CFRG Minutes - IETF 102 - Montreal

Chair - Alexey Melnikov, Kenny Paterson
Notes - Joe Salowey

- Prelude - Alexey

Alexey: Kenny not present. CFRG is looking for a third chair.
Alexey: Chairs need to follow up on PKEX and several other drafts

- Hashing to Elliptic Curves - Chris Wood

Stephen Farrell: Options cause confusion, can we get rid of options?
Chris: Start with survey of design space, then set one set for each case
Stephen: That would be good to limit options
Rob: Reference implementation is good idea

- VRF (Verifiable Random Function) - Leo Reyzin

Seeking feedback for several items listed in slides

Stanislav: Good work. Draft has improved. VRF security more strict than signatures. Move hash based signature ideas to VRFs?
Leo: Heard about lattice-based VRFs, but not hash based signatures
Chris Wood: converge on hash2curve with hash2curve
Leo: Can define a ciphersuite to account for discrepancies
Harkins (Jabber): Is it possible to make this generic?
Leo: For specific curves you have to do different things
Robin Wilton: Can you specify an offset for the hash?
Stanislav: What applications are VRF used for?
Leo: Algorand and NSEC5 amongst others
Stanislav: Happy to provide review

- Randomness - Stanislav

David McGrew: Analysis assumption that signature of Tag 1 is not available to attacker. May not always be the case. Should be noted in document.
Stanislav: Yes, should be noted in security considerations under what conditions security is maintained. New draft before IETF-103

- OPAQUE - Hugo Krawczyk (HK)

Chris Wood (CW): Is OPRF the same?
HK: Exponential vs multiplicative
CW: Which protocols?
HK: KCI type protocols
CW: Some drafts in TLS WG
Stanislav: Should not use the same private key with different servers
Hugo: Private key is transient so no need to use with multiple servers
Stanislav: Should document this, in order to avoid "naive" implementations
Bob Moskowitz: Link to draft didn't work?
HK: Try PDF link, it works
Dave McGrew: Should talk to Richard Barnes. Secure password protocols are a meaningful improvement.
Sharon: Notation inconsistencies. Should converge notation for CFRG between all RG.

- Kangaroo Twelve - Benoit Viguier

Stanislav: Bringing this to ISO? They are working on hash functions.
Benoit: Did not know about that.