![](\"/user_uploads/2/2d/9oA2q-y0SZLkyTTA80pth6rO/image.png\")
Also not seeing video from the room
", "time": "2022-07-25T14:00:37Z"}, {"author": "Bj\u00f6rn Haase", "text": "when using the \"Test local speakers\" button in the web frontend, I hear a bell , though .
", "time": "2022-07-25T14:00:39Z"}, {"author": "Jonathan Hoyland", "text": "I can't hear any sound either.
", "time": "2022-07-25T14:00:46Z"}, {"author": "Colin Perkins", "text": "Working
", "time": "2022-07-25T14:00:51Z"}, {"author": "Nat Meysenburg", "text": "I hear that test.
", "time": "2022-07-25T14:00:52Z"}, {"author": "Randy Bush", "text": "heard paolo
", "time": "2022-07-25T14:00:53Z"}, {"author": "Rob Austein", "text": "Got it
", "time": "2022-07-25T14:00:54Z"}, {"author": "Andrei Popov", "text": "Yes!
", "time": "2022-07-25T14:00:54Z"}, {"author": "Bj\u00f6rn Haase", "text": "Should there be some video from the room?
", "time": "2022-07-25T14:00:56Z"}, {"author": "Jonathan Hoyland", "text": "I can hear Paolo
", "time": "2022-07-25T14:00:56Z"}, {"author": "Stanislav Smyshlyaev", "text": "Yes, now it's working.
", "time": "2022-07-25T14:00:58Z"}, {"author": "Randy Bush", "text": "thank you
", "time": "2022-07-25T14:01:05Z"}, {"author": "Bj\u00f6rn Haase", "text": "I don't still hear anything.
", "time": "2022-07-25T14:01:10Z"}, {"author": "Christopher Patton", "text": "good monring everyone
", "time": "2022-07-25T14:01:10Z"}, {"author": "Rich Salz", "text": "Looks like @meetecho still trying to get things up and runnign
", "time": "2022-07-25T14:01:27Z"}, {"author": "Rob Austein", "text": "Well, it was working for a few seconds of \"test test one two three..\"
", "time": "2022-07-25T14:01:29Z"}, {"author": "Stanislav Smyshlyaev", "text": "But I still don't hear Alexey or anyone from the room
", "time": "2022-07-25T14:01:42Z"}, {"author": "Stanislav Smyshlyaev", "text": "No video either.
", "time": "2022-07-25T14:01:51Z"}, {"author": "Alexey Melnikov", "text": "The video is off, at least from me.
", "time": "2022-07-25T14:02:15Z"}, {"author": "Bj\u00f6rn Haase", "text": "And there has not been any sound on my side so far.
", "time": "2022-07-25T14:02:30Z"}, {"author": "Colin Perkins", "text": "I see Alexey
", "time": "2022-07-25T14:02:58Z"}, {"author": "Alexey Melnikov", "text": "Can you hear Nick?
", "time": "2022-07-25T14:02:58Z"}, {"author": "Jonathan Hoyland", "text": "No
", "time": "2022-07-25T14:03:08Z"}, {"author": "Bj\u00f6rn Haase", "text": "No.
", "time": "2022-07-25T14:03:25Z"}, {"author": "Rob Austein", "text": "I see video that claims to be Alexey
", "time": "2022-07-25T14:03:31Z"}, {"author": "Nasrul Zikri", "text": "Has the session started?
", "time": "2022-07-25T14:03:31Z"}, {"author": "Rob Austein", "text": "Still no audio
", "time": "2022-07-25T14:03:39Z"}, {"author": "Alexey Melnikov", "text": "Fixing sound problems for remotes
", "time": "2022-07-25T14:03:55Z"}, {"author": "Jonathan Hoyland", "text": "I'm getting some weird audio artefact
", "time": "2022-07-25T14:03:56Z"}, {"author": "Nick Sullivan", "text": "Meetecho support is working on connecting the room to remote participants.
