[Crypto-panel] Round 2 Stage 4 of PAKE selection process
Russ Housley <housley@vigilsec.com> Thu, 27 February 2020 17:56 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: crypto-panel@ietfa.amsl.com
Delivered-To: crypto-panel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 741183A0E38 for <crypto-panel@ietfa.amsl.com>; Thu, 27 Feb 2020 09:56:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9Ja8FIdcX95A for <crypto-panel@ietfa.amsl.com>; Thu, 27 Feb 2020 09:56:12 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02B9D3A0E3D for <crypto-panel@irtf.org>; Thu, 27 Feb 2020 09:56:12 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 941FA300B43 for <crypto-panel@irtf.org>; Thu, 27 Feb 2020 12:56:09 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id mHYWBJNuvKAf for <crypto-panel@irtf.org>; Thu, 27 Feb 2020 12:56:08 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-108-51-198-163.washdc.fios.verizon.net [108.51.198.163]) by mail.smeinc.net (Postfix) with ESMTPSA id EAD06300A02; Thu, 27 Feb 2020 12:56:07 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Message-Id: <D504FF0D-BF7A-4556-A5C5-34F66DC1184E@vigilsec.com>
Date: Thu, 27 Feb 2020 12:56:09 -0500
Cc: crypto-panel@irtf.org
To: cfrg-chairs@ietf.org
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/r3ktVcmPA-POVMNjVBmY84lTOHA>
Subject: [Crypto-panel] Round 2 Stage 4 of PAKE selection process
X-BeenThere: crypto-panel@irtf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <crypto-panel.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/crypto-panel/>
List-Post: <mailto:crypto-panel@irtf.org>
List-Help: <mailto:crypto-panel-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Feb 2020 17:56:16 -0000
CFRG is looking for a PAKE to support TLS 1.3 and IKEv2. I provided an earlier review as part of Round 1, and I am providing this review as part of Round 2 (Stage 4). The candidate algorithms fro Round 2 have been reduced to four choices, two Balanced PAKE algorithms and two Augmented PAKE algorithms. Augmented PAKE (OPAQUE vs AuCPace) RECOMMENDATION: OPAQUE OPAQUE uses fewer messages than AuCPace. The recent update to AuCPace (called AuPace without explicit key confirmation) reduces the round trips from the version that reviewed the the previous round. OPAQUE is modular, so the CFRG will need to make choices for each of the component parts. On one hand, the computational cost cannot be clearly known without picking all of the components. On the other hand, there are reasonable choices for all of the components that fit well with TLS 1.3 and IKEv2, and if a problem is ever found with a particular choice, there are replacements already on the shelf. Assuming very reasonable choices for the components, OPAQUE uses less computation that AuCPace. In addition, OPAQUE is "post-quantum prepared". That is, the modular design allows post-quantum components to be selected after the NIST competition is complete. The biggest downside was already raise by Scott Fluhrer, and that is the lack of "quantum annoyance". Despite this downside, in my view, the modularity and reduced computational cost tilt the scale in favor of OPAQUE. Balanced PAKE (CPace vs SPAKE2) RECOMMENDATION: CPace CPace requires fewwer elliptic curve operations by each party. CPace has better "quantum annoyance" than SPAKE2. Neither algorithm is "post-quantum prepared". (In fact, Watson Ladd said "SPAKE2 is unlikely to have a post-quantum alternative".) The lack of response to the Third Party IPR disclose against SPAKE2 is also a significant concern.
- [Crypto-panel] Round 2 Stage 4 of PAKE selection … Russ Housley