IETF Logo Mail Archive

Re: [Cfrg] Summary of the poll: Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)

"D. J. Bernstein" <djb@cr.yp.to> Fri, 19 June 2015 06:28 UTC

Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FEAD1A1BCD for <cfrg@ietfa.amsl.com>; Thu, 18 Jun 2015 23:28:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.896
X-Spam-Level: **
X-Spam-Status: No, score=2.896 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, UNPARSEABLE_RELAY=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5bDOCBlANFAT for <cfrg@ietfa.amsl.com>; Thu, 18 Jun 2015 23:28:08 -0700 (PDT)
Received: from calvin.win.tue.nl (calvin.win.tue.nl [131.155.70.11]) by ietfa.amsl.com (Postfix) with SMTP id DFE9A1A1BCC for <cfrg@irtf.org>; Thu, 18 Jun 2015 23:28:07 -0700 (PDT)
Received: (qmail 12535 invoked by uid 1017); 19 Jun 2015 06:28:26 -0000
Received: from unknown (unknown) by unknown with QMTP; 19 Jun 2015 06:28:26 -0000
Received: (qmail 3508 invoked by uid 1000); 19 Jun 2015 06:27:52 -0000
Date: Fri, 19 Jun 2015 06:27:52 -0000
Message-ID: <20150619062752.3506.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <557FEA01.7070207@isode.com> <557FE6E4.3040509@isode.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/bskvI2C1jxB4oGo3IdBxjMB7SfA>
Subject: Re: [Cfrg] Summary of the poll: Elliptic Curves - signature scheme: friendliness to low memory implementations (ends on June 3rd)
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jun 2015 06:28:09 -0000

I'm still unable to figure out what the chairs are saying the rough
consensus is. I'll keep using Ed25519 and SHA-3-512 to illustrate the
options available:

   Option #1: Specify Ed25519(SHA-3-512(m)) with an IUF API.
   Option #2: Specify higher-security Ed25519(m).
   Option #3: Specify Ed25519(m) as the higher-security default and
              Ed25519(SHA-3-512(m)) for applications that need IUF.

I understand that the chairs are saying that the following position has
rough consensus: the demand for deploying IUF APIs in some applications
outweighs the security concerns regarding those APIs; consequently, CFRG
needs to specify an IUF signature scheme, such as Ed25519(SHA-3-512(m)).

This is, however, compatible with _also_ specifying the more fundamental
Ed25519(m) layer as the default higher-security signature scheme. My
reading of the discussions so far is that it would be easy to justify
doing this: specifying Ed25519(m) as the higher-security default and
Ed25519(SHA-3-512(m)) for applications that need IUF. Both Ed25519(m)
and Ed25519(SHA-3-512(m)) have clearly attracted significant interest.

Are the chairs saying that the rough consensus is to do this? Or that
the rough consensus is to _not_ do this? Or still unsettled?

I would expect the first answer, but what I've seen is a completely
unclear mix of the second answer and the third answer. See quotes below.
Obviously clarification is required.

Alexey Melnikov writes:
> In your example, this means that "Ed25519(SHA-3-512(m)), with an IUF
> API" satisfies the requirement and CFRG poll result doesn't say
> anything about (doesn't recommend and doesn't prohibit) "Ed25519(m) as
> the higher-security default".

Okay. This seems to be a clear statement that the rough consensus is
against option #2---the choice between option #1 and option #3 hasn't
been resolved yet. "Doesn't recommend" allows option #1, and "doesn't 
prohibit" allows option #3.

In other words, you're saying that the rough consensus is that CFRG
needs to provide Ed25519(SHA-3-512(m)) or something else with an IUF
API, and that it isn't settled yet whether CFRG will also provide
something like Ed25519(m).

> There was rough consensus for the option #1.

This contradicts the "doesn't prohibit" statement. Option #1 would mean
specifying _only_ Ed25519(SHA-3-512(m)), and _not_ specifying Ed25519(m)
as the higher-security default.

---Dan

v2.23.0 | Report a Bug | By Email