Re: [openpgp] [PATCH] RFC4880bis: Argon2i

Simon Josefsson <simon@josefsson.org> Thu, 05 November 2015 11:33 UTC

From: Simon Josefsson <simon@josefsson.org>
Date: Thu, 05 Nov 2015 12:31:22 +0100
To: Alex Biryukov <alex.biryukov@uni.lu>
Message-ID: <B93BD8EB-6D1D-48C2-90A2-64EABFA06A81@josefsson.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/openpgp/MjWklffWzjLtQivs6aMqUaaR0Ug>
Cc: Nils Durner <ndurner@googlemail.com>, "openpgp@ietf.org" <openpgp@ietf.org>, Dmitry Khovratovich <khovratovich@gmail.com>, Daniel Dinu <dumitru-daniel.dinu@uni.lu>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Joseph Lorenzo Hall <joe@cdt.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [openpgp] [PATCH] RFC4880bis: Argon2i

There is not a lot of cryptocurrency standardisation going on in the IETF, alas. What do you think about using the term "proof of work" in the title instead? It appears to be the cryptographic property that cryptocurrencies (and other applications!) want from a primitive. I perceive that other PoW-ideas may be standardized in the IETF before currencies are.

Have you or anyone provided security reductions for Argon2 btw? Similar to the reductions that are available for Catena.  They would help to substantiate any claims in the document that Argon2 is secure for its intended uses.

/Simon

Alex Biryukov <alex.biryukov@uni.lu> wrote: (5 November 2015 12:07:17 CET)
>We discussed it briefly, would it be possible to add "cryptocurrency" to
>the title to cover two main usage areas. Then it would make sense to keep
>both Argon2i and Argon2d in the standard.
>
>"The memory-hard Argon2 password and cryptocurrency hash function
>draft-josefsson-argon2-00
>
>
>On Thu, Nov 5, 2015 at 9:25 AM, Simon Josefsson <simon@josefsson.org> wrote:
>
>> We have now pushed out a -00 strawman on Argon2 in ID form:
>>
>> https://tools.ietf.org/html/draft-josefsson-argon2-00
>>
>> I'm not happy with the explanation of the H' and G functions, and the
>> permutation P (from BLAKE2b) and the indexing section are missing.
>> Reference code in a higher-level language like Python would be useful.
>> If those things, and an ASN.1 schema, are added, I believe the document
>> would be good to go.
>>
>> We need to have an IETF discussion whether we are interested in the
>> Argon2d non-side-channel safe variant.  The Argon2 paper implies that
>> the Argon2i side-channel safe variant is for "dangerous settings" where
>> you need side-channel safety.  For Internet use I believe we have
>> already passed the point where we can ignore side-channel concerns,
>> since they have been used in several successful attacks already.  This
>> could be resolved in the security considerations, but I'm concerned
>> about giving people too much rope here.
>>
>> /Simon
>>
>> Stephen Farrell <stephen.farrell@cs.tcd.ie> writes:
>>
>> > Hiya,
>> >
>> > One way to handle this might be to add the winners as
>> > co-authors on the Internet-draft. In that case, the
>> > draft boilerplate text says that you're following the IETF
>> > IPR rules and hence would have filed an IPR declaration
>> > if one was needed. And if none is needed, we'd be done.
>> >
>> > I'm sure we can figure other options but the above would
>> > be easiest from the IETF point of view.
>> >
>> > Cheers,
>> > S.
>> >
>> > On 03/11/15 11:56, Joseph Lorenzo Hall wrote:
>> >> Congratulations btw on winning the competition!
>> >>
>> >> Kathleen and Stephen can confirm, but I believe you don't have to do
>> >> anything in terms of adding any language in this case (no patent
>> >> issued/sought, patent pending, etc.). When/if the document is adopted by
>> >> the working group, the chair will request any disclosures.
>> >>
>> >>
>> >>
>> >> On Tuesday, November 3, 2015, Alex Biryukov <alex.biryukov@uni.lu> wrote:
>> >>
>> >>> Hi all,
>> >>>
>> >>> We were not intending to patent it, so we can add a sentence about it.
>> >>> Suggestions of lawyer-happy phrases are welcome.
>> >>>
>> >>> Alex
>> >>>
>> >>> On Tue, Nov 3, 2015 at 10:47 AM, Joseph Lorenzo Hall <joe@cdt.org> wrote:
>> >>>
>> >>>> At IETF94 one question that came up in trying to move quickly to
>> >>>> support Argon2 is the potential IPR that might be in Argon2. The code
>> >>>> available now [1] is CC0 which, AFAICT, doesn't have any patent grant
>> >>>> or implication for patents, etc., meaning the authors could still
>> >>>> claim something, precluding it from use without a waiver (or whatever,
>> >>>> IANAL)
>> >>>>
>> >>>> I'll CC the Argon2 authors (on the Argon2 spec [2]) here and see if we
>> >>>> can clarify any potential IPR and whether that might affect using it
>> >>>> in the future in OpenPGP.
>> >>>>
>> >>>> best, Joe
>> >>>>
>> >>>> [1]: https://github.com/p-h-c/phc-winner-argon2
>> >>>> [2]: https://password-hashing.net/argon2-specs.pdf
>> >>>>
>> >>>> On Tue, Nov 3, 2015 at 5:20 PM, Simon Josefsson <simon@josefsson.org> wrote:
>> >>>>> On Tue, 3 Nov 2015 07:45:44 +0100
>> >>>>> Re: [openpgp] [PATCH] RFC4880bis: Argon2i wrote:
>> >>>>>
>> >>>>>> Hi Daniel,
>> >>>>>>
>> >>>>>>> If we introduce this as a normative dependency for OpenPGP, though,
>> >>>>>>> we might also want to have an IETF RFC for Argon2.  Do you know of
>> >>>>>>> anyone working on such a draft?
>> >>>>>>
>> >>>>>> Simon Josefsson has expressed interest in helping with that.
>> >>>>>> @Simon: are you working on this?
>> >>>>>
>> >>>>> I started on an Argon2 draft but after talking to the Argon2 team we
>> >>>>> decided to wait until Argon2 was finalized.  I suppose now is a good
>> >>>>> time to resume that work.  I'll put something up on gitlab.com so
>> >>>>> people can review and help.  If anyone wants to help, please let me
>> >>>>> know and we'll coordinate something.
>> >>>>>
>> >>>>> /Simon
>> >>>>>
>> >>>>>
>> >>>>
>> >>>>
>> >>>>
>> >>>> --
>> >>>> Joseph Lorenzo Hall
>> >>>> Chief Technologist
>> >>>> Center for Democracy & Technology
>> >>>> 1634 I ST NW STE 1100
>> >>>> Washington DC 20006-4011
>> >>>> (p) 202-407-8825
>> >>>> (f) 202-637-0968
>> >>>> joe@cdt.org
>> >>>> PGP: https://josephhall.org/gpg-key
>> >>>> fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871
>> >>>>
>> >>>
>> >>>
>> >>>
>> >>> --
>> >>> ---------------------------------
>> >>> Prof. Dr. Alex Biryukov,
>> >>> FSTC/CSC, University of Luxembourg,
>> >>> 6, rue Richard Coudenhove-Kalergi,
>> >>> L-1359 Luxembourg-Kirchberg
>> >>> LUXEMBOURG
>> >>> Tel:  +352 46 66 44 6793
>> >>> Fax: +352 46 66 44 5500
>> >>>
>> >>
>> >>
>>

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.