Re: [Cfrg] Round 2 of the PAKE selection process

["Stanislav V. Smyshlyaev" <smyshsv@gmail.com>]

Dear Feng,

All materials of the PAKE selection process were published at
https://github.com/cfrg/pake-selection. The questions that were addressed
had been collected from the CFRG at Stage 1 of the selection process (and
all collected questions were included to the list), then answered by the
authors of the protocols - all those materials can be found at the GitHub,
as well as the reviews by the independent reviewers who evaluated them (see
https://github.com/cfrg/pake-selection#summary-of-reviews). The Crypto
Review Panel experts then provided their overall reviews, taking into
account all collected materials and reviews from independent experts.

Their recommendations, published at
https://github.com/cfrg/pake-selection#overall-reviews-by-crypto-review-panel,
have become the resulting summary (prepared by four experts of the Crypto
Review Panel independently). The PAKEs, selection of which were recommended
at least by some of the four experts, have passed to Round 2. Additional
questions about these four candidates (e.g., my clarifying question about
possible ways of selection of M and N) are collected now until December,
5th.

Regards,
Stanislav


чт, 21 нояб. 2019 г. в 15:36, Hao, Feng <Feng.Hao@warwick.ac.uk>:

> Dear Stanislav,
>
> If these questions are relevant, has the panel already considered them? If
> not, they probably will not bother for the next round either. If they have,
> it's reasonable for the panel to publish a summary of reasons to explain
> the decision in the interest of complete openness and transparency. That
> will be useful for the people on this list to better understand how the
> decision has been made, and how it will be made in round 2.
>
> Cheers,
>
> Feng
>
>
>
> *From: *"Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
> *Date: *Thursday, 21 November 2019 at 06:35
> *To: *"Hao, Feng" <Feng.Hao@warwick.ac.uk>, "cfrg-chairs@ietf.org" <
> cfrg-chairs@ietf.org>
> *Cc: *CFRG <cfrg@irtf.org>
> *Subject: *Re: [Cfrg] Round 2 of the PAKE selection process
>
>
>
> Dear Feng,
>
>
>
> >>   I appreciate all the efforts put in by the panel. I respect how this
> process is currently run and the result, so I don’t intend to change
> anything. But I hope these questions are still relevant and helpful for the
> round 2.
>
> Thank you, Feng!
>
>
>
> I fully agree that all these questions are still relevant for the Round 2
> (especially the ones that are addressed in the four Crypto Review Panel
> overall reviews less deeply than the others). Could you please formulate
> the questions that need to be considered (or maybe re-considered, taking
> into account new aspects) on Round 2?..
>
> If possible, in the form of a list of clear and reasonably short questions
> - to be added to the overall list of the questions considered on Round 2
> (according to the announcement, could you please send them to
> crypto-panel@irtf.org, please?)
>
>
>
> This will be a very important and helpful input of yours - among other
> things, because the issues you mention should also be addressed in the
> future RFC on recommendations for usage of PAKEs in the IETF protocols
> (provided that it will be the next step of the CFRG after the PAKE
> selection process is over).
>
>
>
> Kind regards,
>
> Stanislav
>
>
>
>
>
> чт, 21 нояб. 2019 г. в 01:48, Hao, Feng <Feng.Hao@warwick.ac.uk>:
>
> Dear Stanislav,
>
>
>
> In the previous discussions on the CFRG list, several questions about the
> panel reviews (linked below in your email) were raised. They include: the
> cost of the map-to-field operation has been almost entirely neglected for
> the finite field setting, which has caused a significant bias in the
> efficiency comparison; as for the elliptic curve setting, the details on
> hash-to-curve are yet to be finalized, so the cost remains unconfirmed, but
> it has been largely neglected in the efficiency analysis;  it remains
> unclear if the hash-to-curve will guarantee to be a constant-time operation
> for all the curves that it is meant to support or whether this
> constant-time requirement is relevant in the specific context of a protocol
> (this is related to the question that a candidate protocol must be fully
> specified so to allow meaningful analysis and a fair comparison with
> others); given that there is no (yet) general solution to do hash-to-curve,
> there is a question whether things might break in the future for new curves
> or whether that is an irrelevant concern; there is also a question whether
> the assumption of a trusted setup is considered acceptable and if yes, the
> worse-case scenario should be analysed to properly justify that choice.
>
>
>
> I think these are relevant and important issues to consider. I had hoped
> that the panel would consider these questions (along with other questions
