IETF
cfrg
cfrg@jabber.ietf.org
Friday, March 12, 2021
synp has set the subject to: CFRG meeting (109 online)

GMT+0
[00:58:19] Alexey Melnikov leaves the room
[06:39:14] zulipbot leaves the room: Disconnected: closed
[06:39:19] zulipbot joins the room
[06:51:39] glen joins the room
[06:51:41] glen leaves the room
[07:10:39] mcint joins the room
[07:12:05] glen joins the room
[07:12:09] glen leaves the room
[11:04:55] Alexey Melnikov joins the room
[11:40:53] Alexey Melnikov leaves the room
[11:41:53] Yoshiro Yoneya joins the room
[11:47:42] Meetecho joins the room
[11:47:53] athompson joins the room
[11:50:01] sftcd joins the room
[11:50:03] Stanislav Smyshlyaev_web_315 joins the room
[11:50:03] Deb Cooley_web_989 joins the room
[11:50:03] Stefan-Lukas Gazdag_web_835 joins the room
[11:50:03] Giles Van Assche_web_501 joins the room
[11:50:03] Nasrul Zikri_web_174 joins the room
[11:50:03] Alyssa Thompson_web_799 joins the room
[11:50:03] Chelsea Komlo_web_149 joins the room
[11:50:03] Paolo Saviano_web_766 joins the room
[11:50:03] Björn Haase_web_235 joins the room
[11:50:35] Alyssa Thompson_web_799 leaves the room
[11:50:37] Robin Wilton_web_103 joins the room
[11:50:42] Nick Sullivan_web_828 joins the room
[11:50:58] sofia celi joins the room
[11:51:19] Richard Barnes_web_755 joins the room
[11:52:30] Quynh Dang_web_720 joins the room
[11:52:48] <Paolo Saviano_web_766> yes we can hear you
[11:52:49] <Deb Cooley_web_989> yes'
[11:52:53] <Stefan-Lukas Gazdag_web_835> yes
[11:53:04] Clint McKay_web_936 joins the room
[11:53:17] Watson Ladd_web_254 joins the room
[11:53:25] Christopher Wood_web_994 joins the room
[11:53:38] Randy Bush_web_661 joins the room
[11:53:50] <Watson Ladd_web_254> The topic says 109 and it's done that in a few different meetings
[11:53:59] Armando Faz-Hernández_web_928 joins the room
[11:54:14] Sofia Celi_web_660 joins the room
[11:54:32] Chelsea Komlo_web_149 leaves the room
[11:54:58] Giles Van Assche_web_501 leaves the room
[11:55:11] Giles Van Assche_web_518 joins the room
[11:55:27] Yoav Nir_web_699 joins the room
[11:55:28] Alexey Melnikov_web_334 joins the room
[11:55:33] Göran Selander_web_193 joins the room
[11:55:39] Daiki Ueno_web_718 joins the room
[11:55:57] Scott Fluhrer_web_411 joins the room
[11:56:37] cw-ietf joins the room
[11:56:57] Erik Kline_web_891 joins the room
[11:56:59] Rob Austein_web_447 joins the room
[11:57:02] Luigi Iannone_web_268 joins the room
[11:57:08] Benjamin Kaduk_web_822 joins the room
[11:57:31] cw-ietf leaves the room
[11:57:37] Chris Lemmons_web_873 joins the room
[11:57:39] Kirsty Paine_web_375 joins the room
[11:58:00] Steven Valdez_web_646 joins the room
[11:58:27] Shu-Fang Hsu_web_182 joins the room
[11:58:31] Stephen Farrell_web_948 joins the room
[11:58:38] Shu-Fang Hsu_web_182 leaves the room
[11:58:46] Stuart Card_web_271 joins the room
[11:58:54] Dan McArdle_web_706 joins the room
[11:59:00] Rich Salz_web_489 joins the room
[11:59:01] Bill Munyan_web_635 joins the room
[11:59:14] Jonathan Hammell_web_232 joins the room
[11:59:27] Chelsea Komlo_web_663 joins the room
[11:59:30] Steffen Klassert_web_143 joins the room
[11:59:33] Thomas Fossati_web_347 joins the room
[11:59:34] Shu-Fang Hsu_web_197 joins the room
[11:59:35] Stavros Kousidis_web_454 joins the room
[11:59:50] athompson leaves the room: Disconnected: BOSH client silent for over 60 seconds
[11:59:57] Burt Kaliski_web_556 joins the room
[11:59:59] athompson joins the room
[12:00:09] Dan Harkins_web_587 joins the room
[12:00:15] Jonathan Hoyland_web_147 joins the room
[12:00:18] Ira McDonald_web_152 joins the room
[12:00:25] <Watson Ladd_web_254> we can hear you!
[12:00:25] Scott Fluhrer_web_411 leaves the room
[12:00:26] <Rich Salz_web_489> have to set it via a jabber client.
