Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Consensus and a way forward]

"Paterson, Kenny" <> Wed, 31 December 2014 17:32 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 9A14E1AC442 for <>; Wed, 31 Dec 2014 09:32:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.798
X-Spam-Status: No, score=0.798 tagged_above=-999 required=5 tests=[BAYES_50=0.8, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 0PJHvRMp-Xvi for <>; Wed, 31 Dec 2014 09:32:09 -0800 (PST)
Received: from ( [IPv6:2a01:111:f400:fe00::689]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4CB251AC436 for <>; Wed, 31 Dec 2014 09:32:09 -0800 (PST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Wed, 31 Dec 2014 17:28:21 +0000
Received: from ([]) by ([]) with mapi id 15.01.0049.002; Wed, 31 Dec 2014 17:28:21 +0000
From: "Paterson, Kenny" <>
To: Tanja Lange <>
Thread-Topic: [Cfrg] draft-black-rpgecc-00-.txt [was: Consensus and a way forward]
Date: Wed, 31 Dec 2014 17:28:21 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-GB, en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/
x-originating-ip: []
authentication-results: spf=none (sender IP is );
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:DBXPR03MB383;
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:;SRVR:DBXPR03MB383;
x-forefront-prvs: 0442E569BC
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(6009001)(199003)(51704005)(52044002)(24454002)(479174004)(189002)(107046002)(15975445007)(46102003)(4396001)(62966003)(120916001)(230783001)(93886004)(102836002)(106356001)(77096005)(97736003)(77156002)(66066001)(86362001)(54356999)(2950100001)(20776003)(40100003)(92566001)(74482002)(68736005)(21056001)(2656002)(36756003)(106116001)(64706001)(19580405001)(76176999)(87936001)(19580395003)(110136001)(50986999)(122556002)(105586002)(2900100001)(101416001)(99396003)(31966008)(561944003); DIR:OUT; SFP:1101; SCL:1; SRVR:DBXPR03MB383;; FPR:; SPF:None; MLV:sfv; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
Content-Type: text/plain; charset="us-ascii"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Dec 2014 17:28:21.1283 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2efd699a-1922-4e69-b601-108008d28a2e
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBXPR03MB383
Cc: "" <>
Subject: Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Consensus and a way forward]
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 31 Dec 2014 17:32:15 -0000

Hi Tanja,

On 23/12/2014 01:54, "Tanja Lange" <> wrote:

>Dear Kenny,
>This is a late reply to your reply to Watson.

And this is a slightly less late reply to your message, which arrived
shortly after my Christmas break had begun.

>To me this sounds like an ideal moment to follow through on the plans
>made earlier. Is there a final requirements list?

No. I believe we reached agreement on all but a couple of the criteria,
but the chairs' attempts to bring about a meaningful discussion about
quantifying degrees of rigidity/wiggle room were unsuccessful at that time
(mid-October). We did not also reach agreement on requirements for
hardware. See my messages:

>Is there a date when
>the list of curves to evaluate will be stable?
>What will be the deadline
>for comparing performance of arithmetic in different prime fields and
>comparing performance of arithmetic on different curve shapes? What
>will be the deadline for quantifying wiggle room in generation

It doesn't seem to be working in that mechanistic way, I'm afraid, even
though it would have been my preferred approach. Rather, we tried a
structured, requirements-driven approach, and I think it's fair to say
that, while we made progress and found some common ground, we did not
reach complete agreement on a set of requirements (more succinctly: we
failed). The chairs (actually, me) called for a discussion of the
remaining points of contention around requirements, namely hardware
requirements and quantifying wiggle room.

We had a long thread on the former, which degenerated into a discussion
about special primes versus random primes, belatedly resulting in my
message (
in which I wrote that:

"I think that we should focus in the immediate future on selecting curves
for special primes for recommendation to the TLS".

No-one objected to this message, as far as I recall from the subsequent
discussions, so I consider that issue settled for the purposes of our
current task. I consider it to be a corollary of this that are no
particular hardware considerations for us to take into account, beyond the
obvious ones with which we started.

Concerning the latter ("quantifying wiggle room"): there was no on-list
discussion that I saw after my message. I understand that it's a delicate
task and that everyone may have had many other things to work on with
higher priority (indeed we are all part-timers here, despite the volume of
messages that may suggest the contrary).

Meanwhile, events have moved on, and, from late November, we (the CFRG
chairs) started to receive messages from our superiors in IRTF and IETF,
namely the IRTF chair (Lars Eggert) and one of the IETF Security Area
Directors (Stephen Farrell) asking us to try to move things more rapidly
towards a conclusion.

When the MGN proposal was put forward, it seemed to the chairs that it
represented a reasonable basis for discussion that, with fine tuning as ,
could meet with the approval of the group.

>We will not get optimal results by tweaking one meta proposal when
>creating a meta proposal was not the original mission and there has
>been very little discussion about requirements for meta proposals
>while we discussed requirements for curves.

Point taken. But when the original mission fails and the external clock is
ticking, it is surely time to try something else. And the particular
curves that are produced by the (tweaked) meta proposal that is currently
on the table seem to meet all of our agreed security requirements and have
reasonable-to-execllent performance to boot.

> We will not receive
>transparency by engaging in horse trading.
>'Compromise' is a word that should be banned from this discussion; we
>already have (potentially) compromised curves!

That's indeed an unfortunate collision! However, I think we know what we
mean when we say "compromise" here.

>> I'd be grateful if the folks from the MGN team could say more on the
>> why they chose this particular prime, and give some insight into the
>> performance impact of choosing it over near neighbours such as 2^389-21.
>> Others should chime in too - for example, people should feel free to
>> repeat performance numbers from earlier in our discussions (they are out
>> there in the archive somewhere!).
>> Please let's collaborate and see if we can swiftly resolve whether there
>> is a significant performance impact or not.
>I think a competition has more to offer than a 'collaboration' where
>parties get more influence by having more people send emails to the list.

1. This process has never been a competition, in the AES or SHA-3 sense.
It was not set up that way, and it was not intended to run as such. Maybe
people really are under that misapprehension - it would certainly explain
some of the behaviour and petty point scoring that I've seen on the list.

2. If you want to make an accusation that specific parties have been
"DoSing the list" then I think you need to be more specific than this. You
can direct your comments to the chairs or to Lars Eggert off list if you

>What should count are the merits of papers, implementations, and internet
>drafts so that proposals get more influence by being objectively better.

I could not agree more. But what what you have to remember, I think, is
that no single party or group has a monopoly on papers or implementations
in this area. While no-one doubts the high value of the contributions that
you and your co-authors have made over a period of many years to the
development of "modern ECC", there are now plenty of other people who have
learned from and built upon your work.

>So, I would very much like to support what Kenny said:
>> Let's get past instinct to hard numbers.
>... but I think this needs clear requirements, deadlines etc.

And I'll repeat what I wrote above, in short form: we tried to extract
requirements, and while we made progress, we did not complete even this
initial task satisfactorily. I am not apportioning blame for that, and I
will happily take my share of it (and, believe me, some people have been
quick to e-mail me off-list to tell me exactly what my due share of it

More to follow in the coming days on deadlines and process.