Minutes interim-2020-cfrg-01: Wed 09:00

Meeting Minutes Crypto Forum (cfrg) RG
Title Minutes interim-2020-cfrg-01: Wed 09:00
State Active
Other versions plain text
Last updated 2020-04-23

Meeting Minutes

CFRG Interim Meeting

Wednesday, April 22, 2020
16:00 - 17:30 UTC, Virtual


Kenny Patterson stepped down as chair, replaced by Stanislav Smyshlyaev
New shepherd needed for SPAKE2

PAKE Selection:
CPace (Björn Haase) and OPAQUE (Hugo Krawczyk) selected
Need to create document "Recommendations for password-based authenticated key
establishment in IETF protocols"

Question from chairs: one or two documents:
Russ Housley: Support for option 2
Vasily Dolmatov: If we select option two there should be cross pointers between
the two documents, and guidance for which to select. Yoav Nir: Are these
documents defining the protocols, or just the recommendations? Stanislav
Smyshlyaev: Define the protocols in these documents Yoav Nir: Then two
documents Yaron Sheffer: 2 documents so it can be made clear which IPR concerns
apply to which document Daniel Migault: 3 documents - one general, two
specific. Stanislav Smyshlyaev: We'll take all of this to the mailing list No
support for option 1 (one document)

Oleg Taraskin (OT) - Approaches to the problem of making PAKEs quantum-safe:
Scott Fluhrer (SF): Does the security reduce to the SIDH problem?
OT: We have an incomplete proof, we're working on it.
SF: This is not the only proposed PQ PAKE. We need another competition to
select one. Björn Haase (BH): Please compare the computational efficiency to
other schemes, e.g. lattice based schemes. OT: 10X length messages, but more
performance. We have broken other schemes in the past. BH: OPRF construction
needed for OPAQUE is DH based, and thus not PQ-safe. Are you aware of any other
construction that can replace the DH part of OPRF? OT: No. Uri Blumenthal (UB):
I support Oleg's work

Phillip Hallam-Baker (PHB) - Threshold Modes for ECDH Algorithms:
    Chelsea Komlo: FROST draft - there are some differences - what are the use
    cases beyond the mathematical mesh - in other schemes there are untrusted
    modes for example. PHB: I am open to other use cases. UB: Are there any
    concerns about quantum-resistance? PHB: No, this is just as secure as the
    EC things it's based on. None of the PQ schemes are mature enough for us to
    consider a post-quantum secure version.

Scott Fluhrer - Additional stateful hash based signature parameters:
    No questions

John Mattsson - Deterministic ECDSA and EdDSA Signatures with Additional
    PHB: The threshold work I propose has the same effect. If both go ahead,
    we're going to need to coordinate. JM: I don't think it's a very good
    solution for IoT because it involves some more multiplications. BH: Are you
    aware of any paper that describes the effectiveness of the zero padding?
    JM: Yes, [...] moving the message into the next hash invocation fixes all
    their attacks. SF: [Put the input somewhere else, hard to hear] JH: No
    objections BH: Follow up to SF. One should try and avoid injecting the
    secret several times into the hash function, because it might make side
    channel attacks even worse. Hash operations mighmt be quite costly on side
    channel hardened hardware. Rene Struik: Why does CFRG want to provide the
    details of an ephemeral key generation? CFRG has almost zero expertise in
    side-channel management. SS: I support this work, and we do have some
    experts, and CFRG is the right place BH: +1 to SS RS: Deterministic bad.
    Need new codepoints to fix the problem. COSE etc. pointing it [RFC 8032]
    should never have reached the finish line. Watson Ladd: We should not
    change code point.Introduces interop problems. Current devices would need
    to support both. RS: IETF always mentions algorithm agility, but whenever
    changes are proposed current install base is mentioned. We should have a
    diediedie document and fix the issues.

RS: How do you submit errata for the IRTF?
AM: Goes to the IRSG.
PHB: Unicorn data fingerprint: Message digest fingerprints in base32 with an
algorithm identifier. Has developed and added features, might now fall under
CFRG remit. AM: Send an email to the chairs. We'll follow up. Colin Perkins:
There are a bunch of errata that still need to be verified. Look out for those
in the coming weeks.