Minutes IETF109: cfrg
minutes-109-cfrg-00

CFRG Meeting at IETF 109

Date: Tuesday, November 17, 2020
Time: 05:00-07:00 UTC (or 12:00-14:30 UTC+7)
Meetecho: https://meetings.conf.meetecho.com/ietf109/?group=cfrg&short=&item=1
Jabber: cfrg@jabber.ietf.org
Notes: https://codimd.ietf.org/notes-ietf-109-cfrg

Chairs
Alexey Melnikov alexey.melnikov@isode.com
Nick Sullivan nick@cloudflare.com
Stanislav Smyshlyaev smyshsv@gmail.com

MINUTES
CFRG Update
Stanislav talks about CFRG document status

OPAQUE (15+5; Christopher Wood)
Christopher Patton: who initiates AKE?

Christopher: Information from the client is needed first. So 3 round trips.

Stanislav: during PAKE selection process we had many secyrity reviews.
Are any security proofs needed?

Christopher: No, design decisions made earlier make this easier, such as
removing need for key-committing AEADs. But additional analysis may be needed
for new instantiations (such as TLS 1.3 with Exported Authenticator integration)

CPace (10+5; Bjoern Haase)
Stanislav: are there any ideas of integration of CPace with some of IETF
procotols?

Bjorn: there is some interest from TLS, but no draft yet

Ristretto+Decaf (15+5, Henry de Valence)
Stanislav: can you remind chairs what is the next steps for the draft next week?

Bjorn: do you plan to synchronize hash-to-curve algorithm with CFRG’s
hash-to-curve draft?

Henry: it is important for us to keep backward compatibility. Can hash-to-curve
be used in such mode?

Christopher Wood: we basically do what you suggest. We specify
hash-to-ristretto255 and hash-to-decaf448 using the ristretto/decaf maps.

AEAD limits (5+5, Martin Thomson)
Dan: is your SIV analysis for SIV-GCM specifically or SIV generically?

Martin: it is for SIV-GCM.

Yoav Nir [jabber]: Can you provide advice on “how many Gbs I can use this AEAD
with?” RFC 5297 discusses this question in the same way that RFC 5119 discusses
GCM/CCM. But that is not satisfactory, hence this draft. I suggest looking at
the SIV paper https://web.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf

Martin: unfortunately not that simple, as this depends on message sizes and
number of messages.

VOPRFs (10+5, Armando Faz Hernandez)
Secure Crypto Config (10+5, Kai Mindermann)
Ekr: thank you for the presentation, having some secure defaults sounds like a
good idea. I am less optimistic about machine readable and self updating looks
problematic.

Rich: Redhat is doing lots of work on crypto profiles. It might be worth
reviewing this.

AOB
Stanislav (responding to jabber comments): SPAKE2 predates PAKE selection and
it is needed by one of IETF WG (Kitten). The document now has a disclaimer why
it is being published.