[12:00:26] Yumi Sakemi_web_770 joins the room
[12:00:29] Valery Smyslov_web_128 joins the room
[12:00:31] Scott Fluhrer_web_853 joins the room
[12:00:33] Julia Len_web_961 joins the room
[12:00:40] Satoru Kanno_web_916 joins the room
[12:00:42] Martin Thomson_web_546 joins the room
[12:00:50] Tommy Pauly_web_605 joins the room
[12:01:09] <Watson Ladd_web_254> slides have not advanced
[12:01:21] jhoyla joins the room
[12:01:23] Joseph Salowey_web_269 joins the room
[12:01:37] Alessandro Amirante_web_828 joins the room
[12:01:47] Daniel Migault_web_959 joins the room
[12:02:02] <Ira McDonald_web_152> no slides are turning
[12:02:05] Jeffrey Yasskin_web_752 joins the room
[12:02:19] Mike Bishop_web_600 joins the room
[12:02:20] Russ Housley_web_509 joins the room
[12:02:26] Kyle Hogan_web_292 joins the room
[12:02:32] Colin Perkins_web_414 joins the room
[12:02:42] Hugo Kobayashi_web_690 joins the room
[12:02:47] <Deb Cooley_web_989> and possibly put it into slide show mode?
[12:03:10] Alessandro Amirante_web_828 leaves the room
[12:03:14] cw-ietf joins the room
[12:03:19] Kyle Hogan joins the room
[12:03:21] Akbar Rahman_web_383 joins the room
[12:03:38] Kyle Rose_web_162 joins the room
[12:03:40] Tero Kivinen_web_628 joins the room
[12:03:50] Alyssa Thompson_web_691 joins the room
[12:04:08] David Oliver_web_760 joins the room
[12:04:12] Alexander Mayrhofer_web_959 joins the room
[12:04:13] Jonathan Hoyland_web_147 leaves the room
[12:04:30] kaduk@jabber.org/barnowl joins the room
[12:04:34] Jonathan Hoyland_web_159 joins the room
[12:04:45] Alex Davidson_web_481 joins the room
[12:04:50] Peter Koch_web_686 joins the room
[12:04:51] Paolo Saviano_web_766 leaves the room
[12:04:51] Watson Ladd_web_254 leaves the room
[12:04:56] Paolo Saviano_web_873 joins the room
[12:04:57] Watson Ladd_web_677 joins the room
[12:05:10] <Alexey Melnikov_web_334> @Deb: Stanislav tried, it didn't work
[12:05:12] Alexander Mayrhofer_web_959 leaves the room
[12:05:22] synp joins the room
[12:06:07] synp has set the subject to: CFRG meeting (110 online)
[12:06:42] <Kyle Rose_web_162> IRTF chair privilege :-)
[12:06:52] Matthew Finkel_web_717 joins the room
[12:07:02] <Yoav Nir_web_699> (Finally figured out where to set the topic in my phone client)
[12:07:06] Steven Valdez_web_646 leaves the room
[12:07:11] Steven Valdez_web_253 joins the room
[12:07:22] <Martin Thomson_web_546> Argon has 2, Kangaroo has 12.  These names...
[12:07:29] Chi-Jiun Su_web_883 joins the room
[12:07:33] <Watson Ladd_web_677> computers: just because we make them doesn't mean we know how to use them
[12:07:34] Taiji Kimura_web_300 joins the room
[12:07:56] Dmitry Belyavskiy_web_493 joins the room
[12:08:56] Phillip Hallam-Baker_web_488 joins the room
[12:09:30] <Colin Perkins_web_414> This RG is /really/ good at acronyms... can't keep up :)
[12:10:04] Chi-Jiun Su_web_883 leaves the room
[12:10:38] John Preuß Mattsson_web_784 joins the room
[12:10:42] Burt Kaliski_web_556 leaves the room
[12:12:58] Joseph Salowey_web_269 leaves the room
[12:13:00] Jon Hudson_web_600 joins the room
[12:13:03] Joseph Salowey_web_482 joins the room
[12:13:03] Tero Kivinen_web_628 leaves the room
[12:13:07] Tero Kivinen_web_539 joins the room
[12:16:02] Alexey Melnikov_web_334 leaves the room
[12:16:08] Alexey Melnikov_web_133 joins the room
[12:16:15] <Martin Thomson_web_546> What do you believe needs to happen to finish this work?
[12:17:17] <Giles Van Assche_web_518> @Martin: for me it is finished modulo confirmations.
[12:18:43] Burt Kaliski_web_761 joins the room
[12:20:29] Daiki Ueno_web_718 leaves the room
[12:20:34] Daiki Ueno_web_155 joins the room
[12:21:05] Burt Kaliski_web_761 leaves the room
[12:21:43] Christian Elmerot_web_443 joins the room
[12:21:43] Burt Kaliski_web_269 joins the room
[12:21:52] Michael StJohns_web_745 joins the room
[12:22:33] <Martin Thomson_web_546> Thanks Giles.
[12:23:14] Burt Kaliski_web_269 leaves the room
[12:24:10] Burt Kaliski_web_960 joins the room
[12:24:33] Jean-Michel Combes_web_127 joins the room
[12:25:30] Jean-Michel Combes_web_127 leaves the room
[12:25:34] Jean-Michel Combes_web_518 joins the room
[12:25:40] Satoru Kanno_web_916 leaves the room
[12:25:44] Satoru Kanno_web_802 joins the room
[12:26:52] <Richard Barnes_web_755> @Colin - they also take it to the next level by requiring that every acronym be followed by several digits
[12:27:07] <Martin Thomson_web_546> Could these suggestions be raised as issues on the h2c draft, or maybe as suggested text?
