[Cfrg] Raw minutes of today's meeting

Yoav Nir <ynir.ietf@gmail.com> Thu, 25 July 2019 21:19 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
Date: Thu, 25 Jul 2019 17:19:47 -0400
To: IRTF CFRG <cfrg@irtf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/ERmg_AlQJim6yW5j3rUqFfhQiXg>
Subject: [Cfrg] Raw minutes of today's meeting

CFRG Summary - IETF 105

Meeting started at 15:52

New co-chair (Nick Sullivan). New secretary (Stanislav).

Looking for volunteers for CFRG document review panel.  Need both academic and industry experience.

PAKE selection (summary by Stanislav later)

HPKE (Richard Barnes)
    Dan Harkins: Same key-pair - same key?
    Richard: No, we got fresh entropy
    Tanja Lange: it depends on how they define ephemeral
    Adam Langley: Consider NOISE. Shows we can do something worthwhile.  Go there.  
    Richard: What does "go there" mean?
    Adam: Don't need to do an all too general framework
    Richard: This is orthogonal to the NOISE approach
    Riad: What would you remove if it was up to you?
    Richard: The modes in which the center is authenticated with a symmetric key.
    Riad: Remove the unauthenticated case?
    Richard: Not sure it would streamline things much. It's already a special case.
    Joe Salowey: In a WG I'd say we need to take things out. In an RG - less so. But still - less is more.
    Richard: I think we have a consolidated set. Think we should leave things as they are.
    Richard: naming?  CASHEW: Combined Asymmetric/Symmetric Hybrid Encryption Wrapping
    Chris Wood: Likes cashews.
    
MGM (Stanislav):
    Multilinear Galois Mode
    Scott Fluhrer: GCM also has the property that you can begin encrypting before you have the AAD
    Stanislav: Right
    Yoav: why not call for adoption?
    Stanislav: I am not the designer. Maybe in the future.
    Watson Ladd: The cited attacks don't really break GCM.
    Stanislav: MGM has better security bounds than GCM for some attacks.
    Watson: The slides conflict. One says MGM performs better; the other says GCM does.
    Stanislav: Depends on context.
    
Pairing Friendly Curves (Shoko Yonezawa)
    Riad: BLS12-381 is designed for this purpose. Is it worthwhile to define 192- and 256-levels?  It's already unbelievably slow.
    Shoko: We have to consider many curves. Not all are for implementers to implement, because they are confused as to which curve to implement.
    Riad: Yes, but is that level needed? Don't know that people are using 581.
    Tanja Lange: "Optimal TNFS-secure pairings on elliptic curves with composite embedding degree" by Georgios Fotiadis and Chloe Martindale
    
    Does anyone have applications?  3 hands are raised.
    
Streebog and Kuznyechik (Léo Perrin)
    PHB: Some jiggering going on.
    Yoav: Why does ISO standardization matter?
    Russ Housley: We only know that something smells funny.
    Stanislav: Thanks for doing the analysis. There was public info before standardization. 
               Maybe not as public as it should have been. Agree that any analysis should be done.
               Concerns should be investigated. Papers say there are structures, not showing how it could be exploited.
               If you find an attack or hazard, I'll be happy to discuss it with you.
               For now we only have structures.
    Léo: Right. No attack. Analyzers should have had all the information.
    Vasily Dolmatov: Structure does not imply vulnerability. We appreciate this. It is important for transparency.
    
Hash to curve update (Riad Wahby)
    (no comment)
    Alexey: 1 more revision?  More?
    Riad: Close to done; need to cover a few more curves. No huge changes.
    
PAKE Contest Update (Stanislav)
    Vasily Dolmatov: Hopefully people from TLS or IKEv2 are here. Otherwise we need to contact them.
    Chairs: TLS people are here.
    Yoav: Also IKE people
    Bjoern Haase: Could you post the place where to find the replies regarding VTBPEKE? I did not find it on the mailing list.
    Stanislav: Yes. They're either on the list or the chairs posted to the list. We'll try to publish again in a convenient way.
    
Nick: Still looking for volunteers for the panel. Would like people to review more than one for better comparison.