[Cfrg] Adoption request: draft-hdevalence-cfrg-ristretto

"Filippo Valsorda" <filippo@ml.filippo.io> Fri, 17 May 2019 22:22 UTC

Date: Fri, 17 May 2019 18:21:42 -0400
From: "Filippo Valsorda" <filippo@ml.filippo.io>
To: cfrg@irtf.org
Cc: draft-hdevalence-cfrg-ristretto@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/fZmEo8dCzlip0yaBOSSSYbfyMi8>

Hello,

I'd like to request for the group to adopt
draft-hdevalence-cfrg-ristretto for publication as an Informational RFC.

https://datatracker.ietf.org/doc/draft-hdevalence-cfrg-ristretto/

Ristretto255 is a prime-order group designed by Henry de Valence,
based on Mike Hamburg's Decaf. It provides a safe, efficient, and
implementor-friendly abstraction for a prime-order group, enabling safer
and simpler design of higher-level protocols. Its order is the same as
the prime-order subgroup of Curve25519.

Ristretto255 can easily be implemented on top of an existing Curve25519
library, and the authors are providing multiple implementations in
different languages: curve25519-dalek in Rust, by Isis Lovecruft
and Henry de Valence; curve25519-elisabeth in Java, by Jack Grigg;
ristretto255 in Go (implemented clean-room from the spec),
by George Tankersley and myself; and ristretto-donna (forthcoming) in
C, by Isis Lovecruft. We are also aware of other implementations we
have not personally tested for interoperability, including one in Frank
Denis's libsodium.

https://github.com/dalek-cryptography/curve25519-dalek
https://github.com/cryptography-cafe/curve25519-elisabeth
https://github.com/gtank/ristretto255

Importantly, ristretto255 is a flexible abstraction, and can be
implemented with different, more efficient curves than Curve25519. The
draft only provides implementation details for a Curve25519 backend,
but it defines the interface contract which is required of compliant
implementations, allowing alternate backends.

The group has already been adopted by some higher-level protocols,
including Bulletproofs by Chain, and has been the subject of discussion on
this list, including some good posts by Tony Arcieri. More information
is available at https://ristretto.group and in the draft, and the
authors and I are available to answer questions.

Best, Filippo