Re: [Cfrg] PAKE Selection Process: Round 2, Stage 2

"Stanislav V. Smyshlyaev" <smyshsv@gmail.com> Mon, 09 December 2019 15:45 UTC

Return-Path: <smyshsv@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 688CB120866; Mon, 9 Dec 2019 07:45:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ueA-NPIoA-a7; Mon, 9 Dec 2019 07:45:34 -0800 (PST)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7F45120828; Mon, 9 Dec 2019 07:45:33 -0800 (PST)
Received: by mail-lj1-x236.google.com with SMTP id d20so16133262ljc.12; Mon, 09 Dec 2019 07:45:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=hHH9ivuuaopxSe/q/0VqYBC+yrvvh/tjpckSULUIAA4=; b=ZgEkPs79cxmI24BVcM9zV+Jnh6Rf/E9lvfh40ZnDUA9sTQxrFbw3ZCtzRklOLnWRUq knYzT+ueFPUYv8j5ccrN80TYBXcnW0SyjVJYVti4/oUXDIiaMSxQapcICf9rBvQaFiib bZL/kczXg+bsx1IcDb7jl65JTxEbbR5TF9/fHjSNheDp8jdsOFazHDvuZlf19AjOSyIe oWhGIs3Q7LFLALCYZpUHZysuprvMHR4Mj4rKKJsS7YTfU51EasTN0H7BVEi5K9Sj2s5X Ye4ZkifqJ+gJvx0zljesxvYCKy73PNQZXXRV7i4nNW3eYkASQ7xY13uJeDgm1xpyleem fHyg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=hHH9ivuuaopxSe/q/0VqYBC+yrvvh/tjpckSULUIAA4=; b=YH5RrA/Fg9EynHqrUGSVM0dsRDFMyjVuHFTUaOIXVJyENqRzKjlshHJlqNA8GQ1dJj S1G/QuM+2crdsLu3bRqylODnIrSMqZjT3hQHw5T6p2+GisbGZtJ28CPQf2oiGT59wBZ5 nAuA+EEqaDn86QTIsOVkXdVxvjv48LEkRaXJO6qOjiR4jxYtVlHUUlSPnPq2TeyOvS18 hzONutXR6hOjpPGS9sl9X/2fOHSdkJrQ7srVlJFaX458h8FMnj9Ng54l4ZOvhW89gjVt KvF+HHVD7fXHF5Xke87AtXAtEkufwkIrRCYVA/l5FIPXQ4xWYppl0gskw0xQHWb0wA2m iTAA==
X-Gm-Message-State: APjAAAUuE9/Ji3C6Ma9IXOLarAxkruuV6LssHwSo+SNsGe8wu7TaQ4jw 2sgpkMnRcvrFdvVjD3mWOwUw1T6hAZnwKnlMP60=
X-Google-Smtp-Source: APXvYqy9yt2EQbn0f1bipoNQfZPNok1qGJU8SMWovh0iTDGDeboiycZSbthl/tsrrQIxmso1/PmxayESmlRfEeRELRk=
X-Received: by 2002:a05:651c:152:: with SMTP id c18mr17116538ljd.146.1575906331930; Mon, 09 Dec 2019 07:45:31 -0800 (PST)
MIME-Version: 1.0
References: <CAMr0u6=hOG1Jw_3iafiC+0U4F6OX6Dnx78+4zamk7GmdgvvfGw@mail.gmail.com> <CACsn0c=t34XD5c4QXGJGoq2uZ8GjBrWDkG9yOb3nD=g_1ZxwYw@mail.gmail.com>
In-Reply-To: <CACsn0c=t34XD5c4QXGJGoq2uZ8GjBrWDkG9yOb3nD=g_1ZxwYw@mail.gmail.com>
From: "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>
Date: Mon, 9 Dec 2019 18:45:23 +0300
Message-ID: <CAMr0u6njJ_uYn5ZewJi=h4DKMqO6TxHVGSt8kfteQSdZHzfoJQ@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: CFRG <cfrg@irtf.org>, crypto-panel@irtf.org
Content-Type: multipart/alternative; boundary="0000000000001d324e05994749e9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/t8dOeScl_Mv86X454K_L5kJxoQM>
Subject: Re: [Cfrg] PAKE Selection Process: Round 2, Stage 2
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Dec 2019 15:45:36 -0000

Dear Watson,

Thanks, but we're still collecting the questions, the authors (including
you for SPAKE2) will have time at Stage 3 (December 25th - February, 10th)
to prepare the replies (Stage 3: "The authors of the candidates prepare
their replies to the additional questions/requested clarifications.").



пн, 9 дек. 2019 г. в 18:41, Watson Ladd <watsonbladd@gmail.com>om>:

>
>
> On Mon, Dec 9, 2019 at 4:44 AM Stanislav V. Smyshlyaev <smyshsv@gmail.com>
> wrote:
>
>> Dear CFRG,
>>
>> According to the plan of Round 2 of the PAKE selection process,
>> additional questions for all four remaining candidates have been collected
>> from CFRG participants (and Crypto Review Panel members) via
>> crypto-panel@irtf.org .
>>
>> We've obtained the following list of questions:
>> 1) (to SPAKE2): Can you propose a modification of SPAKE2 (preserving all
>> existing good properties of PAKE2) with a correspondingly updated security
>> proof, addressing the issue of a single discrete log relationship necessary
>> for the security of all sessions (e.g., solution based on using
>> M=hash2curve(A|B), N=hash2curve(B|A))?
>>
>
> Yes: See https://github.com/kaduk/spake2/pull/10 and for the security
> proof,  https://eprint.iacr.org/2019/1194. I'll submit it shortly, but
> this should indicate where we are going.
>
> 2) (to CPace and AuCPace): Can you propose a modification of CPace and
>> AuCPace (preserving all existing good properties of these PAKEs) with a
>> correspondingly updated security proof (maybe, in some other security
>> models), addressing the issue of requiring the establishment of a session
>> identifier (sid) during each call of the protocol for the cost of one
>> additional message?
>> 3) (to all 4 remaining PAKEs) : Can the nominators/developers of the
>> protocols please re-evaluate possible IPR conflicts between their
>> candidates protocols and own and foreign patents? Specifically, can you
>> discuss the impact of U.S. Patent 7,047,408 (expected expiration 10th of
>> march 2023) on free use of SPAKE2 and the impact of EP1847062B1 (HMQV,
>> expected expiration October 2026) on the free use of the RFC-drafts for
>> OPAQUE?
>>
>
> I'm not a patent lawyer, or any kind of lawyer. This sounds like a
> question for a patent lawyer, rather then uninformed speculation on the
> list.
>
> 4) (to all 4 remaining PAKEs) What can be said about the property of
>> "quantum annoyance" (an attacker with a quantum computer needs to solve
>> [one or more] DLP per password guess) of the PAKE?
>>
>
> I'll have to look at the papers some more. Will answer in a few days.
>
> 5) (to all 4 remaining PAKEs) What can be said about "post-quantum
>> preparedness" of the PAKE?
>>
>
> There isn't a great answer here for SPAKE2 AKAIK. Postquantum primitives
> don't smoothly translate point addition or group laws.
>
>
>> Please let the chairs and the Crypto Review Panel members know (before
>> December, 17th) if any questions (collected via  crypto-panel@irtf.org)
>> have been lost or misinterpreted (or something needs to be added).
>>
>> Best regards,
>> Stanislav,
>> CFRG Secretary
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/cfrg
>>
>