Re: [Cfrg] Summary

Watson Ladd <> Fri, 02 January 2015 15:43 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id EEA2F1A87B1 for <>; Fri, 2 Jan 2015 07:43:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_42=0.6, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9HdtdE82KX6S for <>; Fri, 2 Jan 2015 07:43:30 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4002:c07::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A87071A8795 for <>; Fri, 2 Jan 2015 07:43:30 -0800 (PST)
Received: by with SMTP id 9so8774930ykp.25 for <>; Fri, 02 Jan 2015 07:43:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=aTRUU9hYYezpY9XHFJSS8mq/JrD5zrsTUCH2cY5tVeI=; b=K8gr8pNiAiIE/OE9A+JXDF54QGcv8KHkCau2LkFg4w9pReicQ6rgBv63IhT+3HmrwY RwYDgU2ccceBW86u7ZC5twBdAlpt0b5ptp5MUNtXr2E/J/S9yKRCfxO7OF5jtz27UhTk AiDYNBX19bX549ABr4uUf8coNkPjPnAbCpg+IZCcCVCn1GuqFQkPKIC30U4yi3OMeZQY 7UMqU6/c6N0KfW72aHpm0ASph22LQzZZxDFzKkrmiwKXlyRBN//jdj5H4ZB6wxdUvC+2 tgD20X2kL8dx+zoOkficNwH92AAC8MlrsouPGfy9hxVUcTdoMDsCkus1Mq8+zrwlJEm/ 3Ipw==
MIME-Version: 1.0
X-Received: by with SMTP id m186mr23085192ykf.58.1420213409709; Fri, 02 Jan 2015 07:43:29 -0800 (PST)
Received: by with HTTP; Fri, 2 Jan 2015 07:43:29 -0800 (PST)
In-Reply-To: <>
References: <> <> <>
Date: Fri, 02 Jan 2015 10:43:29 -0500
Message-ID: <>
From: Watson Ladd <>
To: Kurt Roeckx <>
Content-Type: text/plain; charset="UTF-8"
Cc: "" <>
Subject: Re: [Cfrg] Summary
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 02 Jan 2015 15:43:32 -0000

On Thu, Jan 1, 2015 at 2:03 PM, Kurt Roeckx <> wrote:
> On Thu, Jan 01, 2015 at 10:50:49AM -0500, Watson Ladd wrote:
>> > - Is there some document with requirements, and maybe a comparison
>> >   of how the proposals meet the requirements?
>> No. The chairs suggested making one, but then didn't. Part of the
>> problem is everyone was gaming the requirements to make their own
>> proposals look better.
> I think it could be useful to have such a list.  Please note that
> not all the requirements are of equal importance, some might be a
> MUST and others might be nice to have.  The importance might also
> change depending on the use, like TLS, SSH, PGP or X509.  Maybe
> we can't agree on those levels, but I think a list a list could
> be useful.

We tried that exercise. The problem is that all these protocols use
only two things: signatures and ECDH (okay, ECIES, but that's ECDH+an
AEAD mode), and use separate keys for each. Even if they didn't, this
wouldn't in any way lead to a restriction on which primes to use, and
certainly wouldn't solve the problem of which generator to use.

If you go beyond this to consider implementations, then it turns out
that people actually want to change their implementations and
protocols to take advantage of better cryptography. The original NUMS
proposal had a rather ugly way to stuff the results in existing point
formats, but I don't remember much implementor enthusiasm for doing
that, and TLS 1.3 is being redesigned to accommodate non-Weierstrass
curves. (Why they need to wait for us, I can't remember: perfectly
possible to say "bytes go here") Brainpool wanted to use random primes
because of the details of their smartcards, but their claims that this
was necessary for side-channel security were wrong: extra performance
lets you do more blinding. Certainly now with NUMS being changed to
use the same formats as the alternative proposal, it's a moot point.

Had we dinged the NUMS proposal for the reasons it eventually was
modified, then yes, we would have solved a good deal of our problems.
But the current bikeshedding wasn't the issue we were originally faced
with, which were two or three rather different proposals. There's a
temptation, which I've indulged in, to think of ways we could have
done things differently: most crypto competitions don't have these
issues, for instance. But it's not really helpful with where we stand

Watson Ladd

> Kurt

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin