CFRG Meeting at IETF 109

Date: Tuesday, November 17, 2020
Time: 05:00-07:00 UTC (or 12:00-14:30 UTC+7)
Meetecho: https://meetings.conf.meetecho.com/ietf109/?group=cfrg&short=&item=1
Jabber: cfrg@jabber.ietf.org
Notes: https://codimd.ietf.org/notes-ietf-109-cfrg

Chairs:
Alexey Melnikov <alexey.melnikov@isode.com>
Nick Sullivan <nick@cloudflare.com>
Stanislav Smyshlyaev <smyshsv@gmail.com>

MINUTES

CFRG Update
Stanislav talks about CFRG document status.

OPAQUE (15+5; Christopher Wood)
Christopher Patton: Who initiates the AKE?
Christopher: Information from the client is needed first. So 3 round trips.
Stanislav: During the PAKE selection process we had many security reviews. Are any security proofs needed?
Christopher: No, design decisions made earlier make this easier, such as removing the need for key-committing AEADs. But additional analysis may be needed for new instantiations (such as TLS 1.3 with Exported Authenticator integration).

CPace (10+5; Bjoern Haase)
Stanislav: Are there any ideas for integration of CPace with some of the IETF protocols?
Bjoern: There is some interest from TLS, but no draft yet.

Ristretto+Decaf (15+5; Henry de Valence)
Stanislav: Can you remind the chairs what the next steps for the draft are next week?
Bjoern: Do you plan to synchronize the hash-to-curve algorithm with CFRG's hash-to-curve draft?
Henry: It is important for us to keep backward compatibility. Can hash-to-curve be used in such a mode?
Christopher Wood: We basically do what you suggest. We specify hash-to-ristretto255 and hash-to-decaf448 using the ristretto/decaf maps.

AEAD limits (5+5; Martin Thomson)
Dan: Is your SIV analysis for SIV-GCM specifically or SIV generically?
Martin: It is for SIV-GCM.
Yoav Nir [jabber]: Can you provide advice on "how many Gbs I can use this AEAD with?" RFC 5297 discusses this question in the same way that RFC 5119 discusses GCM/CCM. But that is not satisfactory, hence this draft. I suggest looking at the SIV paper: https://web.cs.ucdavis.edu/~rogaway/papers/keywrap.pdf
Martin: Unfortunately not that simple, as this depends on message sizes and the number of messages.

VOPRFs (10+5; Armando Faz Hernandez)

Secure Crypto Config (10+5; Kai Mindermann)
Ekr: Thank you for the presentation; having some secure defaults sounds like a good idea. I am less optimistic about machine readable, and self updating looks problematic.
Rich: Red Hat is doing lots of work on crypto profiles. It might be worth reviewing this.

AOB
Stanislav (responding to jabber comments): SPAKE2 predates the PAKE selection and it is needed by one of the IETF WGs (Kitten). The document now has a disclaimer explaining why it is being published.