Re: [Cfrg] Mishandling twist attacks

"D. J. Bernstein" <djb@cr.yp.to> Wed, 31 December 2014 22:52 UTC

Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D26021A1A6D for <cfrg@ietfa.amsl.com>; Wed, 31 Dec 2014 14:52:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.896
X-Spam-Level: **
X-Spam-Status: No, score=2.896 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, UNPARSEABLE_RELAY=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dpMrIhK0KIzD for <cfrg@ietfa.amsl.com>; Wed, 31 Dec 2014 14:52:57 -0800 (PST)
Received: from calvin.win.tue.nl (calvin.win.tue.nl [131.155.70.11]) by ietfa.amsl.com (Postfix) with SMTP id 0B2031A1A51 for <cfrg@irtf.org>; Wed, 31 Dec 2014 14:52:56 -0800 (PST)
Received: (qmail 16567 invoked by uid 1017); 31 Dec 2014 22:53:16 -0000
Received: from unknown (unknown) by unknown with QMTP; 31 Dec 2014 22:53:16 -0000
Received: (qmail 26395 invoked by uid 1001); 31 Dec 2014 22:52:45 -0000
Date: 31 Dec 2014 22:52:45 -0000
Message-ID: <20141231225245.26393.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <D0C9ED09.3B226%kenny.paterson@rhul.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/cfrg/wmfgI2j76naOY03qlkZgNlPZt0Q
Subject: Re: [Cfrg] Mishandling twist attacks
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Dec 2014 22:52:59 -0000

Wow. Make a little "Night of the Living PinkBikeShed" joke and suddenly
the chairs go bonkers. :-)

For the record, it was never my intention to characterize Microsoft as a
company that supports zombies. Since PinkBikeShed is a curve that I had
found and publicly rejected a decade ago, and one where Microsoft's
support here didn't even last three weeks, I don't see how anyone could
possibly be offended by this small bit of humor in my message.

I also don't see how people who actually _read_ my message would agree
with the chairs' puzzling list of accusations (namely, that I'm making
"personal attacks"; imputing "motives to other CFRG participants"; using
"deliberately provocative language"; not taking a "professional" tone;
crossing "the line of acceptable behavior"; etc.). Of course, anyone who
_does_ see a problem anywhere in any of my CFRG messages is welcome to
discuss the details with me, in private or in public; but I would
suggest to everyone here---including the chairs---that the CFRG mailing
list should focus on technical issues rather than such side discussions.
My own message started with the relevant procedural background but was
almost entirely about the technical issues, and obviously my messages
overall are very close to 100% about the technical issues, despite the
chairs now (to my disappointment) dragging the percentage down.

I also don't expect my message to cause discussion out of proportion to
the importance of the underlying issues. The reason for the message, as
I said, is for the security advantages of Curve25519 over PinkBikeShed
to be clear for the public record. I don't see any actual technical
dispute remaining; perhaps there will be a few more messages in the
"Mishandling twist attacks" thread, but people who aren't interested can
easily disregard those messages. Of course, it's possible that some of
the related issues will be important for curves that are still on the
table; those issues can and should start new threads.

---Dan

P.S. Happy new year, everybody! Let's try to get the whole Internet
properly authenticated and encrypted in 2015.