", "time": "2022-07-25T14:04:02Z"}, {"author": "Bj\u00f6rn Haase", "text": "No audio, no video, but I see the chair's title slide.
", "time": "2022-07-25T14:04:10Z"}, {"author": "Alexey Melnikov", "text": "Meetecho people are looking into this
", "time": "2022-07-25T14:04:13Z"}, {"author": "Nick Sullivan", "text": "Thank you for your patience. First session of the week.
", "time": "2022-07-25T14:05:06Z"}, {"author": "Bj\u00f6rn Haase", "text": "The audio stream information close to your chair's photos reports \"0 kbps\"
", "time": "2022-07-25T14:05:22Z"}, {"author": "Randy Bush", "text": "i see about 224
", "time": "2022-07-25T14:05:51Z"}, {"author": "Rob Austein", "text": "Hmm. On my (still silent) remote it reports 205 and 218 kbps
", "time": "2022-07-25T14:05:57Z"}, {"author": "Rob Austein", "text": "Sounds like there's a general problem and perhaps a special bonus Bjorn problem
", "time": "2022-07-25T14:06:35Z"}, {"author": "Christian Veenman", "text": "It says audio in: 3 kbps here
", "time": "2022-07-25T14:07:32Z"}, {"author": "Nat Meysenburg", "text": "That's what I'm seeing as well.
", "time": "2022-07-25T14:08:23Z"}, {"author": "Scott Arciszewski", "text": "I see 12 kbps and have video/slides, no audio
", "time": "2022-07-25T14:08:26Z"}, {"author": "Nat Meysenburg", "text": "I have two videos, slides, but no audio.
", "time": "2022-07-25T14:08:51Z"}, {"author": "Randy Bush", "text": "i just heard a waterfall for a few seconds
", "time": "2022-07-25T14:08:55Z"}, {"author": "Shan Wang", "text": "same here
", "time": "2022-07-25T14:09:37Z"}, {"author": "Bj\u00f6rn Haase", "text": "Anybody remote having sound?
", "time": "2022-07-25T14:10:03Z"}, {"author": "Scott Arciszewski", "text": "I'm remote, and no. I did hear a brief white noise but that could have been an attendee rather than one of the speakers.
", "time": "2022-07-25T14:10:27Z"}, {"author": "Jonathan Hoyland", "text": "Only various pops and crackles
", "time": "2022-07-25T14:10:32Z"}, {"author": "Ira McDonald", "text": "No audio
", "time": "2022-07-25T14:10:44Z"}, {"author": "Nick Sullivan", "text": "The white noise was the tech team working with the presenter mic.
", "time": "2022-07-25T14:11:01Z"}, {"author": "Scott Arciszewski", "text": "Understood. Thanks Nick.
", "time": "2022-07-25T14:11:10Z"}, {"author": "Alexey Melnikov", "text": "Can remote here the test?
", "time": "2022-07-25T14:14:54Z"}, {"author": "Jonathan Hoyland", "text": "I can hear windchimes?
", "time": "2022-07-25T14:15:01Z"}, {"author": "Rob Austein", "text": "Nada
", "time": "2022-07-25T14:15:08Z"}, {"author": "Shan Wang", "text": "nope
", "time": "2022-07-25T14:15:13Z"}, {"author": "Bj\u00f6rn Haase", "text": "did not hear anything not even noise.
", "time": "2022-07-25T14:15:15Z"}, {"author": "Jonathan Hoyland", "text": "Or maybe crinkling paper?
", "time": "2022-07-25T14:15:18Z"}, {"author": "Thom Wiggers", "text": "Zero
", "time": "2022-07-25T14:15:22Z"}, {"author": "Scott Arciszewski", "text": "Still silent here
", "time": "2022-07-25T14:15:29Z"}, {"author": "Nick Sullivan", "text": "Sincere apologies for the technical difficulties.
", "time": "2022-07-25T14:15:40Z"}, {"author": "Scott Arciszewski", "text": "Hear you
", "time": "2022-07-25T14:15:56Z"}, {"author": "Rob Austein", "text": "Noise!
