Re: [Cfrg] tentative agenda for CFRG at IETF 89

Robert Ransom <rransom.8774@gmail.com> Sat, 01 March 2014 04:16 UTC

In-Reply-To: <5310B12E.4070603@cisco.com>
References: <530FDC7A.4060404@cisco.com> <CABqy+srTqCXjOR4DMNgWyxf2pZ7dwZfWyznhBuJaY5w8VeuR4Q@mail.gmail.com> <5310B12E.4070603@cisco.com>
Date: Fri, 28 Feb 2014 20:16:40 -0800
Message-ID: <CABqy+srrbtdHOckjPqTj5SFuQwQEqXBjgc8kwagMi8E6ZRf=qg@mail.gmail.com>
From: Robert Ransom <rransom.8774@gmail.com>
To: David McGrew <mcgrew@cisco.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/cQRVe_UFm8982UpUMmvgd_hrbZA
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] tentative agenda for CFRG at IETF 89

On 2/28/14, David McGrew <mcgrew@cisco.com> wrote:

>> I have nearly finished writing a relatively elementary exposition of
>> the background in abstract algebra and (Weierstrass-form) elliptic
>> curves needed to properly explain Montgomery and Edwards curves and
>> their use in cryptography.  I intend to send it to the CFRG mailing
>> list either tonight or tomorrow for review.  After that, the portion
>> of a document describing Montgomery and Edwards curves themselves (as
>> currently used) should be relatively easy.
>
> Thanks for the offer to contribute here.

I've sent that document to the list now (attached to ‘Review of ECC topics’).


>>> Should we recommend its adoption in TLS?
>> draft-ladd-safecurves is not needed in order to adopt Curve25519 for use
>> in TLS.
>>
>> Dr. Bernstein's Curve25519 paper specifies the existing standard for
>> scalar multiplication on Curve25519 in sufficient detail to serve as a
>> normative reference for RFCs specifying its use in ECDH in IETF
>> protocols.  I believe that Curve25519 should be recommended for
>> adoption in TLS, and that a future version of
>> draft-josefsson-tls-curve25519 (which addresses the comments made on
>> the TLS list regarding the (current) -04 version) will be suitable for
>> publication as an RFC.
>
> I am wary of relying on the curve25519 paper as a normative reference.
> Perhaps your goal here is to provide an informational document (the
> draft that you mention above) that offers implementation guidance,
> instead of a normative reference?

RFC 4492 (ECC ciphersuites for TLS) cites ANSI X9.62, IEEE 1363, and a
few documents labeled as ‘standards’ by the corporations which
authored them as normative references.  It cannot be implemented
without the information in ANSI X9.62 and IEEE 1363.  ANSI X9.62 is
available from ANSI for 100 USD; IEEE 1363 is available from ANSI for
168 USD.

It is true that the author of the Curve25519 paper is neither a large
corporation nor an organization with “Standards” in its name, and did
not label Curve25519 as a ‘standard’ in the paper's title.  However,
the Curve25519 scalar multiplication function specified in the paper
became a ‘standard’, in the sense which IETF claims to use the word,
when software developers came to the rough consensus that it was a
good cryptographic primitive to use, and wrote and deployed running
code which implements it.  The Curve25519 paper is available for free
from the URL <http://cr.yp.to/ecdh/curve25519-20060209.pdf>.

What is your objection to using the Curve25519 paper as a normative
reference for the standard Curve25519 scalar multiplication function?


Robert Ransom