Minutes IETF102: cfrg

Meeting Minutes Crypto Forum (cfrg) RG
Last updated 2018-09-04

CFRG Minutes - IETF 102 - Montreal
Chair - Alexey Melnikov, Kenny Paterson
Notes - Joe Salowey

- Prelude - Alexey

Alexey: Kenny not present.  CFRG is looking for a third chair.
Alexey: Chairs need to follow up on PKEX and several other drafts

- Hashing to Elliptic Curves - Chris Wood

Stephen Farrell: Options cause confusion, can we get rid of options?
Chris: Start with survey of design space, then set one set for each case
Stephen: That would be good to limit options
Rob: Reference implementation is a good idea

- VRF (Verifiable Random Function) - Leo Reyzin

Seeking feedback for several items listed in slides

Stanislav: Good work.  Draft has improved.  VRF security more strict than
signatures.  Move hash-based signature ideas to VRFs?
Leo: Heard about lattice-based VRFs, but not hash-based signatures

Chris Wood: converge on hash2curve with hash2curve
Leo: Can define a ciphersuite to account for discrepancies
Harkins (Jabber): Is it possible to make this generic?
Leo: For specific curves you have to do different things
Robin Wilton: Can you specify an offset for the hash?
Stanislav:  What applications are VRF used for?
Leo: Algorand and NSEC5 amongst others
Stanislav: Happy to provide review

- Randomness - Stanislav

David McGrew: Analysis assumption that signature of Tag 1 is not available to
attacker.  May not always be the case.  Should be noted in document.
Stanislav: Yes, should be noted in security considerations under what conditions
security is maintained.

New draft before IETF-103

- OPAQUE - Hugo Krawczyk (HK)

Chris Wood (CW): Is OPRF the same?
HK: Exponential vs multiplicative
CW: Which protocols?
HK: KCI type protocols
CW: Some drafts in TLS WG

Stanislav: Should not use the same private key with different servers
Hugo: Private key is transient so no need to use with multiple servers
Stanislav: Should document this, in order to avoid "naive" implementations

Bob Moskowitz: Link to draft didn't work?
HK: Try PDF link, it works

Dave McGrew: Should talk to Richard Barnes.  Secure password protocols are a
meaningful improvement.

Sharon: Notation inconsistencies.  Should converge notation for CFRG between
all RG.

- Kangaroo Twelve - Benoit Viguier

Stanislav: Bringing this to ISO? They are working on hash functions.
Benoit: Did not know about that.