[12:27:10] Jennifer Gabriel_web_423 joins the room
[12:27:21] <kaduk@jabber.org/barnowl> Do the digits need to be selected from a CSPRNG?
[12:27:28] Chonggang Wang_web_830 joins the room
[12:27:45] <Richard Barnes_web_755> that's the only way i can imagine we arrived at X25519
[12:28:01] Sergey Myasoedov_web_590 joins the room
[12:28:10] <Martin Thomson_web_546> 25519 is 2^255-19, so it's fairly obvious how we got there.
[12:28:21] <Richard Barnes_web_755> i was joking, martin
[12:28:22] <Jeffrey Yasskin_web_752> Next innovation: include all of: a number of rounds, an exponent, and a version number.
[12:28:27] Matthias Hudobnik_web_757 joins the room
[12:28:41] <Watson Ladd_web_677> ChaCha20Poly1305v1
[12:28:43] <Martin Thomson_web_546> I am clearly not alert enough to pick up on sarcasm.
[12:28:47] <Deb Cooley_web_989> animal choice is also via a RNG
[12:28:56] <Robin Wilton_web_103> Wait, is this for a naming convention, or a set of password rules?
[12:29:06] <Richard Barnes_web_755> Pony35Salmon167v5
[12:29:09] Daiki Ueno_web_155 leaves the room
[12:29:13] Daiki Ueno_web_135 joins the room
[12:29:14] <Deb Cooley_web_989> ^^^
[12:29:14] <Robin Wilton_web_103> ^3
[12:29:26] Frederic Jacobs_web_296 joins the room
[12:29:30] <Martin Thomson_web_546> Name of first pet plus street name of first house.
[12:29:53] <Deb Cooley_web_989> house number
[12:29:56] <Robin Wilton_web_103> Code Violation - Fined 5 Credits
[12:29:58] <Rich Salz_web_489> No, that conflicts with your adult entertainment name
[12:30:06] <Deb Cooley_web_989> whoops
[12:30:21] Dan McArdle_web_706 leaves the room
[12:30:23] <Robin Wilton_web_103> I see it's IETFriday, then...
[12:30:25] Dan McArdle_web_951 joins the room
[12:30:31] <Martin Thomson_web_546> Mother's maiden name, plus the last 4 digits of social security number.
[12:30:44] <Richard Barnes_web_755> very much that vibe robin
[12:31:13] Tadahiko Ito_web_426 joins the room
[12:32:59] Brad Gorman_web_509 joins the room
[12:33:50] <Watson Ladd_web_677> thanks!
[12:34:03] <Deb Cooley_web_989> someone spelled alligator wrong.
[12:34:08] <Deb Cooley_web_989> someone
[12:34:17] Armando Faz-Hernández_web_928 leaves the room
[12:34:23] Armando Faz-Hernández_web_962 joins the room
[12:34:49] <Martin Thomson_web_546> it's fairly clear that misspelling is expected
[12:34:59] <Watson Ladd_web_677> the comment I didn't make at the mike because it's completely technical: you can commute the isogeny in elligator and the multiplication if you really care
[12:36:03] <Watson Ladd_web_677> we need an isogeny based prime order group called Croc-ell-dile
[12:36:25] <Richard Barnes_web_755> Crocidelle
[12:36:45] <Richard Barnes_web_755> Crocodelle
[12:36:52] Satoru Kanno_web_802 leaves the room
[12:37:04] Satoru Kanno_web_376 joins the room
[12:37:32] Erik Kline_web_891 leaves the room
[12:42:45] Martin Thomson_web_546 leaves the room
[12:42:50] Martin Thomson_web_798 joins the room
[12:45:09] <Dan Harkins_web_587> leave external mode to an RFC to update this one if the need arises.
[12:47:02] Benjamin Schwartz_web_563 joins the room
[12:47:22] <Rich Salz_web_489> That seems cleaner Dan.
[12:47:27] <Jonathan Hoyland_web_159> Do you have to generate the fake response in constant time?
[12:47:51] <Richard Barnes_web_755> I thought Chris's justification about fitting it in the analysis envelope compelling
[12:49:55] <Robin Wilton_web_103> Might the solutions to #22 also help defend against so-called "ghost" proposals   (i.e. attempts to add silent listeners to encrypted conversations by, in part, suppressing things like key roll-over messages)?
[12:50:12] <Jeffrey Yasskin_web_752> Is the overall threat model for this documented somewhere? In draft-irtf-cfrg-opaque-03, I only see defense against offline attacks when the server is compromised and the attacker doesn't know usernames and passwords, but then the defense against an attacker who *knows* the username+password doesn't fit in.
[12:50:22] Rob Austein_web_447 leaves the room
[12:50:22] Justus Winter_web_834 joins the room
[12:50:26] Rob Austein_web_744 joins the room
[12:50:29] <Watson Ladd_web_677> who knows the username and password?
[12:50:41] Jeffrey Yasskin_web_752 leaves the room
[12:50:42] Chelsea Komlo_web_663 leaves the room
[12:50:47] Jeffrey Yasskin_web_614 joins the room
[12:50:47] Chelsea Komlo_web_603 joins the room
[12:50:55] <Jeffrey Yasskin_web_614> The #84 slide seemed to assume an attacker who uses the username+password to recover a private key.