", "time": "2022-07-25T14:15:58Z"}, {"author": "Jonathan Hoyland", "text": "Sound!
", "time": "2022-07-25T14:15:58Z"}, {"author": "Christopher Patton", "text": "we hea ryou
", "time": "2022-07-25T14:16:00Z"}, {"author": "Thom Wiggers", "text": "test 123 coming through
", "time": "2022-07-25T14:16:03Z"}, {"author": "Randy Bush", "text": "w00t!
", "time": "2022-07-25T14:16:04Z"}, {"author": "Shan Wang", "text": "heard the test123
", "time": "2022-07-25T14:16:06Z"}, {"author": "Bj\u00f6rn Haase", "text": "(No sound still ...)
", "time": "2022-07-25T14:16:15Z"}, {"author": "Rob Austein", "text": "Silent again, say something :)
", "time": "2022-07-25T14:16:22Z"}, {"author": "Jonathan Hoyland", "text": "But now I don't have video :sweat_smile:
", "time": "2022-07-25T14:16:23Z"}, {"author": "Guilin WANG", "text": "Just can hear \"test\" now!
", "time": "2022-07-25T14:17:27Z"}, {"author": "Guilin WANG", "text": "Once thought laptop was not working well ...
", "time": "2022-07-25T14:18:09Z"}, {"author": "Thom Wiggers", "text": "test 123 again
", "time": "2022-07-25T14:19:36Z"}, {"author": "Bas Westerbaan", "text": "Hear you.
", "time": "2022-07-25T14:19:37Z"}, {"author": "Gabriel Andrews", "text": "Can hear this, yes.
", "time": "2022-07-25T14:19:37Z"}, {"author": "Rob Austein", "text": "Hear test
", "time": "2022-07-25T14:19:39Z"}, {"author": "Jonathan Hoyland", "text": "We hear you
", "time": "2022-07-25T14:19:40Z"}, {"author": "Scott Arciszewski", "text": "I can hear Paolo
", "time": "2022-07-25T14:19:43Z"}, {"author": "Rob Austein", "text": "Now silent again
", "time": "2022-07-25T14:19:49Z"}, {"author": "Jonathan Hoyland", "text": "Although we can't be sure it's fresh
", "time": "2022-07-25T14:19:51Z"}, {"author": "Jonathan Hoyland", "text": "Maybe we need a nonce in the test string?^
", "time": "2022-07-25T14:19:58Z"}, {"author": "Alexey Melnikov", "text": "It is fresh
", "time": "2022-07-25T14:20:01Z"}, {"author": "Bj\u00f6rn Haase", "text": "not hearing anything.
", "time": "2022-07-25T14:20:03Z"}, {"author": "Guilin WANG", "text": "can here \"123\", though a little noise as well
", "time": "2022-07-25T14:20:04Z"}, {"author": "Christopher Patton", "text": "Maybe everyone should try dropping out and logging back in?
", "time": "2022-07-25T14:20:05Z"}, {"author": "Scott Arciszewski", "text": "Jonathan, isn't that what \"123\" was? (I guess nonce reuse is a concern as always.)
", "time": "2022-07-25T14:20:18Z"}, {"author": "Christopher Patton", "text": "if half the group can hear but the other half can't/
", "time": "2022-07-25T14:20:21Z"}, {"author": "Alexey Melnikov", "text": "The audio problem is with a mixer on our end (in the meeting room)
", "time": "2022-07-25T14:20:33Z"}, {"author": "Lorenzo Miniero", "text": "Christopher: no need, it's an issue with the audio streamer, not participants
", "time": "2022-07-25T14:20:35Z"}, {"author": "Christopher Patton", "text": "but it sounds like folks are claiming that they can't hear while other can...
", "time": "2022-07-25T14:20:58Z"}, {"author": "Jonathan Hoyland", "text": "123 was in every test so far
", "time": "2022-07-25T14:21:01Z"}, {"author": "Scott Arciszewski", "text": "Jonathan: I know, it was a joke :)
", "time": "2022-07-25T14:21:16Z"}, {"author": "Jonathan Hoyland", "text": "So it could be predicted by a malicious attacker.
