Re: [Cfrg] Round 2 of the PAKE selection process

"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Thu, 21 November 2019 13:14 UTC

Return-Path: <smyshsv@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB6F11208AB for <cfrg@ietfa.amsl.com>; Thu, 21 Nov 2019 05:14:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CI6OZ1qGknMm for <cfrg@ietfa.amsl.com>; Thu, 21 Nov 2019 05:14:50 -0800 (PST)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D91ED12083C for <cfrg@irtf.org>; Thu, 21 Nov 2019 05:14:49 -0800 (PST)
Received: by mail-lj1-x22e.google.com with SMTP id q2so3171333ljg.7 for <cfrg@irtf.org>; Thu, 21 Nov 2019 05:14:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=biOx0jABYMnbncTs4LSWqmFkF+JTSmDSW+2BoomJQJ0=; b=RD11aqk0OeV7t3Ya9AgiTfvQPzZt8n31GCOH+GLFiy+lYO8PkHTI/C+MJyTKDRKPaV 17RmcZyhQdIcNXTMr5CMPiqMoMtPxeooOISI6hkKtPqa3qlGdYhX853F8t52oV1BrCYY qb066WMN3+ZNIt0b+rXbTCa0HRjLWioYvl0NnxQAlCLfftlKZeXvciJKYAjvKDiUN9mI uKXYjV+OM+fGvRGU52umwnqjIeNAxVqeE3ZHZgPzdYRyNyuFtCUZ3EvgnzOdOTZgTHNA ctMg8EdoZlofnlV6WkEmrYMxCA1uujTMOxtjmjUqGFkE7CImotbNvaOk27T32aTFLG3u CxpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=biOx0jABYMnbncTs4LSWqmFkF+JTSmDSW+2BoomJQJ0=; b=lbII0vg0udjD/PzUyJVlh3/tVC+bjIHVoO6N/2hALhzgCqKDizc5rMAq/SZEUOejLX F6qBEHe0QgvIwk7zRKRnaJiK7lhK4PfoncP+ns+GUSfoZd1RsN70tcSK12YucZ23hJQf g6EvwFgTZuZGIsYtJm19OuBUZ47M6ZKMXi3rDwqzvkiKpMAt6eeOEtb7LMLKKa2vBMwh isQq7yjw+RZPgHBmzYV7eW22nWecDlXy1hQ6pGQTafKcy7Bo4QZL4Rl9GaVqRTNWcdTc wPHjIvtR1Oz7qMtuAaNwjTGVOFfqaTq1uC5C+sF8aJqirrGPzbDzG+yqhoi5q1SZvaK/ TvLg==
X-Gm-Message-State: APjAAAV/JdDNqii/dLs2uQpwQdoOJ0KPejP3eaAUYwLRwPxAy2HQwC4/ BTmP/FDThX6zc1UfFo7ASNTAhDFINEbnaf4Zx0w=
X-Google-Smtp-Source: APXvYqwWJGF83MHwUXTvkyyK9C3uUpiHkzPJBL/+TC78Hb9x8LK8YFqtcAv7dKyVbuKeYOa5XCy94+5shth7O4GZiuY=
X-Received: by 2002:a2e:9a55:: with SMTP id k21mr6764393ljj.85.1574342087792; Thu, 21 Nov 2019 05:14:47 -0800 (PST)
MIME-Version: 1.0
References: <CAMr0u6nPQxO5X1Txoeh5X7jN=eHscRCBH0HJW=3tbqUdjn8N4Q@mail.gmail.com> <BA639DCD-B3B9-40BD-AF6D-1A4CE9425A03@live.warwick.ac.uk> <CAMr0u6mDx_NnvJq_LpRZSBkWe707mn=HBrELeXsjYXvTTMtzRw@mail.gmail.com> <CAMr0u6n2Hp-h_hey=Z7ucjSWCV+0pYovtYbW0SX0f9Hw4Rqn4A@mail.gmail.com> <8DDC5DF8-B89C-461C-AA33-9C7F616A3540@live.warwick.ac.uk> <CAMr0u6k97t8BVPEeJ2ZW4DZheb2s7PeKkdoXQLmYcTEvntN7ow@mail.gmail.com> <CAB4EDC7-A341-4340-926D-AA8EA829A81E@live.warwick.ac.uk>
In-Reply-To: <CAB4EDC7-A341-4340-926D-AA8EA829A81E@live.warwick.ac.uk>
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Date: Thu, 21 Nov 2019 16:14:38 +0300
Message-ID: <CAMr0u6=Ue_PrHxyzNpqdFSAEmezQbE1GCC-ci9fQ5AoRrKWQ9Q@mail.gmail.com>
To: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
Cc: "cfrg-chairs@ietf.org" <cfrg-chairs@ietf.org>, CFRG <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="000000000000e5dee60597db1440"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/VX1rUZlHE--CD4UyW00xloMyuoQ>
Subject: Re: [Cfrg] Round 2 of the PAKE selection process
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2019 13:14:57 -0000

Dear Feng,

All materials of the PAKE selection process were published at
https://github.com/cfrg/pake-selection. The questions that were addressed
had been collected from the CFRG at Stage 1 of the selection process (and
all collected questions were included to the list), then answered by the
authors of the protocols - all those materials can be found at the GitHub,
as well as the reviews by the independent reviewers who evaluated them (see
https://github.com/cfrg/pake-selection#summary-of-reviews). The Crypto
Review Panel experts then provided their overall reviews, taking into
account all collected materials and reviews from independent experts.

