Minutes IETF109: cfrg
CFRG Meeting at IETF 109
Date: Tuesday, November 17, 2020
Time: 05:00-07:00 UTC (12:00-14:00 UTC+7)
Notes: https://codimd.ietf.org/notes-ietf-109-cfrg
Chairs: Alexey Melnikov, Nick Sullivan, Stanislav Smyshlyaev
Stanislav presented the CFRG document status.
OPAQUE (15+5; Christopher Wood)
Christopher Patton: who initiates the AKE?
Christopher Wood: information from the client is needed first, so 3 round trips.
Stanislav: during the PAKE selection process we had many security reviews.
Are any security proofs needed?
Christopher: No, design decisions made earlier make this easier, such as
removing need for key-committing AEADs. But additional analysis may be needed
for new instantiations (such as TLS 1.3 with Exported Authenticator integration)
CPace (10+5; Bjoern Haase)
Stanislav: are there any ideas for integrating CPace with some of the IETF
Bjoern: there is some interest from TLS, but no draft yet.
Ristretto+Decaf (15+5, Henry de Valence)
Stanislav: can you remind the chairs what the next steps for the draft are next week?
Bjoern: do you plan to synchronize the hash-to-curve algorithm with CFRG's
Henry: it is important for us to keep backward compatibility. Can hash-to-curve
be used in such mode?
Christopher Wood: we basically do what you suggest. We specify
hash-to-ristretto255 and hash-to-decaf448 using the ristretto/decaf maps.
AEAD limits (5+5, Martin Thomson)
Dan: is your SIV analysis for SIV-GCM specifically or SIV generically?
Martin: it is for SIV-GCM.
Yoav Nir [jabber]: Can you provide advice on “how many Gbs I can use this AEAD
with?” RFC 5297 discusses this question in the same way that RFC 5119 discusses
GCM/CCM. But that is not satisfactory, hence this draft. I suggest looking at
the SIV paper https://web.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Martin: unfortunately not that simple, as this depends on message sizes and
number of messages.
VOPRFs (10+5, Armando Faz Hernandez)
Secure Crypto Config (10+5, Kai Mindermann)
Ekr: thank you for the presentation; having some secure defaults sounds like a
good idea. I am less optimistic about machine-readable and self-updating looks
Rich: Red Hat is doing lots of work on crypto profiles. It might be worth
Stanislav (responding to jabber comments): SPAKE2 predates the PAKE selection and
it is needed by an IETF WG (Kitten). The document now has a disclaimer explaining
why it is being published.