[Cfrg] PAKE Selection Process: Round 2, Stage 2

"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Mon, 09 December 2019 12:43 UTC

To: CFRG <cfrg@irtf.org>, crypto-panel@irtf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/j88r8N819bw88xCOyntuw_Ych-I>

Dear CFRG,

According to the plan of Round 2 of the PAKE selection process, additional
questions for all four remaining candidates have been collected from CFRG
participants (and Crypto Review Panel members) via crypto-panel@irtf.org.

We've obtained the following list of questions:
1) (to SPAKE2): Can you propose a modification of SPAKE2 (preserving all
existing good properties of PAKE2) with a correspondingly updated security
proof, addressing the issue of a single discrete log relationship necessary
for the security of all sessions (e.g., solution based on using
M=hash2curve(A|B), N=hash2curve(B|A))?
2) (to CPace and AuCPace): Can you propose a modification of CPace and
AuCPace (preserving all existing good properties of these PAKEs) with a
correspondingly updated security proof (maybe, in some other security
models), addressing the issue of requiring the establishment of a session
identifier (sid) during each call of the protocol for the cost of one
additional message?
3) (to all 4 remaining PAKEs): Can the nominators/developers of the
protocols please re-evaluate possible IPR conflicts between their
candidate protocols and own and foreign patents? Specifically, can you
discuss the impact of U.S. Patent 7,047,408 (expected expiration 10th of
March 2023) on free use of SPAKE2 and the impact of EP1847062B1 (HMQV,
expected expiration October 2026) on the free use of the RFC-drafts for
OPAQUE?
4) (to all 4 remaining PAKEs) What can be said about the property of
"quantum annoyance" (an attacker with a quantum computer needs to solve
[one or more] DLP per password guess) of the PAKE?
5) (to all 4 remaining PAKEs) What can be said about "post-quantum
preparedness" of the PAKE?

Please let the chairs and the Crypto Review Panel members know (before
December 17th) if any questions (collected via crypto-panel@irtf.org)
have been lost or misinterpreted (or something needs to be added).

Best regards,
Stanislav,
CFRG Secretary