Re: [Cfrg] Summary
Watson Ladd <watsonbladd@gmail.com> Fri, 02 January 2015 15:43 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEA2F1A87B1 for <cfrg@ietfa.amsl.com>; Fri, 2 Jan 2015 07:43:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_42=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9HdtdE82KX6S for <cfrg@ietfa.amsl.com>; Fri, 2 Jan 2015 07:43:30 -0800 (PST)
Received: from mail-yk0-x234.google.com (mail-yk0-x234.google.com [IPv6:2607:f8b0:4002:c07::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A87071A8795 for <cfrg@irtf.org>; Fri, 2 Jan 2015 07:43:30 -0800 (PST)
Received: by mail-yk0-f180.google.com with SMTP id 9so8774930ykp.25 for <cfrg@irtf.org>; Fri, 02 Jan 2015 07:43:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=aTRUU9hYYezpY9XHFJSS8mq/JrD5zrsTUCH2cY5tVeI=; b=K8gr8pNiAiIE/OE9A+JXDF54QGcv8KHkCau2LkFg4w9pReicQ6rgBv63IhT+3HmrwY RwYDgU2ccceBW86u7ZC5twBdAlpt0b5ptp5MUNtXr2E/J/S9yKRCfxO7OF5jtz27UhTk AiDYNBX19bX549ABr4uUf8coNkPjPnAbCpg+IZCcCVCn1GuqFQkPKIC30U4yi3OMeZQY 7UMqU6/c6N0KfW72aHpm0ASph22LQzZZxDFzKkrmiwKXlyRBN//jdj5H4ZB6wxdUvC+2 tgD20X2kL8dx+zoOkficNwH92AAC8MlrsouPGfy9hxVUcTdoMDsCkus1Mq8+zrwlJEm/ 3Ipw==
MIME-Version: 1.0
X-Received: by 10.170.220.195 with SMTP id m186mr23085192ykf.58.1420213409709; Fri, 02 Jan 2015 07:43:29 -0800 (PST)
Received: by 10.170.207.6 with HTTP; Fri, 2 Jan 2015 07:43:29 -0800 (PST)
In-Reply-To: <20150101190332.GA18703@roeckx.be>
References: <20150101144926.GA4784@roeckx.be> <CACsn0ckip8ZK=wYEAPJGAxwxBEBkXkSJQi9uPZQ7dmXPo77bGQ@mail.gmail.com> <20150101190332.GA18703@roeckx.be>
Date: Fri, 02 Jan 2015 10:43:29 -0500
Message-ID: <CACsn0cnkA_wxkscMeZZRJKpGH7+H6LH7aKbsZuBdgVR_G4E5PQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Kurt Roeckx <kurt@roeckx.be>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/diiv5lqy5tgjrjFBn0OCOg4MaXo
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] Summary
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Jan 2015 15:43:32 -0000
On Thu, Jan 1, 2015 at 2:03 PM, Kurt Roeckx <kurt@roeckx.be> wrote: > On Thu, Jan 01, 2015 at 10:50:49AM -0500, Watson Ladd wrote: >> > - Is there some document with requirements, and maybe a comparison >> > of how the proposals meet the requirements? >> >> No. The chairs suggested making one, but then didn't. Part of the >> problem is everyone was gaming the requirements to make their own >> proposals look better. > > I think it could be useful to have such a list. Please note that > not all the requirements are of equal importance, some might be a > MUST and others might be nice to have. The importance might also > change depending on the use, like TLS, SSH, PGP or X509. Maybe > we can't agree on those levels, but I think a list a list could > be useful. We tried that exercise. The problem is that all these protocols use only two things: signatures and ECDH (okay, ECIES, but that's ECDH+an AEAD mode), and use separate keys for each. Even if they didn't, this wouldn't in any way lead to a restriction on which primes to use, and certainly wouldn't solve the problem of which generator to use. If you go beyond this to consider implementations, then it turns out that people actually want to change their implementations and protocols to take advantage of better cryptography. The original NUMS proposal had a rather ugly way to stuff the results in existing point formats, but I don't remember much implementor enthusiasm for doing that, and TLS 1.3 is being redesigned to accommodate non-Weierstrass curves. (Why they need to wait for us, I can't remember: perfectly possible to say "bytes go here") Brainpool wanted to use random primes because of the details of their smartcards, but their claims that this was necessary for side-channel security were wrong: extra performance lets you do more blinding. Certainly now with NUMS being changed to use the same formats as the alternative proposal, it's a moot point. Had we dinged the NUMS proposal for the reasons it eventually was modified, then yes, we would have solved a good deal of our problems. But the current bikeshedding wasn't the issue we were originally faced with, which were two or three rather different proposals. There's a temptation, which I've indulged in, to think of ways we could have done things differently: most crypto competitions don't have these issues, for instance. But it's not really helpful with where we stand now. Sincerely, Watson Ladd > > > Kurt > -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- [Cfrg] Summary Kurt Roeckx
- Re: [Cfrg] Summary Watson Ladd
- Re: [Cfrg] Summary Tanja Lange
- Re: [Cfrg] Summary Christoph Anton Mitterer
- Re: [Cfrg] Summary Michael Hamburg
- Re: [Cfrg] Summary Kurt Roeckx
- Re: [Cfrg] Summary Ilari Liusvaara
- Re: [Cfrg] Summary Nico Williams
- Re: [Cfrg] Summary Watson Ladd