Re: [Cfrg] should the CFRG really strive for consensus?

Yoav Nir <> Wed, 31 December 2014 17:15 UTC

From: Yoav Nir <>
Date: Wed, 31 Dec 2014 19:15:15 +0200
To: Rich Salz <>
Cc: Adam Langley <>, "" <>
Subject: Re: [Cfrg] should the CFRG really strive for consensus?

> On Dec 31, 2014, at 6:29 PM, Salz, Rich <> wrote:
>> IRTF groups do not, technically, have to reach consensus. However, everyone does have to function on the same Internet at the end of the day.
> Neither does the IETF.  As I recall, the phrase is rough consensus.  At least as regards X25519, I think it's pretty obvious that Microsoft is in the rough.

The consensus process is pretty terrible at choosing between two or more non-horrible alternatives. It’s fairly easy for relatively small groups to block consensus.

When it works, the consensus process produces the best solution that won’t get a group of participants to say, “This sucks, we’re taking our ball and going home.” In our terms that would be Microsoft declaring that the product of this process is not going into Explorer and IIS.

Compare the process for the ChaCha20+Poly1305 draft. We submitted it, there were several suggestions for improving the text, one suggestion to improve the construction, which was accepted, and a couple of suggestions to modify the base algorithms that were not accepted and no big arguments came out of it. Contributions included better text, pseudo-code, links to research papers about the algorithms, and a more thorough set of test vectors. The group made the document better until there was consensus that it was done.

If the only proposal before CFRG was Curve25519, the process would be the same. I think the extra proposals caught the chairs by surprise. But regardless, it exposed how bad the consensus process is at choosing. For extra fun, see two similar cases at the IETF in the IPsecME working group.

And now I should add a sentence that starts with, “And the key to fixing this is…”, but I can’t. As long as we all want to interoperate on the same Internet, and as long as we don’t have any formal authority (the way NIST does), we are forced to do our best to avoid people “taking their ball and going home”. I don’t know how to fix this.