RE: [W3C Web Crypto WG] CfC : Call for Consensus on the integration of curve25519 in WG deliverables (please vote until the 26th of August)

-1
I strongly object to this Call for Consensus being put before the Working Group at this time.  I have three reasons for objecting to this call as premature:

  1.  The Curve25519 proposal that has been submitted is not a proposal to add a new elliptic curve for use with any elliptic curve algorithm but rather a proposal to add a new key agreement algorithm using a new black-box function that wraps a new elliptic curve which must be used in Montgomery form.  Additionally, the import and export key routines require Montgomery-form elliptic curve points using only the X coordinate which differs from all other existing elliptic curve implementations in use today.  The proposal inherits these Montgomery-form restrictions from the original Curve25519 paper (which did the same thing).

While this working group has not discussed any of the problems related to Montgomery-form curves, there has been extensive discussion and debate on the CFRG list of this issue. No other curve submitted to CFRG for consideration has been specified in Montgomery form, not even the other curves proposed by Dan Bernstein, and in order to use the elliptic curve underlying the Curve25519 black-box function for other elliptic curve algorithms (such as ECDSA) it is first necessary to transform the curve into another curve form entirely and implement curve arithmetic for that form too.  Over on the CFRG list I and others have raised significant objections to requiring implementers additionally to implement Montgomery-form curve arithmetic solely for use by the Curve25519 black-box function for a key agreement algorithm.  This working group needs to fully discuss the pros and cons of accepting a proposal that mandates adding Montgomery-form elliptic curve support to compliant implementations before actually doing so.

  2.  Related to Point 1, this working group has also not adequately debated the issue of specifying new elliptic curves as new algorithms, as is done in this proposal, instead of as algorithm parameters as is more commonly done.  As I wrote yesterday, I have not yet seen any strong arguments for doing so.  Instead of specifying a new key agreement algorithm mandating use of Montgomery-form elliptic curve arithmetic, the proposal could have alternatively simply specified the elliptic curve underlying the Curve25519 black-box Diffie-Hellman function in twisted Edwards form and used it with our existing elliptic curve algorithms.

  3.  The working group has not yet made a decision concerning my proposal to add the NUMS curves to the main specification, a proposal which was submitted on time per Virginie's original schedule.  Until a decision is made about that proposal, this working group should not be making any decisions about subsequent proposals that were not submitted in a timely fashion.
--bal

From: GALINDO Virginie [mailto:Virginie.Galindo@gemalto.com]
Sent: Monday, August 25, 2014 8:32 AM
To: public-webcrypto@w3.org
Cc: webcrypto@trevp.net; hhalpin@w3.org; Wendy Seltzer
Subject: [W3C Web Crypto WG] CfC : Call for Consensus on the integration of curve25519 in WG deliverables (please vote until the 26th of August)

Hi all,
This is a kind reminder that this thread is still live until tomorrow. If you have some opinion to give, it is now.
There was already an objection to that resolution [1], but this is not a reason for not answering it. Any feedback will help the chair to evaluate endorsement/rejection/alternative to that resolution.
Regards,
Virginie

[1] http://lists.w3.org/Archives/Public/public-webcrypto/2014Aug/0107.html


From: GALINDO Virginie [mailto:Virginie.Galindo@gemalto.com]
Sent: Tuesday, 12 August 2014 15:22
To: public-webcrypto@w3.org
Cc: webcrypto@trevp.net; hhalpin@w3.org; Wendy Seltzer
Subject: [W3C Web Crypto WG] CfC : Call for Consensus on the integration of curve25519 in WG deliverables (please vote until the 26th of August)

Dear all,

I would like to call for consensus on the way we will move forward with the contribution provided by Trevor Perrin describing Curve25519 operation [1]. We discussed several options and I would like to submit the following resolution to your vote.

Proposed resolution : the WG agrees on the principle that Curve25519 will be added to Web Crypto WG deliverables as an extension to the Web Crypto API specification. An extension being here a separate specification having its own Recommendation Track.

Deadline : votes have to be expressed by the 26th of August, 23:59 UTC
Guideline for voting : reply to all to this mail, indicating +1 if you agree with the resolution, -1 if you object, 0 if you can live with it. While silence means implicit endorsement of the resolution, explicit expression of vote is encouraged, to help the chair measure the enthusiasm of the WG participants.

Note the following additional information :

- This extension will be used as a beta test for the extensibility mechanism that we need to address as raised in bug 25618

- The proposed editor is Trevor, as long as Trevor agrees to maintain the document

- This resolution does not imply that the draft submitted by Trevor is endorsed in its current state, as the WG did not have a chance to discuss the content. The discussion about that content can be conducted over the mailing list, or during a dedicated call, where we will invite Trevor.

Have a great week !
Virginie
Chair of the Web Crypto WG

[1] http://lists.w3.org/Archives/Public/public-webcrypto/2014Aug/0064.html

________________________________
This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.

Received on Tuesday, 26 August 2014 12:45:52 UTC