[12:51:06] <Jeffrey Yasskin_web_614> I could be misunderstanding.
[12:51:11] <Watson Ladd_web_677> no, this is probing the registration to see if a user exists
[12:51:30] <Jeffrey Yasskin_web_614> That was #22
[12:51:39] Frederic Jacobs_web_296 leaves the room
[12:51:42] <Christopher Wood_web_994> Yeah, the issue is an attacker specifically trying to learn if a client exists
[12:51:43] Frederic Jacobs_web_875 joins the room
[12:51:48] Frederic Jacobs_web_875 leaves the room
[12:52:07] Frederic Jacobs_web_307 joins the room
[12:52:15] <Watson Ladd_web_677> #84? no that's not security, just convenience
[12:52:23] <Watson Ladd_web_677> at least as far as I understand it
[12:52:27] Robert Moskowitz_web_995 joins the room
[12:52:31] <Jeffrey Yasskin_web_614> Defense against learning that a client exists is also not in an obvious place in the draft though.
[12:52:56] <Christopher Wood_web_994> #84 is convenience
[12:53:00] <Christopher Wood_web_994> #22 is security
[12:53:16] <Jeffrey Yasskin_web_614> I misunderstood the slide then, thanks.
[12:53:18] <Christopher Wood_web_994> @Jeffrey issues against the draft welcome :)
[12:53:36] <Jeffrey Yasskin_web_614> I will try to file a coherent one. :)
[12:53:41] <Christopher Wood_web_994> Thanks!
[12:54:26] <Christopher Wood_web_994> > Do you have to generate the fake response in constant time?
@Jonathan: The proposed change runs the same server procedure for existent and non-existent users, but there is some external and unavoidable application goop that runs to determine if a user exists or not
[12:54:28] Robert Moskowitz joins the room
[12:56:43] Yunchul Choi_web_427 joins the room
[12:57:51] Jennifer Gabriel_web_423 leaves the room
[12:58:11] Georgia Fragkouli_web_960 joins the room
[12:58:52] Alex Davidson_web_481 leaves the room
[12:59:58] <Deb Cooley_web_989> someone has a hot mic, or a purring cat?
[13:00:13] <Richard Barnes_web_755> i was finding the purring comforting
[13:00:15] <Jonathan Hoyland_web_159> It's probably Chris' snoring dog.
[13:00:17] <Richard Barnes_web_755> might be Wood's dog
[13:00:25] <Deb Cooley_web_989> oh that's probably is.
[13:00:26] <Deb Cooley_web_989> it
[13:00:28] <Martin Thomson_web_798> it's a bear
[13:00:35] <Richard Barnes_web_755> Wood's dogs are bear-sized
[13:00:39] <Deb Cooley_web_989> it does sound more like snoring
[13:00:48] <Rich Salz_web_489> ASMR for 111 anyone?
[13:04:00] Herman Ramos_web_990 joins the room
[13:04:11] <John Preuß Mattsson_web_784> It's manbearpig
[13:04:44] <Richard Barnes_web_755> further reliance on RSA makes me pretty sad
[13:04:47] <Watson Ladd_web_677> n of n is not that bad via multiplicatively splitting d and working with N everywhere. also can remove bits from the signature and recover them via continued fractions. but that's very much not supported. it's in DJB's papers in the MSRI book
[13:06:18] Satoru Kanno_web_376 leaves the room
[13:06:44] Stefan-Lukas Gazdag_web_835 leaves the room
[13:06:50] <Robin Wilton_web_103> I think Chris' dog is either unimpressed,  bored, or both ;^o
[13:07:08] <Deb Cooley_web_989> might need a picture
[13:07:13] <Deb Cooley_web_989> of the dog
[13:07:16] <Deb Cooley_web_989> pig
[13:07:19] <Deb Cooley_web_989> whatever
[13:07:19] <Robin Wilton_web_103> bear
[13:07:21] <Watson Ladd_web_677> +1 to Deb
[13:07:22] <Mike Bishop_web_600> It's 5 AM there, no?  Surely just still asleep.
[13:07:24] <Alexey Melnikov_web_133> Chris' ability to talk despite the snoring is impressive :-)
[13:07:49] <Deb Cooley_web_989> he probably doesn't hear it anymore.
[13:07:51] <Rich Salz_web_489> clarifying question: can we see the dog
[13:07:52] <Christopher Wood_web_994> LOL.
[13:08:06] <Deb Cooley_web_989> picture, seriously
[13:08:11] <Steven Valdez_web_253> +1
[13:08:12] <John Preuß Mattsson_web_784> +1
[13:08:17] <Deb Cooley_web_989> #sorrynotsorry
[13:08:38] <Robin Wilton_web_103> :bear:
[13:08:50] <Martin Thomson_web_798> this is not a cute dog.  it's bigger than Chris
[13:09:45] <John Preuß Mattsson_web_784> 1) Yes,
2) Probably, but not ruling out other types of blind signatures.
[13:09:56] <Kyle Rose_web_162> WTH is that?
