Re: [Cfrg] (on Algebraic Eraser) Re: Meeting notes

Nico Williams <nico@cryptonector.com> Mon, 30 March 2015 18:45 UTC

Date: Mon, 30 Mar 2015 13:44:54 -0500
From: Nico Williams <nico@cryptonector.com>
To: Rene Struik <rstruik.ext@gmail.com>
Message-ID: <20150330184453.GP10960@localhost>
References: <CAHOTMVKUyNsA7ux4epk8LwR0w0Eh7dh0G3xTXB3O9m8jQPS3EQ@mail.gmail.com> <0C65868C-1725-4B32-A562-62C9DF36A956@gmail.com> <c65696d44c65b12478532bcb01fb2ef3.squirrel@mail2.ihtfp.org> <94D99ECB-98CA-4D25-897D-BA4BA8178409@gmail.com> <87y4mhtf5a.fsf@alice.fifthhorseman.net> <F7CF0AB9-4F3E-4FD4-B4D2-2F5172CB4BF2@gmail.com> <20150330104505.GA11195@LK-Perkele-VII> <55194E56.3030509@gmail.com> <20150330164957.GM10960@localhost> <55198F35.2020005@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/pxW8dxkZhQHCmuUrMb9YtTRqMyY>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] (on Algebraic Eraser) Re: Meeting notes

On Mon, Mar 30, 2015 at 02:00:21PM -0400, Rene Struik wrote:
> Perhaps. However, please start a new topic thread then. {with

Subject: Re: [Cfrg] (on Algebraic Eraser) Re:  Meeting notes
                     ^^^^^^^^^^^^^^^^^^^       ^^^^^^^^^^^^^

If parameter generation is not to be discussed in this thread (it
certainly came up during the meeting whose notes we're discussing), what
is?  According to whom?

> hopefully carefully contemplated thoughts, rather than twitter-like
> trigger-happy traffic}

The observation that AE might require careful parameter generation
ceremonies had to come before (or with) any proposals for specific
ceremony procedures, and it seems like a critical aspect of AE
application to many possible use-cases.  It's not "twitter-like" to say
so.

(As if, too, twitterings could never be meaningful, important, pithy,
valuable, ...  That seems like a middle-school insult, which, as you can
see, we're all capable of.  Better just not get started. :)

AE's TTP backdoor makes it difficult to conceive of a believable
ceremony, particularly one that will be believed decades after the fact.

Part of the problem is social/political.  So far all sketches of such a
ceremony that I can come up with are mainly about using hardware so
simple that various participants can verify that there are no covert
channels of any sort via which the seed could be communicated to anyone
during or after the ceremony.  The "after" part is trivial: incinerate
the hardware in place, dynamiting it if need be.  The "during" part is
really difficult, and leads me to suggest using 8-bit hardware from the
early 80s.  But really, it's a hard problem, and not in the crypto
sense.

It'd be more productive to find use-cases where the backdoor-capable TTP
is either desirable or not fatal.  For IoT, per-household user-generated
parameters seem utterly acceptable.  Derek suggested (at the meeting)
that a backdoor-capable TTP might be acceptable for DNS root keys, and I
don't yet disagree[*].

[*] I would prefer to ensure that there is no backdoor, and that use of
    the root key be auditable in any case.  But I also tend to think
    that CT for DNSSEC may work well enough.  It's much too soon to tell
    though, which is why I don't yet take a position.

Nico
--