Their recommendations, published at
https://github.com/cfrg/pake-selection#overall-reviews-by-crypto-review-panel,
have become the resulting summary (prepared by four experts of the Crypto
Review Panel independently). The PAKEs, selection of which were recommended
at least by some of the four experts, have passed to Round 2. Additional
questions about these four candidates (e.g., my clarifying question about
possible ways of selection of M and N) are collected now until December,
5th.

Regards,
Stanislav


чт, 21 нояб. 2019 г. в 15:36, Hao, Feng <Feng.Hao@warwick.ac.uk>;:

> Dear Stanislav,
>
> If these questions are relevant, has the panel already considered them? If
> not, they probably will not bother for the next round either. If they have,
> it's reasonable for the panel to publish a summary of reasons to explain
> the decision in the interest of complete openness and transparency. That
> will be useful for the people on this list to better understand how the
> decision has been made, and how it will be made in round 2.
>
> Cheers,
>
> Feng
>
>
>
> *From: *"Stanislav V. Smyshlyaev" <smyshsv@gmail.com>;
> *Date: *Thursday, 21 November 2019 at 06:35
> *To: *"Hao, Feng" <Feng.Hao@warwick.ac.uk>;, "cfrg-chairs@ietf.org"; <
> cfrg-chairs@ietf.org>;
> *Cc: *CFRG <cfrg@irtf.org>;
> *Subject: *Re: [Cfrg] Round 2 of the PAKE selection process
>
>
>
> Dear Feng,
>
>
>
> >>   I appreciate all the efforts put in by the panel. I respect how this
> process is currently run and the result, so I don’t intend to change
> anything. But I hope these questions are still relevant and helpful for the
> round 2.
>
> Thank you, Feng!
>
>
>
> I fully agree that all these questions are still relevant for the Round 2
> (especially the ones that are addressed in the four Crypto Review Panel
> overall reviews less deeply than the others). Could you please formulate
> the questions that need to be considered (or maybe re-considered, taking
> into account new aspects) on Round 2?..
>
> If possible, in the form of a list of clear and reasonably short questions
> - to be added to the overall list of the questions considered on Round 2
> (according to the announcement, could you please send them to
> crypto-panel@irtf.org, please?)
>
>
>
> This will be a very important and helpful input of yours - among other
> things, because the issues you mention should also be addressed in the
> future RFC on recommendations for usage of PAKEs in the IETF protocols
> (provided that it will be the next step of the CFRG after the PAKE
> selection process is over).
>
>
>
> Kind regards,
>
> Stanislav
>
>
>
>
>
> чт, 21 нояб. 2019 г. в 01:48, Hao, Feng <Feng.Hao@warwick.ac.uk>;:
>
> Dear Stanislav,
>
>
>
> In the previous discussions on the CFRG list, several questions about the
> panel reviews (linked below in your email) were raised. They include: the
> cost of the map-to-field operation has been almost entirely neglected for
> the finite field setting, which has caused a significant bias in the
> efficiency comparison; as for the elliptic curve setting, the details on
> hash-to-curve are yet to be finalized, so the cost remains unconfirmed, but
> it has been largely neglected in the efficiency analysis;  it remains
> unclear if the hash-to-curve will guarantee to be a constant-time operation
> for all the curves that it is meant to support or whether this
> constant-time requirement is relevant in the specific context of a protocol
> (this is related to the question that a candidate protocol must be fully
> specified so to allow meaningful analysis and a fair comparison with
> others); given that there is no (yet) general solution to do hash-to-curve,
> there is a question whether things might break in the future for new curves
> or whether that is an irrelevant concern; there is also a question whether
> the assumption of a trusted setup is considered acceptable and if yes, the
> worse-case scenario should be analysed to properly justify that choice.
>
>
>
> I think these are relevant and important issues to consider. I had hoped
> that the panel would consider these questions (along with other questions
> raised in the list) and respond with a summary of justifications for their
> decision before going forward to round 2. That will give a proper closure
> of round 1. In any case, I appreciate all the efforts put in by the panel.
> I respect how this process is currently run and the result, so I don’t
> intend to change anything. But I hope these questions are still relevant
> and helpful for the round 2.