[13:09:57] <Richard Barnes_web_755> Chris: maybe you could mute the dog while other folks are talking :)
[13:10:19] <Christopher Wood_web_994> Done
[13:10:23] Matthias Hudobnik_web_757 leaves the room
[13:12:42] Richard Barnes_web_755 leaves the room
[13:12:48] Richard Barnes_web_718 joins the room
[13:15:05] Stephen Strowes_web_899 joins the room
[13:15:30] Stephen Strowes_web_899 leaves the room
[13:15:36] Stephen Strowes_web_900 joins the room
[13:15:47] Park Jung-Soo_web_263 joins the room
[13:17:52] <Deb Cooley_web_989> Is the dog his Github avatar?
[13:18:51] <Steven Valdez_web_253> Might make more sense to build the abstraction to surround RSA Blind or VOPRF in the privacy pass protocol, rather than trying to pre-abstract it here?
[13:18:55] <Kirsty Paine_web_375> thanks for the presentation, Chris
[13:19:22] <Joseph Salowey_web_482> @steven I was thinking similarly
[13:19:57] Sofia Celi_web_660 leaves the room
[13:19:57] <Frederic Jacobs_web_307> @steven: Agreed.
[13:20:04] Sofia Celi_web_151 joins the room
[13:20:42] <kaduk@jabber.org/barnowl> dkg, did you know you have a protocol?
[13:20:44] Matthew Finkel_web_717 leaves the room
[13:21:14] <Richard Barnes_web_718> the protocol is: dkg hands out some keys
[13:21:27] <Alexey Melnikov_web_133> We all trust DKG :-)
[13:21:44] <Yoav Nir_web_699> This is the second time this happens in 110
[13:22:09] <Yoav Nir_web_699> There was dkgpg in OpenPGP
[13:22:12] Burt Kaliski_web_960 leaves the room
[13:22:16] Burt Kaliski_web_375 joins the room
[13:22:26] <Robin Wilton_web_103> +1 Yesterday DKG refuted the assertion that he is Linus.
[13:22:29] Stephen Strowes_web_900 leaves the room
[13:22:42] <Robin Wilton_web_103> (Next he'll be denying that he's Satoshi)
[13:22:53] <Robert Moskowitz> So Charlie Brown?
[13:23:04] <Robert Moskowitz> Oops wrong Linus.  :)
[13:23:09] <Robin Wilton_web_103> ;^)
[13:23:36] Burt Kaliski_web_375 leaves the room
[13:23:41] <Robin Wilton_web_103> IIRC the one with the keys is Schroeder.
[13:23:55] <Robert Moskowitz> !
[13:24:01] <John Preuß Mattsson_web_784> I think mandating how to generate the nonces was a mistake.
[13:24:27] <Richard Barnes_web_718> fortunately, the mistake is not visible to the verifier (IIRC)
[13:24:33] <kaduk@jabber.org/barnowl> So who is Needham, then?
[13:24:36] <Richard Barnes_web_718> so you can fix it and still be compatible with verifiers
[13:24:37] <Yoav Nir_web_699> Huh.  Seems like Mr Gilmore is not even in the room
[13:24:48] Burt Kaliski_web_975 joins the room
[13:25:11] <Robert Moskowitz> All the easier for him to hand out keys anonymously.
[13:25:17] <Martin Thomson_web_798> a DKG seems like future work, separate from this
[13:25:49] <kaduk@jabber.org/barnowl> Ah, dkg is in danish, and I just got confused about which of the two
he was talking in (I'm in both)
[13:25:51] <Richard Barnes_web_718> good point, martin
[13:25:56] <Robin Wilton_web_103> @Ben That's very good!
[13:25:59] Alex Davidson_web_181 joins the room
[13:26:21] Zachary Newman_web_628 joins the room
[13:26:37] Matthew Finkel_web_949 joins the room
[13:27:21] <Martin Thomson_web_798> BTW, if you want DKG to sign something, then he has a font: https://pkgs.org/download/fonts-dkg-handwriting
[13:28:10] Alexey Melnikov_web_133 leaves the room
[13:28:14] Alexey Melnikov_web_590 joins the room
[13:29:46] Mike StJohns joins the room
[13:29:46] Daiki Ueno_web_135 leaves the room
[13:30:01] <Christopher Wood_web_994> By popular demand: https://imgur.com/a/JL5BCED
[13:30:03] <Mike StJohns> anyone know if there's an implementation of this yet?
[13:30:14] <Phillip Hallam-Baker_web_488> Keep DKG out, if you are doing DKG for signature, you will want it for key agreement.
[13:30:49] <sofia celi> +1000 @Christopher Wood_web_994  
[13:31:42] Frederic Jacobs_web_307 leaves the room
[13:31:43] <Richard Barnes_web_718> @MSJ: i sketched up an initial 25519 implementation based on an earlier version, but as Chelsea points out, it's insecure
[13:31:46] Frederic Jacobs_web_469 joins the room
[13:31:54] <Rich Salz_web_489> Thanks @Chris!
[13:31:59] <Mike StJohns> because of the deterministic nonce.. ?
[13:32:09] <Rich Salz_web_489> I fully support your draft now.
[13:32:19] <Christopher Wood_web_994> Hah! :-)
[13:32:21] <Richard Barnes_web_718> @MSJ yep
[13:32:38] <Richard Barnes_web_718> this is a really clever attack
[13:32:49] Frederic Jacobs_web_469 leaves the room
[13:32:51] Rich Salz_web_489 leaves the room
[13:32:53] Frederic Jacobs_web_413 joins the room
[13:32:55] Rich Salz_web_378 joins the room
[13:32:56] Frederic Jacobs_web_413 leaves the room
[13:33:02] Frederic Jacobs_web_723 joins the room
[13:33:06] <Martin Thomson_web_798> yeah, this is neat: if you have a small space of potential keys (passwords in particular), this is an efficient search of that space
[13:33:22] <Martin Thomson_web_798> Not sure that I like the current set of countermeasures though.