> raised in the list) and respond with a summary of justifications for their
> decision before going forward to round 2. That will give a proper closure
> of round 1. In any case, I appreciate all the efforts put in by the panel.
> I respect how this process is currently run and the result, so I don’t
> intend to change anything. But I hope these questions are still relevant
> and helpful for the round 2.
>
>
>
> Cheers,
>
> Feng
>
>
>
> *From: *Cfrg <cfrg-bounces@irtf.org> on behalf of "Stanislav V.
> Smyshlyaev" <smyshsv@gmail.com>
> *Date: *Wednesday, 20 November 2019 at 16:22
> *To: *"cfrg@irtf.org" <cfrg@irtf.org>
> *Subject: *Re: [Cfrg] Round 2 of the PAKE selection process
>
>
>
> To eliminate any possible misunderstanding: "the Crypto Review Panel
> member reviews" in my previous message = the four overall reviews provided
> by the Crypto Review Panel experts:
> https://github.com/cfrg/pake-selection#overall-reviews-by-crypto-review-panel
>
>
>
> Regards,
>
> Stanislav
>
>
>
>
>
> ср, 20 нояб. 2019 г. в 13:43, Stanislav V. Smyshlyaev <smyshsv@gmail.com>:
>
> Dear Feng,
>
>
>
> The decision was made based on the Crypto Review Panel member reviews
> (which in turn were based on partial reviews by independent experts), which
> are available at
>
> https://github.com/cfrg/pake-selection (see “Overall reviews by Crypto
> Review Panel”).
>
>
>
> Best regards,
>
> Stanislav
>
>
>
> ср, 20 нояб.. 2019 г. в 18:29, Hao, Feng <Feng.Hao@warwick.ac.uk>:
>
> Dear Stanislav (and the review panel),
>
>
>
> Many thanks for the update.
>
>
>
> For the benefits of openness and transparency, can you give reasons why
> these four were selected and the rest were removed? I couldn’t find those
> on your slides.
>
>
>
> I’m sure that’ll be helpful for people on the CRFG to understand better
> this selection process.
>
>
>
> Cheers,
>
> Feng
>
>
>
> *From: *Cfrg <cfrg-bounces@irtf.org> on behalf of "Stanislav V.
> Smyshlyaev" <smyshsv@gmail.com>
> *Date: *Wednesday, 20 November 2019 at 06:02
> *To: *"cfrg@irtf.org" <cfrg@irtf.org>
> *Cc: *"cfrg-chairs@ietf.org" <cfrg-chairs@ietf.org>
> *Subject: *[Cfrg] Round 2 of the PAKE selection process
>
>
>
> Dear CFRG,
>
>
>
> As we've announced at the CFRG session today, now we're starting the Round
> 2 of the PAKE selection process.
>
>
>
> We have narrowed down choices to: two balanced (SPAKE2 and CPace) and two
> augmented (OPAQUE and AuCPace).
>
>
>
> Some additional information can be found in my slides from the IETF 106
> CFRG meeting:
>
>
> https://datatracker.ietf.org/meeting/106/materials/slides-106-cfrg-pake-selection-update
>
>
>
>
> Please take a look at the plan and especially at Stage 1 - please send
> your additional questions to be considered at Round 2 to
> crypto-panel@irtf.org until December, 5th.
>
>
>
> Round 2 of the PAKE selection process
>
> Stage 1: November, 21st - December, 5th
>
> Additional questions for all four candidates are collected from CFRG
> participants  (and Crypto Review Panel members). The questions can be of
> one of possible types:
>
> a) Requests for clarifications for the candidate protocols or their
> proposed modifications (e.g., security of CPace and AuCPace without
> negotiation of sid, security and convenient of SPAKE2 with a hash2curve
> function used to obtain M and N for each pair of identifiers).
>
> b) Questions to be taken into account in addition to ones collected at
> Stage 1 of Round 1 (e.g., quantum annoyance, post-quantum preparedness).
>
> The questions should be sent to crypto-panel@irtf.org.
>
>
>
> Stage 2: December, 10th - December, 17th
>
> A list of new questions is published on
> https://github.com/cfrg/pake-selection; the CFRG is asked whether
> anything else should be added.
>
>
>
> Stage 3: December 25th - February, 10th
>
> The authors of the candidates prepare their replies to the additional
> questions/requested clarifications.
>
>
>
> Stage 4: February, 12th - March, 10th
>
> Crypto Review Panel members prepare new overall reviews (for all 4
> remaining PAKEs) taking into account both the reviews obtained on Round 1
> and new information obtained during Round 2.
>
>
>
> IETF 107:
>
> The CFRG chairs discuss the obtained reviews and make their
> recommendations to CFRG (or convey to CFRG that they can’t make a
> recommendation yet).
>
> If everything is clear:
> - one (or zero) balanced PAKE is selected;
>
> - one (or zero) augmented PAKE is selected;
>
> - the process with CFRG document “Recommendations for password-based
> authenticated key establishment in IETF protocols” is initiated: all
> practically important recommendations (parameter selection, protecting
> implementations against side-channel attacks, handling of counters etc.)
> must be given there.
>
>
>
> Best regards,
>
> Stanislav Smyshlyaev
>
> CFRG Secretary
>
> --
>
> С уважением,
>
> Станислав Смышляев, к.ф.-м.н.,
>
> Заместитель генерального директора
>
> ООО «КРИПТО-ПРО»
>
>
>
>