Minutes interim-2020-cfrg-01: Wed 09:00
CFRG Interim Meeting
Wednesday, April 22, 2020
16:00 - 17:30 UTC, Virtual
Kenny Patterson stepped down as chair, replaced by Stanislav Smyshlyaev
New shepherd needed for SPAKE2
CPace (Björn Haase) and OPAQUE (Hugo Krawczyk) selected
Need to create document "Recommendations for password-based authenticated key
establishment in IETF protocols"
Question from chairs: one or two documents?
Russ Housley: Support for option 2.
Vasily Dolmatov: If we select option two there should be cross pointers between
the two documents, and guidance for which to select.
Yoav Nir: Are these documents defining the protocols, or just the
recommendations?
Stanislav Smyshlyaev: Define the protocols in these documents.
Yoav Nir: Then two documents.
Yaron Sheffer: 2 documents so it can be made clear which IPR concerns apply to
which document.
Daniel Migault: 3 documents - one general, two specific.
Stanislav Smyshlyaev: We'll take all of this to the mailing list.
No support for option 1 (one document).
Oleg Taraskin (OT) - Approaches to the problem of making PAKEs quantum-safe:
Scott Fluhrer (SF): Does the security reduce to the SIDH problem?
OT: We have an incomplete proof, we're working on it.
SF: This is not the only proposed PQ PAKE. We need another competition to
select one.
Björn Haase (BH): Please compare the computational efficiency to other
schemes, e.g. lattice based schemes.
OT: 10X length messages, but more performance. We have broken other schemes in
the past.
BH: OPRF construction needed for OPAQUE is DH based, and thus not PQ-safe. Are
you aware of any other construction that can replace the DH part of OPRF?
OT: No.
Uri Blumenthal (UB): I support Oleg's work.
Phillip Hallam-Baker (PHB) - Threshold Modes for ECDH Algorithms:
Chelsea Komlo: FROST draft - there are some differences - what are the use
cases beyond the mathematical mesh - in other schemes there are untrusted
modes for example.
PHB: I am open to other use cases.
UB: Are there any concerns about quantum-resistance?
PHB: No, this is just as secure as the EC things it's based on. None of the PQ
schemes are mature enough for us to consider a post-quantum secure version.
Scott Fluhrer - Additional stateful hash based signature parameters:
John Mattsson - Deterministic ECDSA and EdDSA Signatures with Additional
PHB: The threshold work I propose has the same effect. If both go ahead, we're
going to need to coordinate.
JM: I don't think it's a very good solution for IoT because it involves some
more multiplications.
BH: Are you aware of any paper that describes the effectiveness of the zero
padding?
JM: Yes, [...] moving the message into the next hash invocation fixes all
their attacks.
SF: [Put the input somewhere else, hard to hear]
JH: No objections
BH: Follow up to SF. One should try and avoid injecting the secret several
times into the hash function, because it might make side channel attacks even
worse. Hash operations might be quite costly on side channel hardened hardware.
Rene Struik: Why does CFRG want to provide the details of an ephemeral key
generation? CFRG has almost zero expertise in side-channel management.
SS: I support this work, and we do have some experts, and CFRG is the right
place.
BH: +1 to SS
RS: Deterministic bad. Need new codepoints to fix the problem. COSE etc.
pointing it [RFC 8032] should never have reached the finish line.
Watson Ladd: We should not change code point. Introduces interop problems.
Current devices would need to support both.
RS: IETF always mentions algorithm agility, but whenever changes are proposed
current install base is mentioned. We should have a diediedie document and fix
the issues.
RS: How do you submit errata for the IRTF?
AM: Goes to the IRSG.
PHB: Unicorn data fingerprint: Message digest fingerprints in base32 with an
algorithm identifier. Has developed and added features, might now fall under
CFRG remit.
AM: Send an email to the chairs. We'll follow up.
Colin Perkins: There are a bunch of errata that still need to be verified.
Look out for those in the coming weeks.