[Cfrg] Round 2 of the PAKE selection process

"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Wed, 20 November 2019 06:02 UTC

From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Date: Wed, 20 Nov 2019 09:01:46 +0300
Message-ID: <CAMr0u6nPQxO5X1Txoeh5X7jN=eHscRCBH0HJW=3tbqUdjn8N4Q@mail.gmail.com>
To: CFRG <cfrg@irtf.org>
Cc: cfrg-chairs@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/-a1sW3jK_5avmb98zmFbCNLmpAs>

Dear CFRG,

As we announced at the CFRG session today, we are now starting Round 2
of the PAKE selection process.

We have narrowed down the choices to two balanced (SPAKE2 and CPace) and two
augmented (OPAQUE and AuCPace).

Some additional information can be found in my slides from the IETF 106
CFRG meeting:

Please take a look at the plan and especially at Stage 1 - please send your
additional questions to be considered at Round 2 to crypto-panel@irtf.org
until December, 5th.

Round 2 of the PAKE selection process
Stage 1: November, 21st - December, 5th
Additional questions for all four candidates are collected from CFRG
participants (and Crypto Review Panel members). The questions can be of
one of the following types:
a) Requests for clarifications for the candidate protocols or their
proposed modifications (e.g., security of CPace and AuCPace without
negotiation of sid, security and convenience of SPAKE2 with a hash2curve
function used to obtain M and N for each pair of identifiers).
b) Questions to be taken into account in addition to ones collected at
Stage 1 of Round 1 (e.g., quantum annoyance, post-quantum preparedness).
The questions should be sent to crypto-panel@irtf.org.

Stage 2: December, 10th - December, 17th
A list of new questions is published on
https://github.com/cfrg/pake-selection; the CFRG is asked whether anything
else should be added.

Stage 3: December 25th - February, 10th
The authors of the candidates prepare their replies to the additional
questions/requested clarifications.

Stage 4: February, 12th - March, 10th
Crypto Review Panel members prepare new overall reviews (for all 4
remaining PAKEs) taking into account both the reviews obtained on Round 1
and new information obtained during Round 2.

IETF 107:
The CFRG chairs discuss the obtained reviews and make their recommendations
to CFRG (or convey to CFRG that they can’t make a recommendation yet).
If everything is clear:
- one (or zero) balanced PAKE is selected;
- one (or zero) augmented PAKE is selected;
- the process with CFRG document “Recommendations for password-based
authenticated key establishment in IETF protocols” is initiated: all
practically important recommendations (parameter selection, protecting
implementations against side-channel attacks, handling of counters etc.)
must be given there.

Best regards,
Stanislav Smyshlyaev
CFRG Secretary