CFRG Interim Meeting
Wednesday, April 22, 2020, 16:00 - 17:30 UTC, Virtual
Minutes

Kenny Paterson stepped down as chair, replaced by Stanislav Smyshlyaev.
New shepherd needed for SPAKE2.

PAKE Selection: CPace (Björn Haase) and OPAQUE (Hugo Krawczyk) selected.
Need to create document "Recommendations for password-based authenticated key establishment in IETF protocols".
Question from chairs: one or two documents?
Russ Housley: Support for option 2.
Vasily Dolmatov: If we select option two there should be cross pointers between the two documents, and guidance for which to select.
Yoav Nir: Are these documents defining the protocols, or just the recommendations?
Stanislav Smyshlyaev: Define the protocols in these documents.
Yoav Nir: Then two documents.
Yaron Sheffer: 2 documents so it can be made clear which IPR concerns apply to which document.
Daniel Migault: 3 documents - one general, two specific.
Stanislav Smyshlyaev: We'll take all of this to the mailing list.
No support for option 1 (one document).

Oleg Taraskin (OT) - Approaches to the problem of making PAKEs quantum-safe:
Scott Fluhrer (SF): Does the security reduce to the SIDH problem?
OT: We have an incomplete proof, we're working on it.
SF: This is not the only proposed PQ PAKE. We need another competition to select one.
Björn Haase (BH): Please compare the computational efficiency to other schemes, e.g. lattice based schemes.
OT: 10X length messages, but more performance. We have broken other schemes in the past.
BH: OPRF construction needed for OPAQUE is DH based, and thus not PQ-safe. Are you aware of any other construction that can replace the DH part of OPRF?
OT: No.
Uri Blumenthal (UB): I support Oleg's work.

Phillip Hallam-Baker (PHB) - Threshold Modes for ECDH Algorithms:
Chelsea Komlo: FROST draft - there are some differences - what are the use cases beyond the mathematical mesh - in other schemes there are untrusted modes for example.
PHB: I am open to other use cases.
UB: Are there any concerns about quantum-resistance?
PHB: No, this is just as secure as the EC things it's based on. None of the PQ schemes are mature enough for us to consider a post-quantum secure version.

Scott Fluhrer - Additional stateful hash based signature parameters:
No questions.

John Mattsson - Deterministic ECDSA and EdDSA Signatures with Additional Randomness:
PHB: The threshold work I propose has the same effect. If both go ahead, we're going to need to coordinate.
JM: I don't think it's a very good solution for IoT because it involves some more multiplications.
BH: Are you aware of any paper that describes the effectiveness of the zero padding?
JM: Yes, [...] moving the message into the next hash invocation fixes all their attacks.
SF: [Put the input somewhere else, hard to hear]
JH: No objections.
BH: Follow up to SF. One should try and avoid injecting the secret several times into the hash function, because it might make side channel attacks even worse. Hash operations might be quite costly on side channel hardened hardware.
Rene Struik: Why does CFRG want to provide the details of an ephemeral key generation? CFRG has almost zero expertise in side-channel management.
SS: I support this work, and we do have some experts, and CFRG is the right place.
BH: +1 to SS.
RS: Deterministic bad. Need new codepoints to fix the problem. COSE etc. pointing it [RFC 8032] should never have reached the finish line.
Watson Ladd: We should not change code point. Introduces interop problems. Current devices would need to support both.
RS: IETF always mentions algorithm agility, but whenever changes are proposed current install base is mentioned. We should have a diediedie document and fix the issues.

AOB
RS: How do you submit errata for the IRTF?
AM: Goes to the IRSG.
PHB: Unicorn data fingerprint: Message digest fingerprints in base32 with an algorithm identifier. Has developed and added features, might now fall under CFRG remit.
AM: Send an email to the chairs. We'll follow up.
Colin Perkins: There are a bunch of errata that still need to be verified. Look out for those in the coming weeks.