[13:33:42] <Jonathan Hoyland_web_159> Can't the attacker remove one bit of the keyspace per query?
[13:33:58] <Jonathan Hoyland_web_159> i.e. break 128 bit key space in 128 queries?
[13:34:05] <Watson Ladd_web_677> no, they learn a certain amount of information
[13:34:11] <Watson Ladd_web_677> namely that its in or out of the set
[13:34:21] <Watson Ladd_web_677> but that's less than a bit if the keyspace is big
[13:34:30] Frederic Jacobs_web_723 leaves the room
[13:34:31] <Martin Thomson_web_798> it's a random slice through the keyspace
[13:34:34] Frederic Jacobs_web_734 joins the room
[13:34:39] Sofia Celi_web_151 leaves the room
[13:34:39] <Martin Thomson_web_798> not a straight 50/50
[13:34:43] Frederic Jacobs_web_734 leaves the room
[13:34:46] Sofia Celi_web_327 joins the room
[13:34:47] Frederic Jacobs_web_289 joins the room
[13:34:55] <Jonathan Hoyland_web_159> Right, so if I include all keys that start with 1 in my first search, and then all keys that start 11 in my second, etc.
[13:35:05] <Watson Ladd_web_677> you can't do that first search
[13:35:26] <Scott Fluhrer_web_853> Question: why is encrypt-then-hmac less efficient than hash key check?
[13:35:34] <Watson Ladd_web_677> the computation of the ciphertext is matrix multiplication exponent  in size of the keyspace
[13:35:42] <Jonathan Hoyland_web_159> Ah, I see.
[13:35:46] <Martin Thomson_web_798> Scott: maybe input length
[13:35:54] <Martin Thomson_web_798> key vs. entire message
[13:36:03] <Jonathan Hoyland_web_159> So you could do that attack, but it would require huge amounts of pre-computation.
[13:36:12] <Richard Barnes_web_718> AES-CTR + HMAC seems like the obvious thing to standardize, since it's what everyone uses anyway
[13:36:20] <Watson Ladd_web_677> no. the message would also be really long
[13:36:21] <Robert Moskowitz> If HMAC is less efficient would using KMAC make up the difference?
[13:36:33] Geng-Da Tsai_web_606 joins the room
[13:36:38] Frederic Jacobs_web_289 leaves the room
[13:36:42] Frederic Jacobs_web_950 joins the room
[13:36:49] <Phillip Hallam-Baker_web_488> So the A part of AEAD doesn't work???
[13:36:55] Frederic Jacobs_web_950 leaves the room
[13:36:59] Frederic Jacobs_web_623 joins the room
[13:37:04] Geng-Da Tsai_web_606 leaves the room
[13:37:08] Geng-Da Tsai_web_223 joins the room
[13:37:20] <Robert Moskowitz> Which A, Phill?
[13:37:29] <Scott Fluhrer_web_853> Phillip: no, these attacks live within the authentication guarantees of GCM/Poly.
[13:37:46] Alexey Melnikov_web_590 leaves the room
[13:37:50] Alexey Melnikov_web_593 joins the room
[13:39:04] <Frederic Jacobs_web_623> Remember this one? https://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-05
[13:39:07] <Phillip Hallam-Baker_web_488> @Scott so why not use OCB-3?
[13:39:43] <Watson Ladd_web_677> is OCB-3 committing?
[13:39:44] Geng-Da Tsai_web_223 leaves the room
[13:40:11] <Richard Barnes_web_718> Here is the AES-CTR + HMAC construction I wrote up for SFrame https://tools.ietf.org/html/draft-omara-sframe-01#section-4.5.1
[13:40:13] Herman Ramos_web_990 leaves the room
[13:40:48] <Frederic Jacobs_web_623> @Richard: I think factoring that out would be of interest.
[13:40:48] <Richard Barnes_web_718> Note that the reason CTR+HMAC is desirable there (vs. GCM) is that it allows arbitrary truncation of the auth tag, not that it's key committing
[13:41:12] Herman Ramos_web_215 joins the room
[13:41:16] Herman Ramos_web_215 leaves the room
[13:41:25] <Martin Thomson_web_798> minimum entropy -> size of key?
[13:41:46] <Benjamin Schwartz_web_563> Martin: Strictly, number of keys
[13:41:48] Ira McDonald_web_152 leaves the room
[13:41:53] Ira McDonald_web_476 joins the room
[13:42:10] <Martin Thomson_web_798> I measure entropy in bits, but sure.
[13:42:16] <Watson Ladd_web_677> not nits
[13:42:24] <Benjamin Schwartz_web_563> I believe (perhaps incorrectly) that this attack relies on the attacker knowing that only a subset of the keyspace is actually in use
[13:42:42] <Benjamin Schwartz_web_563> (and knowing roughly which subset that is)
[13:43:06] <Watson Ladd_web_677> yes, but there's another thing not really discussed in the slides. which is someone who knows the key computing a message that decrypts differently under a different key e.g. in content moderation
[13:44:58] Jan Včelák_web_699 joins the room
[13:45:43] <Julia Len_web_961> "i.e. break 128 bit key space in 128 queries?" @Jonathan Hoyland: not sure if this was answered yet but the limiting factor here is generating the ciphertexts. The length is proportional to the number of keys and it takes about O(k^2), where k = number of keys, to compute the ciphertext. But otherwise, would be a cool hypothetical attack!
