Minutes IETF118: cfrg: Thu 14:00
minutes-118-cfrg-202311091400-00

Meeting Minutes | Crypto Forum (cfrg) RG
---|---
Date and time | 2023-11-09 14:00
Title | Minutes IETF118: cfrg: Thu 14:00
State | Active
Last updated | 2023-11-12
CFRG - Crypto Forum Research Group
IETF 118 in Prague
Thursday November 9, 2023, 15:00-16:30 (UTC+1)
Meetecho: https://meetings.conf.meetecho.com/ietf118/?group=cfrg&short=&item=1
Notes: https://notes.ietf.org/notes-ietf-118-cfrg
Chairs: Stanislav Smyshlyaev (SS), Nick Sullivan (NS), and Alexey Melnikov (AM)
Note-taker:
15:00 - Chairs' update (5 mins).
Four new RFCs.
15:05 - Chris Patton, "VDAF" (10+5 mins)
Ready for RGLC. Needed by IETF PPM WG.
Open questions: GitHub issues #299, #306, #287, and #110.
Ask for editorial reviews as well.
Simon: Is Poplar1 adequately reviewed?
Chris: Not as well reviewed as Prio3, but it will probably stay.
15:20 - Vasilis Kalos, "The BBS Signature Scheme" (10+5 mins)
The BBS Signature Scheme is very stable and well reviewed. Working on
Blind BBS signatures, but wonder whether it should be added to the base
document or put in a separate one.
Chris: Does anyone in the IETF need this work?
Vasilis: Interest from outside the IETF, and once published there may be
others.
Orie: It is useful in the COSE CWT.
Unknown: Useful for a credentialing system, so that you do not need a
separate one for each verifier.
15:35 - Andrey Bozhko, "Properties of AEAD algorithms" (5+5 mins)
Want to add discussion of indifferentiability.
Jonathan: Still interested in verification without decryption.
Andrey: I remember.
Chris: I was interested in indifferentiability, but it is a different
paradigm.
Chris: Do you need both full commitment and key commitment?
Andrey: Full commitment is harder to achieve, so they need to both be
discussed.
Chris: Maybe few choices is better for non-cryptographers.
15:45 - Alexander Dax, "How Subtle AEAD Differences can Impact Protocol Security" (10+5 mins)
Many ways to misunderstand and misuse AEADs.
The researchers identify three broad theoretical classes that also
capture most practical attacks: (1) Integrity and Privacy, (2)
Collision Resistance, and (3) Nonce Reuse.
Andrey: What are your future plans? Can you help with
draft-irtf-cfrg-aead-properties?
Alex: Want to look at other primitives, not just AEAD. Willing to talk
about your draft.
16:00 - Dimitris Mouris, "The Mastic VDAF" (10+3 mins)
One-hot verifiability and path verifiability together thwart a malicious
client.
Chris Wood: What about multiple cooperating malicious clients?
Dimitris: Need to do more investigation about multiple cooperating
malicious clients. The run time would not be increased.
Chris Patton: More flexible than Poplar. Need to finish the analysis.
16:13 - Hubert Kario, "Implementation Guidance for the PKCS#1 RSA Cryptography Specification" (10+3 mins)
Improvements in detecting side channels over the network in RSA using
PKCS#1 v1.5.
Chris: What is the function of this draft?
Hubert: Stop using RSA using PKCS#1 v1.5. Also, give something to move
to.
Chris: Ready for adoption call?
Hubert: Yes.
Bob: We have old hardware in the aviation industry. Hard to move in those
environments.
16:26 - David Joseph, "Batched Signatures" (4 mins)
Want to make you aware of this work. Build a Merkle Tree, and then sign
the root. Others have worked on similar ideas, and want to bring them
all together in the CFRG.
Chris Wood: Not specific to any particular signature algorithm?
David: Correct.
Orie: A construction similar to this is being used in SCITT.
Chris: Does this make a difference for post-quantum?
David: Want your use cases to consider.
SS: The chairs are planning to announce RGLCs for the two selected PAKEs
soon.