Re: [Cfrg] Safecurves draft

Jon Callas <jon@callas.org> Thu, 09 January 2014 18:43 UTC

Return-Path: <jon@callas.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13F131AE50E for <cfrg@ietfa.amsl.com>; Thu, 9 Jan 2014 10:43:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CtmqZQtNezLZ for <cfrg@ietfa.amsl.com>; Thu, 9 Jan 2014 10:43:25 -0800 (PST)
Received: from mail.merrymeet.com (merrymeet.com [173.164.244.100]) by ietfa.amsl.com (Postfix) with ESMTP id 65ACB1AE50A for <cfrg@irtf.org>; Thu, 9 Jan 2014 10:43:25 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.merrymeet.com (Postfix) with ESMTP id 6D83B4AAEA2E for <cfrg@irtf.org>; Thu, 9 Jan 2014 10:43:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at merrymeet.com
Received: from mail.merrymeet.com ([127.0.0.1]) by localhost (merrymeet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F06tSIIn390J for <cfrg@irtf.org>; Thu, 9 Jan 2014 10:43:14 -0800 (PST)
Received: from keys.merrymeet.com (keys.merrymeet.com [173.164.244.97]) by mail.merrymeet.com (Postfix) with ESMTPSA id C14A74AAEA24 for <cfrg@irtf.org>; Thu, 9 Jan 2014 10:43:14 -0800 (PST)
Received: from [10.0.23.100] ([173.164.244.98]) by keys.merrymeet.com (PGP Universal service); Thu, 09 Jan 2014 10:43:14 -0800
X-PGP-Universal: processed; by keys.merrymeet.com on Thu, 09 Jan 2014 10:43:14 -0800
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Jon Callas <jon@callas.org>
In-Reply-To: <CACsn0ckufy9jfOXcMDA7WE+SzZUuuibucod8CkQeACnQam63-w@mail.gmail.com>
Date: Thu, 9 Jan 2014 10:43:14 -0800
Message-Id: <D186F1ED-DD2B-4A05-9E4C-617EA1249D24@callas.org>
References: <20140109031144.6111382.52184.8264@certicom.com> <20140109094731.GA12327@netbook.cypherspace.org> <CADMpkc+giuSZgrYmusRJmj5SyN9Dcu_Mdaqx5KQPyXGMmosFUw@mail.gmail.com> <CABqy+soXxjY+fEzpHP+_yn9Y1Xtapm_9OWbgDcA_J_Lukz_YLw@mail.gmail.com> <CADMpkcJFk2C5DPQX9RVWphUH25atsUX2vPA7RwNf8zbmR6dXJQ@mail.gmail.com> <CABqy+soX0xVWG0+vJs-_7O1Ur_hkDW0u0acCGZYrrtEci5QRXw@mail.gmail.com> <CADMpkcKptQrtXyaarkXiMpRyGmobEcywbTeTkkcb6uWB-yttwg@mail.gmail.com> <B29AD107-69D0-4EF5-9D5B-137C1E333AEA@shiftleft.org> <CACsn0ckufy9jfOXcMDA7WE+SzZUuuibucod8CkQeACnQam63-w@mail.gmail.com>
To: "cfrg@irtf.org" <cfrg@irtf.org>
X-Mailer: Apple Mail (2.1827)
X-PGP-Encoding-Format: Partitioned
X-PGP-Encoding-Version: 2.0.2
X-Content-PGP-Universal-Saved-Content-Transfer-Encoding: quoted-printable
X-Content-PGP-Universal-Saved-Content-Type: text/plain; charset=us-ascii
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: QUOTED-PRINTABLE
Subject: Re: [Cfrg] Safecurves draft
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jan 2014 18:43:27 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I concur that we shouldn't call it "safecurves" or anything like that. I think that definitely this needs to heed Paul Hoffman's advice on names coming back to bite us.

All crypto parameter sets have a lifespan where they're new and shiny, older and trusted, then kinda dodgy but accepted, and then outmoded or insecure. Each phase might be there for years or perhaps minutes. I've seen things go the entire lifecycle in an hour. We don't want the premature aging of one to tarnish the whole thing. Think about what you'd say when the Buzzfeed reporter calls you up for comment or background on their article "Ten Shocking Reasons Why SafeCurves are The Spawn of Satan" after a Eurocrypt paper has a new banana attack that shows a curve has ten fewer bits of security with 2^300 memory.

I also think there should be a quick set of names where we specify what's a Montgomery and what's Edwards. This is already needed and the reason why there's 25519 and Ed25519 in current parlance. If we *don't* do it here, then someone else will. It's too useful not to have it. 

You can have a table with common names and extended names and have the extended names have something simple like a suffix of M or E. It's easy to fit 25519 and Ed25519 into this as well.

	Jon






-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 3.2.0 (Build 1672)
Charset: us-ascii

wj8DBQFSzu3CsTedWZOD3gYRAvjQAJ9B7cbpze9iHhwEtb7V93IAuz2o3QCghrND
YuOdLybBrq7s0mdSfKRcbK8=
=uq7Y
-----END PGP SIGNATURE-----