>
>
>
> Cheers,
>
> Feng
>
>
>
> *From: *Cfrg <cfrg-bounces@irtf.org>; on behalf of "Stanislav V.
> Smyshlyaev" <smyshsv@gmail.com>;
> *Date: *Wednesday, 20 November 2019 at 16:22
> *To: *"cfrg@irtf.org"; <cfrg@irtf.org>;
> *Subject: *Re: [Cfrg] Round 2 of the PAKE selection process
>
>
>
> To eliminate any possible misunderstanding: "the Crypto Review Panel
> member reviews" in my previous message = the four overall reviews provided
> by the Crypto Review Panel experts:
> https://github.com/cfrg/pake-selection#overall-reviews-by-crypto-review-panel
>
>
>
> Regards,
>
> Stanislav
>
>
>
>
>
> ср, 20 нояб. 2019 г. в 13:43, Stanislav V. Smyshlyaev <smyshsv@gmail.com>;:
>
> Dear Feng,
>
>
>
> The decision was made based on the Crypto Review Panel member reviews
> (which in turn were based on partial reviews by independent experts), which
> are available at
>
> https://github.com/cfrg/pake-selection (see “Overall reviews by Crypto
> Review Panel”).
>
>
>
> Best regards,
>
> Stanislav
>
>
>
> ср, 20 нояб.. 2019 г. в 18:29, Hao, Feng <Feng.Hao@warwick.ac.uk>;:
>
> Dear Stanislav (and the review panel),
>
>
>
> Many thanks for the update.
>
>
>
> For the benefits of openness and transparency, can you give reasons why
> these four were selected and the rest were removed? I couldn’t find those
> on your slides.
>
>
>
> I’m sure that’ll be helpful for people on the CRFG to understand better
> this selection process.
>
>
>
> Cheers,
>
> Feng
>
>
>
> *From: *Cfrg <cfrg-bounces@irtf.org>; on behalf of "Stanislav V.
> Smyshlyaev" <smyshsv@gmail.com>;
> *Date: *Wednesday, 20 November 2019 at 06:02
> *To: *"cfrg@irtf.org"; <cfrg@irtf.org>;
> *Cc: *"cfrg-chairs@ietf.org"; <cfrg-chairs@ietf.org>;
> *Subject: *[Cfrg] Round 2 of the PAKE selection process
>
>
>
> Dear CFRG,
>
>
>
> As we've announced at the CFRG session today, now we're starting the Round
> 2 of the PAKE selection process.
>
>
>
> We have narrowed down choices to: two balanced (SPAKE2 and CPace) and two
> augmented (OPAQUE and AuCPace).
>
>
>
> Some additional information can be found in my slides from the IETF 106
> CFRG meeting:
>
>
> https://datatracker.ietf.org/meeting/106/materials/slides-106-cfrg-pake-selection-update
>
>
>
>
> Please take a look at the plan and especially at Stage 1 - please send
> your additional questions to be considered at Round 2 to
> crypto-panel@irtf.org until December, 5th.
>
>
>
> Round 2 of the PAKE selection process
>
> Stage 1: November, 21st - December, 5th
>
> Additional questions for all four candidates are collected from CFRG
> participants  (and Crypto Review Panel members). The questions can be of
> one of possible types:
>
> a) Requests for clarifications for the candidate protocols or their
> proposed modifications (e.g., security of CPace and AuCPace without
> negotiation of sid, security and convenient of SPAKE2 with a hash2curve
> function used to obtain M and N for each pair of identifiers).
>
> b) Questions to be taken into account in addition to ones collected at
> Stage 1 of Round 1 (e.g., quantum annoyance, post-quantum preparedness).
>
> The questions should be sent to crypto-panel@irtf.org.
>
>
>
> Stage 2: December, 10th - December, 17th
>
> A list of new questions is published on
> https://github.com/cfrg/pake-selection; the CFRG is asked whether
> anything else should be added.
>
>
>
> Stage 3: December 25th - February, 10th
>
> The authors of the candidates prepare their replies to the additional
> questions/requested clarifications.
>
>
>
> Stage 4: February, 12th - March, 10th
>
> Crypto Review Panel members prepare new overall reviews (for all 4
> remaining PAKEs) taking into account both the reviews obtained on Round 1
> and new information obtained during Round 2.
>
>
>
> IETF 107:
>
> The CFRG chairs discuss the obtained reviews and make their
> recommendations to CFRG (or convey to CFRG that they can’t make a
> recommendation yet).
>
> If everything is clear:
> - one (or zero) balanced PAKE is selected;
>
> - one (or zero) augmented PAKE is selected;
>
> - the process with CFRG document “Recommendations for password-based
> authenticated key establishment in IETF protocols” is initiated: all
> practically important recommendations (parameter selection, protecting
> implementations against side-channel attacks, handling of counters etc.)
> must be given there.
>
>
>
> Best regards,
>
> Stanislav Smyshlyaev
>
> CFRG Secretary
>
> --
>
> С уважением,
>
> Станислав Смышляев, к.ф.-м.н.,
>
> Заместитель генерального директора
>
> ООО «КРИПТО-ПРО»
>
>
>
>