Crypto Forum Research Group Minutes from IETF 87 Meeting

Randomized hashing
----------------------------

After the presentation by Quynh Dang on randomized hashing, a poll was taken of the room on whether the CFRG should encourage the use of randomized hashing. About 50% of the room supported this. Two points were raised:

1) The CFRG is a research group; supporting a hook for Randomized Hashing in future protocols amounts to little more than building in a 2-octet TLV with the length set to zero. If at some future time RH becomes necessary, the TLV, now with non-zero length, would support a rapid transition to Randomized Hashing.

2) There are many other areas, many more pressing than RH, where a little foresight now could avoid cryptographic catastrophes. An excellent point; we hope the mailing list will help us identify such opportunities to mitigate potential and existing problems.

Review of Drafts in Progress
--------------------------------------

1) OCB mode: the authors are reworking the draft, incorporating suggestions made on the mailing list. We anticipate this moving quickly through Last Call.

2) DRAGONFLY PAKE: The author is working on a new (and hopefully final) draft. In response to questions from the audience it became clear that in some applications the password will be manually entered by a human, but in other applications, particularly 802.15.9, the password might be pre-programmed into the device, effectively making it a pre-shared key.

3) Hash Based Signatures: feedback to date positive; draft undergoing revision, to include some exemplar code.

4) Survey of IETF Usage of Symmetric Key Encryption Algorithms: nearing completion. Added Salsa20; cleaning up in preparation for a new submission. The RG thanked the author (Sean Shen) for his diligence and perseverance.

Presentation on SM2
----------------------------

Sean Shen is working on a draft translating the SM2 standard from the original Chinese to English.
It is very similar to ECDSA, but not close enough to allow for code reuse. It also lists some new elliptic curves, one of which is the Chinese standard curve. He pointed out that in China there is a distinction between industrial standards and national standards. The draft is nearly complete, just cleaning up typos etc. He does not believe the curves were generated from a randomly selected seed.

Draft on Selection of Cipher Standards
---------------------------------------------------

This is an effort to use a little foresight now to avoid future disaster. Currently the IETF is heavily invested in the use of AES. Though there is at present no reason to believe there is a problem with AES, the authors feel it would be prudent to plan ahead. The first step on this path is agreeing upon a list of properties the AES replacement should have. A good starting point is the original AES design criteria, but additionally we might add some extra criteria:

1) Built on a cryptographic philosophy radically different from that of AES, to minimize the chance of a single new family of cryptanalytic attacks devastating both AES and the replacement algorithm simultaneously.

2) As nearly as possible, make the replacement algorithm a drop-in replacement for AES, both in hardware and software.

It was pointed out that there is a basic incompatibility between these two goals, especially at the hardware level. Even a seemingly trivial change will require the fabrication of new chips. However, the higher one goes in the stack, the more likely that one can achieve both goals simultaneously. At this point time ran out, so the Chairs requested folks take the discussion to the mailing list.
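As an added illustration of the hook discussed under "Randomized hashing" above (this is not code from the minutes or from any CFRG draft): a TLV of one type octet plus one length octet, whose zero-length form is the "hook present, RH not in use" case and whose non-zero form carries a salt that switches randomized hashing on. The type code RH_TYPE, the choice of SHA-256, the framing, and the simplified RMX-style randomize() transform are assumptions made for the illustration; the transform is a teaching stand-in, not any standardized randomized-hashing construction.

```python
import hashlib
import struct

# Hypothetical type code for the randomized-hashing (RH) hook; the minutes name no value.
RH_TYPE = 0x01


def encode_rh_hook(salt: bytes = b"") -> bytes:
    """Encode the hook as a 1-octet type, 1-octet length, then the salt.

    With no salt this is exactly the 2-octet TLV with length zero described
    in the minutes: the hook is present but randomized hashing is not in use.
    """
    if len(salt) > 255:
        raise ValueError("salt longer than a 1-octet length can describe")
    return bytes([RH_TYPE, len(salt)]) + salt


def decode_rh_hook(buf: bytes) -> tuple[bytes, bytes]:
    """Parse the hook from the front of buf; return (salt, remaining bytes).

    Truncation is rejected explicitly so a short or malformed hook can never be
    silently read as 'no randomization'.
    """
    if len(buf) < 2:
        raise ValueError("truncated TLV header")
    tlv_type, length = buf[0], buf[1]
    if tlv_type != RH_TYPE:
        raise ValueError(f"unexpected TLV type {tlv_type:#x}")
    if len(buf) < 2 + length:
        raise ValueError("truncated TLV value")
    return buf[2:2 + length], buf[2 + length:]


def randomize(message: bytes, salt: bytes) -> bytes:
    """Simplified RMX-style message randomization (illustration only, assumed).

    Pads the message with 0x80 then zeros to a multiple of the salt length,
    XORs it with the salt repeated, and frames it as salt || xored || len(salt).
    An empty salt returns the message unchanged, so the zero-length hook
    degrades to ordinary hashing.
    """
    if not salt:
        return message
    padded = message + b"\x80"
    padded += b"\x00" * (-len(padded) % len(salt))
    stream = salt * (len(padded) // len(salt))
    xored = bytes(a ^ b for a, b in zip(padded, stream))
    return salt + xored + struct.pack(">H", len(salt))


def hash_with_hook(hook: bytes, message: bytes) -> bytes:
    """Hash message under whatever the hook says: plain SHA-256 for a
    zero-length hook, randomized hashing once the hook carries a salt."""
    salt, rest = decode_rh_hook(hook)
    if rest:
        raise ValueError("trailing bytes after RH hook")
    return hashlib.sha256(randomize(message, salt)).digest()


def demo() -> dict:
    """Signer and verifier side by side: both consume the same hook bytes, so
    the verifier's digest matches whether or not randomization is switched on."""
    msg = b"constructed sample message"   # constructed input, not from the minutes
    salt = bytes(range(16))                # constructed 16-octet salt
    off = encode_rh_hook()                 # b"\x01\x00": hook present, RH off
    on = encode_rh_hook(salt)              # same hook, now carrying a salt
    return {
        "hook_off": off,
        "plain_matches_sha256": hash_with_hook(off, msg) == hashlib.sha256(msg).digest(),
        "rh_differs_from_plain": hash_with_hook(on, msg) != hash_with_hook(off, msg),
        "verifier_agrees": hash_with_hook(on, msg) == hash_with_hook(on, msg),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the zero-length form is that a deployed parser already knows how to skip the hook, so turning RH on later is a change to the value carried rather than to the wire format; the explicit truncation checks matter because a parser that tolerated a short hook would let an attacker strip the salt and downgrade to the unrandomized hash.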