From nobody Tue Feb  9 20:20:07 2021
From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 9 Feb 2021 20:19:50 -0800
Message-ID: <CACsn0ckmHtAMfmduBBbA0HQ9uxh4sZSP0PBc+GZcW6P=z+EXxg@mail.gmail.com>
To: Nick Sullivan <nick=40cloudflare.com@dmarc.ietf.org>
Cc: CFRG <cfrg@irtf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/wu3Mu5qBvkRu6D6BMhW3iWvo5NM>
Subject: Re: [CFRG] draft-irtf-cfrg-vrf-08 research group last call (RGLC)

On Tue, Feb 9, 2021 at 9:10 AM Nick Sullivan
<nick=40cloudflare.com@dmarc.ietf.org> wrote:
>
> Dear CFRG participants,
>
> The VRF draft has received significant reviews from the RG and the crypto panel and is ready for last call. This email commences a 2-week last call for this document that will end on February 23, 2021:
>
> https://datatracker.ietf.org/doc/draft-irtf-cfrg-vrf/

I have read the document and support publication.

My one textual comment is that typically implementation status is in a
section that says "Note to RFC editor: Remove before publication".

My one trivial substantive comment is that forcing recomputation by
the verifier of the points hashed to produce the challenge, rather
than having them hash the commitments to obtain the challenge and
verify the equations, prevents batching of verification. In
applications where multiple proofs are verified at once this is a big
improvement.

My serious substantive comment is that the formation of the
distinguisher string imposes limitations on the hash2curve registry as
the encoding is not injective. The anachronist in me suggests RS as a
way to split the different parts of the distinguisher. Hash points
seems to assume that the point format will be self-delineating. I
think this can be fixed as part of the last call comments.

Sincerely,
Watson Ladd

-- 
Astra mortemque praestare gradatim
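
The non-injective encoding raised in the message above, shown on constructed inputs. This is an added example, not part of the original email and not code from the draft: the suite identifiers and two-field layout are hypothetical, chosen so that one identifier is a prefix of the other. The length-prefixed variant goes beyond the RS suggestion in the message.

```python
import hashlib
import struct

RS = b"\x1e"  # ASCII Record Separator, the delimiter suggested in the message

def encode_concat(fields):
    """Bare concatenation: field boundaries are lost, so not injective."""
    return b"".join(fields)

def encode_rs(fields):
    """RS-delimited: injective for a fixed field count, provided no field
    can contain the RS byte, so that condition is enforced here."""
    for f in fields:
        if RS in f:
            raise ValueError("field contains RS; framing would be ambiguous")
    return RS.join(fields)

def encode_lp(fields):
    """2-byte big-endian length before each field: injective for any bytes."""
    out = bytearray()
    for f in fields:
        if len(f) > 0xFFFF:
            raise ValueError("field too long for a 2-byte length prefix")
        out += struct.pack(">H", len(f)) + f
    return bytes(out)

def decode_lp(blob):
    """Inverse of encode_lp; an exact inverse is what makes it injective."""
    fields, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from(">H", blob, i)
        i += 2
        if i + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[i:i + n])
        i += n
    return fields

# Constructed inputs (hypothetical identifiers, not real registry values).
A = [b"SUITE-1", b"0alpha"]
B = [b"SUITE-10", b"alpha"]

def digests_collide(encode):
    """True when two distinct field tuples hash to the same value."""
    return hashlib.sha256(encode(A)).digest() == hashlib.sha256(encode(B)).digest()
```

With bare concatenation both tuples encode to `SUITE-10alpha`, so `digests_collide(encode_concat)` is true, while either framed encoding keeps them distinct.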