", "time": "2022-07-25T14:21:16Z"}, {"author": "Christopher Patton", "text": "Is there any other type of attacker?
", "time": "2022-07-25T14:21:29Z"}, {"author": "Jonathan Hoyland", "text": "Also even assuming it was in hex it's a very short nonce
", "time": "2022-07-25T14:21:43Z"}, {"author": "Lorenzo Miniero", "text": "They can remote speakers, which means the audio channel with the server is there: the problem is in capturing local audio and sending it to the server, which is why you can hear Paolo and Paolo can't hear the room
", "time": "2022-07-25T14:21:45Z"}, {"author": "Jonathan Hoyland", "text": "Honest but curious of course @ChrisP
", "time": "2022-07-25T14:21:55Z"}, {"author": "Bj\u00f6rn Haase", "text": "OK. Seems not to work for me. Hopefully the sound in the recording will do.
", "time": "2022-07-25T14:22:02Z"}, {"author": "Nick Sullivan", "text": "I'm going to test my local laptop as a way to present local presenters online.
", "time": "2022-07-25T14:24:52Z"}, {"author": "Bas Westerbaan", "text": "Was a bit choppy at the start.
", "time": "2022-07-25T14:25:08Z"}, {"author": "Christopher Patton", "text": "we can hear nick
", "time": "2022-07-25T14:25:08Z"}, {"author": "Scott Arciszewski", "text": "I hear you, Nick
", "time": "2022-07-25T14:25:08Z"}, {"author": "Shan Wang", "text": "yes!
", "time": "2022-07-25T14:25:11Z"}, {"author": "Rob Austein", "text": "Blah blah heard
", "time": "2022-07-25T14:25:12Z"}, {"author": "Randy Bush", "text": "ack
", "time": "2022-07-25T14:25:13Z"}, {"author": "Massimiliano Pala", "text": "yes
", "time": "2022-07-25T14:25:17Z"}, {"author": "Stefan-Lukas Gazdag", "text": "yeah, works for me
", "time": "2022-07-25T14:25:20Z"}, {"author": "Jonathan Hoyland", "text": "Still no nonce
", "time": "2022-07-25T14:25:27Z"}, {"author": "Jonathan Hoyland", "text": "And we're back to waterfall
", "time": "2022-07-25T14:25:48Z"}, {"author": "Randy Bush", "text": "but no bears
", "time": "2022-07-25T14:26:06Z"}, {"author": "Nat Meysenburg", "text": "i heard the test. now back to silence and 0kps audio fror me.
", "time": "2022-07-25T14:26:10Z"}, {"author": "Alexey Melnikov", "text": "We will start doing stuff through Nick's laptop
", "time": "2022-07-25T14:26:41Z"}, {"author": "Rich Salz", "text": "Hey @Stanislav Smyshlyaev what time is it where you are?
", "time": "2022-07-25T14:26:44Z"}, {"author": "Stanislav Smyshlyaev", "text": "5:27 pm :)
", "time": "2022-07-25T14:27:18Z"}, {"author": "Randy Bush", "text": "@rich: it's asia which is hard time
", "time": "2022-07-25T14:28:03Z"}, {"author": "Jonathan Hoyland", "text": "Wow, so many folks in the room
", "time": "2022-07-25T14:28:03Z"}, {"author": "Bj\u00f6rn Haase", "text": "CPace draft is just updated yesterday.
", "time": "2022-07-25T14:28:35Z"}, {"author": "Bj\u00f6rn Haase", "text": "(Version 06)
", "time": "2022-07-25T14:28:41Z"}, {"author": "Jonathan Hoyland", "text": "Check 1 check 2
", "time": "2022-07-25T14:29:05Z"}, {"author": "Rob Austein", "text": "check heard
", "time": "2022-07-25T14:29:06Z"}, {"author": "Steffen Fries", "text": "yes
", "time": "2022-07-25T14:29:20Z"}, {"author": "Massimiliano Pala", "text": "Yes
", "time": "2022-07-25T14:29:21Z"}, {"author": "Nat Meysenburg", "text": "yes.
