4Tc Ea3ohmcl9+2nVdz0Zd/8BrxczvY/BbfWfCdPzjYxqdOLKDymOo329xp2YuZj2nKc7yyW POmWR6HEaYlnkTF5pwsQnXDODfJId7yUc97Xc4XggxX02RlRg4jyoMLsUm2OxpP/1EmX Vm64c6dmiVszyBmxNokY4/pqhIFFBk2396zmWJMZuPsYz4Sf3gSmrTzqrdXciqdQIOwV A/PvF0XZ2jG4p/G9E/u9BDXgvV++i+dzrRyzsw47fyJqjKPbr1hOb88c/06Xobet/O/s Gizw==
X-Gm-Message-State: ALoCoQntbgt/+0Spu8YSNQnKhIVsydKQ1EcWGVqbNkNnBNr0hx1xgvMnSC4ub66G+6lmntNALACi
X-Received: by 10.180.211.108 with SMTP id nb12mr90676328wic.76.1417496795483; Mon, 01 Dec 2014 21:06:35 -0800 (PST)
MIME-Version: 1.0
Received: by 10.217.191.195 with HTTP; Mon, 1 Dec 2014 21:06:15 -0800 (PST)
In-Reply-To: <CAHOTMVJi2N8vg=eB-sKRPmTWPk3gKYXdbdu-N65veBUQjJishA@mail.gmail.com>
References: <CA+Vbu7xvvfRWyqyE9sqU7VbjzNQZp+DwRWjaV3Lw0hjLr8ye1A@mail.gmail.com> <5476CB73.7090206@akr.io> <CAMfhd9XxkZsVPMcevWOgvvqbBK0JqLVCGBYfwWu0QFO5rsfbJQ@mail.gmail.com> <CABqy+sodVBbwNrA28AFxYMiw5rJxtUX3cbYCjtrYxK-48Ocd6A@mail.gmail.com> <CAMfhd9VF784rJ5gXiLkB6DdwS+zAi=GDgT=792jQ=+oqcK_F3Q@mail.gmail.com> <CA+Vbu7yuDncMwiAhQiDUR=LW-Rd4WU=BgaD_G+akS4JROoy1ng@mail.gmail.com> <CAHOTMVJi2N8vg=eB-sKRPmTWPk3gKYXdbdu-N65veBUQjJishA@mail.gmail.com>
From: Benjamin Black <b@b3k.us>
Date: Mon, 1 Dec 2014 21:06:15 -0800
Message-ID: <CA+Vbu7ye3bytMZ-j8pfZixrjF8irTOoWmRo_GwjB0LphwjXq+Q@mail.gmail.com>
To: Tony Arcieri <bascule@gmail.com>
Content-Type: multipart/alternative; boundary=001a11c37d32f7249f050934b077
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/ZlZNQQyTsQyMKr9c5cdpvl12H08
Cc: Adam Langley <agl@imperialviolet.org>, "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Consensus and a way forward]
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Dec 2014 05:06:39 -0000

The concerns do not apply to the twisted Edwards curve we generated, only
to the isogenous Montgomery curve. If one insists on using the Montgomery
ladder and on clearing cofactors, which is not required for ECDH, then
multiplication by 8 is the simplest answer. Note that X25519 also has
specific guidance about its use in non-DH protocols and failing to heed it
results in security problems. There is no free lunch.

My counterpoint is that all of this complexity is introduced by insisting
on the use of the ladder. Instead of debating how to hack around the
problems that introduces, use the twisted Edwards curve. It is extremely
fast and has far fewer sharp edges.

On Mon, Dec 1, 2014 at 6:27 PM, Tony Arcieri <bascule@gmail.com>; wrote:

> On Mon, Dec 1, 2014 at 4:18 PM, Benjamin Black <b@b3k.us>; wrote:
>
>> Several of the responses to this proposal leave me a bit confused as it
>> appears they were written without having read the draft. If your
>> perspective is that Curve25519 must be adopted, and under no circumstances
>> will alternatives be considered, then it will be difficult to reach an
>> accommodation.
>>
>
> Can you please respond to djb's concerns about twist security?
>
>
>> If instead you are interested in achieving consensus, the first step
>> should be understanding alternative viewpoints and considering how we might
>> find a middle ground. The draft documents such a middle ground.
>>
>
> The draft overlooks djb's concerns. At the very least it should give a
> counterpoint to djb's arguments.
>
> --
> Tony Arcieri
>