This repository includes the source material for the CFRG PAKE selection process (summer of 2019), and a summary of the published reviews of the 8 candidates.

Name | Submitters | Round 2 | Authoritative Source | Additional Content | Comments |
---|---|---|---|---|---|
SPAKE2 | Benjamin Kaduk, Watson Ladd | ✓ | draft-irtf-cfrg-spake2-09 (updated) | Requirements | |
J-PAKE | Feng Hao | | RFC8236 | Requirements | |
SPEKE | Dan Harkins | | https://eprint.iacr.org/2014/585 | Requirements | Submitter note: The only thing to add is that when SPEKE is used with ECC a hash-to-curve method from the RFC that comes out of the CFRG (when it comes out of the CFRG) is necessary to produce the secret generator that SPEKE requires. |
CPace | Björn Haase | ✓ | https://eprint.iacr.org/2018/286 (updated) | Addendum Corrigendum Simulator Code | |

Name | Submitters | Round 2 | Authoritative Source | Additional Content | Comments |
---|---|---|---|---|---|
OPAQUE | Hugo Krawczyk | ✓ | draft-krawczyk-cfrg-opaque-03 | Requirements | |
AuCPace | Björn Haase | ✓ | https://eprint.iacr.org/2018/286 (updated) | Addendum Corrigendum Simulator Code | |
VTBPEKE | Guilin Wang | | https://www.di.ens.fr/david.pointcheval/Documents/Papers/2017_asiaccsB.pdf | Requirements | |
BSPAKE | Steve Thomas | | Information Requirements | | |

The table below lists all reviews submitted to the CFRG mailing list. We mention only the first message of each mail thread. Reviewers who feel the initial message does not reflect their latest position are requested to provide feedback (see below), preferably with a single message/file that covers their entire review.
The table below lists all overall reviews submitted by the Crypto Review Panel members during Stage 5 of the PAKE selection process.
Author | Link |
---|---|
Bjoern Tackmann | https://mailarchive.ietf.org/arch/msg/cfrg/1sNu9USxo1lnFdzCL5msUFKBjzM |
Stanislav Smyshlyaev | https://docs.google.com/document/d/1-vzeCtSrm7zfoolr1JQdNqtp6KrtVEjitkH0OmjKapc/edit?usp=sharing |
Russ Housley | https://docs.google.com/document/d/1L6lqueEB70C4QptEnjfWx-bhBdg6cT73ymmmm9WUAR0/edit?usp=sharing |
Yaron Sheffer | review |
- (to SPAKE2): Can you propose a modification of SPAKE2 (preserving all existing good properties of PAKE2) with a correspondingly updated security proof, addressing the issue of a single discrete log relationship necessary for the security of all sessions (e.g., solution based on using M=hash2curve(A|B), N=hash2curve(B|A))?
- (to CPace and AuCPace): Can you propose a modification of CPace and AuCPace (preserving all existing good properties of these PAKEs) with a correspondingly updated security proof (maybe, in some other security models), addressing the issue of requiring the establishment of a session identifier (sid) during each call of the protocol for the cost of one additional message?
- (to all 4 remaining PAKEs): Can the nominators/developers of the protocols please re-evaluate possible IPR conflicts between their candidate protocols and own and foreign patents? Specifically, can you discuss the impact of U.S. Patent 7,047,408 (expected expiration 10th of March 2023) on free use of SPAKE2 and the impact of EP1847062B1 (HMQV, expected expiration October 2026) on the free use of the RFC-drafts for OPAQUE?
- (to all 4 remaining PAKEs): What can be said about the property of "quantum annoyance" (an attacker with a quantum computer needs to solve [one or more] DLP per password guess) of the PAKE?
- (to all 4 remaining PAKEs): What can be said about "post-quantum preparedness" of the PAKE?
Related information on IPR (SPAKE2): https://datatracker.ietf.org/ipr/4018/
To update the base material for a PAKE candidate or any of the reviews, please open an issue or, better yet, submit a pull request. Any substantial change should be reported to the CFRG mailing list. Please include a link to the mailing list post.