Re: [Cfrg] Further actions on PAKEs: one/two documents; call for editors // Further steps regarding CPace, avoiding that incompatible versions get rolled out

Björn Haase, Sat, 16 May 2020 14:18 UTC


Hello to all,
Regarding the CPace I-D, I have meanwhile received feedback from several people who have independently implemented CPace, partly in incompatible ways (e.g. using different domain-separation identifiers).
Specifically, Steve Thomas, Frank Denis and Filippo Valsorda seem to have implemented the protocol using X25519 and Ristretto255 for C, Go, Rust (and maybe JavaScript?).
I would like to avoid that several incompatible implementations get out in the wild for the same group. For this reason, I would like to update the current I-D soon. Specifically there seems to be a larger interest in having a specification for Ristretto255.
For this purpose, I have collected all feedback that I have received so far at
I'd appreciate feedback from CFRG regarding how to consider different curves. My original plan was to just refer to the recently updated H2C draft for the mapping operation for any curve and use the generic specification that has recently been updated regarding the hash-to-base operation.
However, when seeing that ristretto does not seem to be considered in the H2C draft and considering that ristretto255 itself seems to specify a H2C operation, one might have to deviate from the "use the generic H2C specification" plan.
I'd appreciate your feedback here also regarding the general assessment of ristretto255 by the CFRG group. Is this something which should be considered in the balanced PAKE document to be provided by CFRG or rather not? Should ristretto255 be left out for an official CFRG document or not?
Also I'd appreciate feedback regarding whether the current CPace-01 draft could serve as a basis for a CFRG balanced PAKE document or whether one would rather start rewriting from scratch? From Frank Denis, I have received the feedback "The I-D is excellent, and contains everything an implementer would need.", however Yaron did have some objections regarding the general structure, IIRC.