Re: [Cfrg] draft-ladd-safecurves-02

"Dan Harkins" <dharkins@lounge.org> Tue, 14 January 2014 22:30 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7A2A1AE2C9 for <cfrg@ietfa.amsl.com>; Tue, 14 Jan 2014 14:30:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.867
X-Spam-Level:
X-Spam-Status: No, score=-3.867 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tyhQM-zCjvLa for <cfrg@ietfa.amsl.com>; Tue, 14 Jan 2014 14:30:15 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id F0A291AE2C4 for <cfrg@irtf.org>; Tue, 14 Jan 2014 14:30:14 -0800 (PST)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 914A2A888012; Tue, 14 Jan 2014 14:29:57 -0800 (PST)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Tue, 14 Jan 2014 14:29:57 -0800 (PST)
Message-ID: <600e4d4321e2c2a35a472788785e27b1.squirrel@www.trepanning.net>
In-Reply-To: <CACsn0c=VcFfkk7C=ywJ2ajq3yfv4DgxVj-kRA2RBakp4wSmR3Q@mail.gmail.com>
References: <20140111003703.6111382.10153.8425@certicom.com> <52D17058.1050200@akr.io> <592EE701-2C57-45B0-B8DA-F96B5C95B51C@vpnc.org> <52D5A6B5.5030009@cisco.com> <CACsn0c=VcFfkk7C=ywJ2ajq3yfv4DgxVj-kRA2RBakp4wSmR3Q@mail.gmail.com>
Date: Tue, 14 Jan 2014 14:29:57 -0800 (PST)
From: "Dan Harkins" <dharkins@lounge.org>
To: "Watson Ladd" <watsonbladd@gmail.com>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: David McGrew <mcgrew@cisco.com>, "cfrg@irtf.org CFRG" <cfrg@irtf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [Cfrg] draft-ladd-safecurves-02
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jan 2014 22:30:17 -0000

On Tue, January 14, 2014 1:24 pm, Watson Ladd wrote:
> On Tue, Jan 14, 2014 at 1:05 PM, David McGrew <mcgrew@cisco.com> wrote:
>> On 01/11/2014 11:39 AM, Paul Hoffman wrote:
>>>
>>> On Jan 11, 2014, at 8:24 AM, Alyssa Rowan <akr@akr.io> wrote:
>>>
>>>> Agreed there. That's a temporary slot, there for the draft, I believe,
>>>> but the final reference should I think be more like:
>>>>
>>>> 7. References
>>>>
>>>>     [SAFECURVES] Daniel J. Bernstein and Tanja Lange. SafeCurves:
>>>>     choosing safe curves for elliptic-curve cryptography.
>>>>     <http://safecurves.cr.yp.to>, accessed 11 November 2014.
>>>>
>>>>     [EFD] Daniel J. Bernstein and Tanja Lange. Explict-Formulas
>>>>     Database, Genus-1 curves over large-characteristic fields.
>>>>     <http://www.hyperelliptic.org/EFD/g1p/>, accessed
>>>>     11 November 2014.
>>>
>>> Published academic papers would be *much* more useful than web sites
>>> that
>>> can change.
>>>
>>> References in RFCs are not there to prove that the RFC authors did
>>> their
>>> homework; they are there to help readers assess the validity of
>>> statements
>>> in the document. When someone reads this RFC 15 years from now, the
>>> contents
>>> of http://safecurves.cr.yp.to will very likely be more up to date,
>>> possibly
>>> in a way that negates some of what is said in the document. A reader of
>>> the
>>> RFC at that point should decide not to implement because of the
>>> disagreement
>>> between the RFC and the reference; that would be bad.
>
> Possibly not: if a new attack is discovered that safecurves.cr.yp.to
> tells the world about
> before we catch up, it would be great if someone doesn't implement
> because of that.

  There are a number of reasons (left unsaid to prevent this thread from
derailing) that safecurves.cr.yp.to might not even exist as a website
in 15 years. An reference that says a web page was "accessed on"  some
date is not acceptable.

>>
>> Plus one; this is an important point.
>
> And is addressed in the latest draft. (Not yet posted)
>
> Much more substantive is the desire for material on the lines of RFC
> 6090 to be added: that will take considerably
> longer than anticipated. But we have to wait for OIDs anyway.

  Your draft is really part RFC 6090 and part RFC 5639. You need to
explain the math background (which is different than that in RFC 6090),
the requirements that resulted in the groups being generated, and the
parameters that define the groups. Then you need to define the complete
domain parameter sets, list the OIDs that refer to them, and a set of test
vectors for each group-- suggest just doing an Alice and Bob ECDH
exchange.

  A section on why Joe Random should select these curves for his
implementation would be most helpful.

  Dan.