[13:46:27] <Jonathan Hoyland_web_159> @Julia I see, thanks :blush:
[13:46:43] Jeffrey Yasskin_web_614 leaves the room
[13:48:11] <Julia Len_web_961> "Question: why is encrypt-then-hmac less efficient than hash key check?" @Scott Fluhrer: encrypt-then-hmac is still a great option but some of these polynomial MACs like GHASH and Poly1305 are a bit faster so others might prefer those.
[13:48:41] <Steven Valdez_web_253> Not sure if the lack of proof for the naive construction is a problem? Since all of these need some sort of key commitment somewhere and the key commitment for the naive one just contains all the keys.
[13:49:02] <Julia Len_web_961> "If HMAC is less efficient would using KMAC make up the difference?" @Robert Moskowitz: We haven't looked into KMAC but that
[13:49:11] <Julia Len_web_961> is a great suggestion and something we'll look into
[13:49:24] <Nick Sullivan_web_828> Note for Chris: the term "Attribute-Based" might be confused with Attribute-Based Encryption, which does use pairings.
[13:49:45] <Robert Moskowitz> HMAC is 2 SHA operations.  KMAC is 1 sponge operation.
[13:50:31] Randy Bush_web_661 leaves the room
[13:50:37] <Scott Fluhrer_web_853> Is one 1 sponge operation cheaper than 2 SHA compression ops?  Not sure, but I wouldn't think so...
[13:51:25] <Robert Moskowitz> with sha-256 = SHAKE in performance, I would say so.
[13:51:30] <Alex Davidson_web_181> > Note for Chris: the term "Attribute-Based" might be confused with Attribute-Based Encryption, which does use pairings.
Attribute-based encryption is only linked to pairings in as much as there are constructions from pairings. There are also constructions from LWE.
[13:51:50] <Julia Len_web_961> "is OCB-3 committing?" @Watson Ladd: it's not. see here (https://eprint.iacr.org/2020/1456.pdf)
[13:52:03] Chonggang Wang_web_830 leaves the room
[13:52:36] <Watson Ladd_web_677> thanks
[13:53:03] <Nick Sullivan_web_828> Thanks, Alex
[13:55:44] <Julia Len_web_961> "I believe (perhaps incorrectly) that this attack relies on the attacker knowing that only a subset of the keyspace is actually in use" @Benjamin Schwartz: this is correct. This attack is useful for low-entropy keys, like passwords. It does rely on the attacker having something like a leaked password dataset with likely passwords
[13:55:45] Ira McDonald_web_476 leaves the room
[13:56:27] <Benjamin Schwartz_web_563> @Julia it sounds like 64 bits might be the right minimum entropy for some applications, if the construction is O(k^2)
[13:56:41] <Benjamin Schwartz_web_563> Or more generally, keysize/2
[13:56:50] David Oliver_web_760 leaves the room
[13:57:21] <Benjamin Schwartz_web_563> (Needs more thought...)
[13:58:32] Sergey Myasoedov_web_590 leaves the room
[13:58:47] <Julia Len_web_961> I should add that there do exist faster algorithms that can make these ciphertexts in O(k * log^2 k). I agree, it deserves more thought.
[13:59:04] <Watson Ladd_web_677> it's a Vandermonde matrix right?
[13:59:16] <Julia Len_web_961> yes that's right
[13:59:17] Peter Koch_web_686 leaves the room
[13:59:19] <Alexey Melnikov_web_593> Or email chairs if you are interested in PHB's topic
[13:59:25] Sofia Celi_web_327 leaves the room
[13:59:25] Colin Perkins_web_414 leaves the room
[13:59:33] Colin Perkins_web_890 joins the room
[13:59:33] <Kirsty Paine_web_375> maybe if you can make your work fit a privacy pass requirement, that would work PHB...
[13:59:40] <Phillip Hallam-Baker_web_488> It was not just me.
[13:59:43] Jean-Michel Combes_web_518 leaves the room
[13:59:54] Yoshiro Yoneya leaves the room
[14:00:18] <Phillip Hallam-Baker_web_488> Of course if you wait a year, momentum is lost and people forget what the proposal was
[14:00:34] <Phillip Hallam-Baker_web_488> privacy pass requirement?
[14:00:47] Mike Bishop_web_600 leaves the room
[14:00:47] Zachary Newman_web_628 leaves the room
[14:00:50] Chelsea Komlo_web_603 leaves the room
[14:00:51] Hugo Kobayashi_web_690 leaves the room
[14:00:51] Nick Sullivan_web_828 leaves the room
[14:00:51] Martin Thomson_web_798 leaves the room
[14:00:52] Joseph Salowey_web_482 leaves the room
[14:00:52] Kyle Hogan_web_292 leaves the room
[14:00:53] Christopher Wood_web_994 leaves the room
[14:00:53] Dmitry Belyavskiy_web_493 leaves the room
[14:00:53] Tero Kivinen_web_539 leaves the room
[14:00:53] Jonathan Hammell_web_232 leaves the room
[14:00:54] Alyssa Thompson_web_691 leaves the room
[14:00:54] <Robin Wilton_web_103> Thanks everyone!
