Re: [Cfrg] draft-black-rpgecc-00-.txt [was: Consensus and a way forward]

[Alyssa Rowan <akr@akr.io>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 27/11/2014 04:25, Benjamin Black wrote:

> Over the past couple of weeks we have been working with Adam
> Langley to see if we could find a compromise with which we could
> all live. I'm pleased to say we have been successful in
> accommodating our respective performance and trustworthy generation
> concerns, and I hope the resulting proposal will be attractive to
> others, as well. The generation procedure is document in a draft
> I've just posted that can be found at 
> http://www.ietf.org/id/draft-black-rpgecc-00.txt .

An interesting proposal (of course, not a consensus as Hannes has
pointed out, only a proposal representing a compromise between the
authors).

The IPR section in that draft is remarkably short: of course you
cannot patent numbers. (That's copyright's job. <g>) In order to
satisfy IP1 and IP2 requirements we're going to need more information
about the status of specific algorithms on those curves which people
will actually use. As Dan Brown's recent message should highlight, we
should evaluate the patent status and can't ignore it (unless we plan
on ignoring them for long enough that they go away, and in that case,
we need to know when!).

In order to evaluate the performance of simple and secure
implementations of algorithms over these curves, of course we are also
going to need safe, efficient implementations for those algorithms,
ideally available under a liberal licence so stakeholders can actually
use it (specifically I'm afraid Apache 2.0 won't do due to its licence
incompatibilities), which also satisfy our patent concerns. Do you
have such an implementation ready to publish that we can plug into
SUPERCOP?

As this is an exercise in transparency, which is the most important
thing that we hope to differentiate anything we produce from, say, the
NIST curves, kindly disclose onto this list all of the technical
discussions which have produced these compromise in criteria between
the authors (or, in the alternative, hold them here afresh and let's
see if they produce the same consensus). That is a discussion that I
feel should be properly held publicly here, and at the very least,
absolutely requires public documentation for posterity.

I note that if you run your algorithm on 2^521-1 you get E-521. If you
ran it on 2^255-19, why didn't you get the twisted Edwards form of
Curve25519? Kindly elucidate your objections to the same.

- -- 
/akr
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJUdstzAAoJEOyEjtkWi2t6PvAQAJ53cc/JJZsFyxkLOiU2VeVw
auM4TmktI85jRY0sytnVtbYKapgoZ4dS4nD3DVBLHNMhToS0M3khB9MuqY40xe4K
/JSm9NriaQhheEaCNzfEqbqMMs2E8Ycs3SLU9TZSbjzzo4vLot2YEWGhlPja0QyN
zQcBaikWzAqjJByCWpjAVd74l299+HS7W74AnbQk2n4J7MgEDzKPnPQ0KfZHp+N/
1GOwkgJ+yuaEIwopioUQ6pqIaQ9C+N17r9O9LtSO3yIK7iPgiS31RgR/zy34cPV8
UP82YO9WhVLJemIt2aQ/O4evl5TvwNgWBh+zQVmMyRDb3KSpnhJ5fmmeTjzRv4I8
aoM9Hg3BwjI2AN8XmGmfETycRFxaLK+pBdRcaJ0UtRmTUyN4n01eqns+cGFWYWnK
zN21G7m1dCSQBMHJwdnJZXAhpSwirMTU+UYE/UKp9dxwhYaN/3pv+eT6wu/rVEuO
IQ4cBvR7GxcreZwOX5X0P65ykYwmOZODphbaPXE54DwWkTl+YZkwzCfg/T8v1voC
TkKNRX//7H43fceqSFuKm0SJZEcyajDYAW50M/1vc7SLfhLS0m66490q0zs4edCj
cnCPjUdTkbDBonu/h8ioV6UBBpoEb1p6LgRs4I7OZc9dPvmG11UpTCSuObY0oKeX
LIVnyjgMv200PQWdVWkZ
=FSc+
-----END PGP SIGNATURE-----