[14:00:54] Chris Lemmons_web_873 leaves the room
[14:00:55] Luigi Iannone_web_268 leaves the room
[14:00:55] Scott Fluhrer_web_853 leaves the room
[14:00:56] Dan Harkins_web_587 leaves the room
[14:00:56] Benjamin Kaduk_web_822 leaves the room
[14:00:56] Watson Ladd_web_677 leaves the room
[14:00:56] Tommy Pauly_web_605 leaves the room
[14:00:57] Colin Perkins_web_890 leaves the room
[14:00:58] Georgia Fragkouli_web_960 leaves the room
[14:00:58] Richard Barnes_web_718 leaves the room
[14:00:59] Frederic Jacobs_web_623 leaves the room
[14:00:59] Rich Salz_web_378 leaves the room
[14:00:59] Valery Smyslov_web_128 leaves the room
[14:01:00] <Robert Moskowitz> bye
[14:01:00] Kirsty Paine_web_375 leaves the room
[14:01:00] Yoav Nir_web_699 leaves the room
[14:01:01] Clint McKay_web_936 leaves the room
[14:01:02] Robert Moskowitz leaves the room
[14:01:03] Steffen Klassert_web_143 leaves the room
[14:01:03] cw-ietf leaves the room
[14:01:04] Matthew Finkel_web_949 leaves the room
[14:01:06] Bill Munyan_web_635 leaves the room
[14:01:07] Julia Len_web_961 leaves the room
[14:01:08] Alex Davidson_web_181 leaves the room
[14:01:08] Dan McArdle_web_951 leaves the room
[14:01:08] Göran Selander_web_193 leaves the room
[14:01:08] Robert Moskowitz_web_995 leaves the room
[14:01:09] Steven Valdez_web_253 leaves the room
[14:01:10] Christian Elmerot_web_443 leaves the room
[14:01:12] Nasrul Zikri_web_174 leaves the room
[14:01:16] Burt Kaliski_web_975 leaves the room
[14:01:20] Yunchul Choi_web_427 leaves the room
[14:01:21] Björn Haase_web_235 leaves the room
[14:01:22] Stanislav Smyshlyaev_web_315 leaves the room
[14:01:23] Akbar Rahman_web_383 leaves the room
[14:01:24] Russ Housley_web_509 leaves the room
[14:01:30] Park Jung-Soo_web_263 leaves the room
[14:01:31] Giles Van Assche_web_518 leaves the room
[14:01:31] Shu-Fang Hsu_web_197 leaves the room
[14:01:41] Jan Včelák_web_699 leaves the room
[14:01:41] Benjamin Schwartz_web_563 leaves the room
[14:01:42] John Preuß Mattsson_web_784 leaves the room
[14:01:45] Michael StJohns_web_745 leaves the room
[14:01:49] Alexey Melnikov_web_593 leaves the room
[14:01:58] Kyle Hogan leaves the room: Disconnected: BOSH client silent for over 60 seconds
[14:02:04] athompson leaves the room
[14:02:15] Yumi Sakemi_web_770 leaves the room
[14:02:23] sofia celi leaves the room
[14:02:44] Thomas Fossati_web_347 leaves the room
[14:03:02] Justus Winter_web_834 leaves the room
[14:03:06] Armando Faz-Hernández_web_962 leaves the room
[14:03:25] Tadahiko Ito_web_426 leaves the room
[14:03:38] Deb Cooley_web_989 leaves the room
[14:03:48] Phillip Hallam-Baker_web_488 leaves the room
[14:04:00] Kyle Rose_web_162 leaves the room
[14:05:25] Meetecho leaves the room
[14:06:38] Robin Wilton_web_103 leaves the room
[14:06:38] Stephen Farrell_web_948 leaves the room
[14:06:38] Stuart Card_web_271 leaves the room
[14:06:38] Stavros Kousidis_web_454 leaves the room
[14:06:38] Jonathan Hoyland_web_159 leaves the room
[14:06:38] Quynh Dang_web_720 leaves the room
[14:06:38] Daniel Migault_web_959 leaves the room
[14:06:38] Paolo Saviano_web_873 leaves the room
[14:06:38] Jon Hudson_web_600 leaves the room
[14:06:38] Brad Gorman_web_509 leaves the room
[14:06:38] Rob Austein_web_744 leaves the room
[14:06:38] Taiji Kimura_web_300 leaves the room
[14:12:14] sftcd leaves the room
[14:14:08] sofia celi joins the room
[14:20:14] sofia celi leaves the room
[14:22:22] sofia celi joins the room
[14:35:49] kaduk@jabber.org/barnowl leaves the room
[16:16:59] Mike StJohns leaves the room
[16:25:16] jhoyla leaves the room
[16:26:27] jhoyla joins the room
[17:59:57] sofia celi leaves the room
[18:02:25] jhoyla leaves the room
[18:08:24] sofia celi joins the room
[18:09:52] sofia celi leaves the room
[18:54:57] sofia celi joins the room
[19:25:37] sofia celi leaves the room