", "time": "2022-07-25T14:29:22Z"}, {"author": "Rob Austein", "text": "Test one two three
", "time": "2022-07-25T14:29:24Z"}, {"author": "Bj\u00f6rn Haase", "text": "no.
", "time": "2022-07-25T14:29:25Z"}, {"author": "Alexey Melnikov", "text": "@Bj\u00f6rn: Noted
", "time": "2022-07-25T14:29:26Z"}, {"author": "Scott Arciszewski", "text": "Yes we can hear you
", "time": "2022-07-25T14:29:26Z"}, {"author": "Randy Bush", "text": "we can hear you
", "time": "2022-07-25T14:29:29Z"}, {"author": "Shan Wang", "text": "yes
", "time": "2022-07-25T14:29:29Z"}, {"author": "Nat Meysenburg", "text": "yea
", "time": "2022-07-25T14:29:44Z"}, {"author": "Steffen Fries", "text": "yes
", "time": "2022-07-25T14:29:44Z"}, {"author": "Randy Bush", "text": "yes
", "time": "2022-07-25T14:29:44Z"}, {"author": "Scott Arciszewski", "text": "I hear the chair's mic
", "time": "2022-07-25T14:29:46Z"}, {"author": "Christopher Patton", "text": "we hear chair mic
", "time": "2022-07-25T14:29:46Z"}, {"author": "Alexey Melnikov", "text": "Can you hear Nick just now?
", "time": "2022-07-25T14:29:48Z"}, {"author": "Jonathan Hoyland", "text": "Quite quiet though
", "time": "2022-07-25T14:29:52Z"}, {"author": "Nick Sullivan", "text": "Can you hear Alexey?
", "time": "2022-07-25T14:30:16Z"}, {"author": "Scott Arciszewski", "text": "I hear Alexey
", "time": "2022-07-25T14:30:23Z"}, {"author": "Nick Sullivan", "text": "ok, we're starting. Seems like things have been resolved.
", "time": "2022-07-25T14:30:38Z"}, {"author": "Christopher Patton", "text": "AEGIS would be a great tool to have in our pocket :)
", "time": "2022-07-25T14:32:06Z"}, {"author": "Martin Thomson", "text": "A lot of people are asking why we need yet another cipher. I mean, AEGIS has a lot of desirable properties, but that alone isn't justification for doing another.
", "time": "2022-07-25T14:32:59Z"}, {"author": "Bj\u00f6rn Haase", "text": "No not for me :-(
", "time": "2022-07-25T14:33:03Z"}, {"author": "Christopher Patton", "text": "MT that's a fair question.
", "time": "2022-07-25T14:34:47Z"}, {"author": "Guilin WANG", "text": "Echo is very clear. Just like two persons are talking.
", "time": "2022-07-25T14:39:05Z"}, {"author": "Rob Austein", "text": "Not hearing any echo. Audio has been fine since original problem fixed and chair mike volume adjusted
", "time": "2022-07-25T14:39:50Z"}, {"author": "Guilin WANG", "text": "Sorry, the video streaming is working perfectly now.
", "time": "2022-07-25T14:41:10Z"}, {"author": "Phillip Hallam-Baker", "text": "BBS: Why am I supposed to want to do this? What is the use case?
", "time": "2022-07-25T14:41:13Z"}, {"author": "Jonathan Hoyland", "text": "I can reveal part of my government issued ID
", "time": "2022-07-25T14:42:58Z"}, {"author": "Martin Thomson", "text": "Can the proof be constructed so that it is unlinkable to other proofs given different messages?
", "time": "2022-07-25T14:43:14Z"}, {"author": "Jonathan Hoyland", "text": "If the government is the signer and I am the prover, I can reveal to a checker that I am e.g. > 18, without revealing, e.g. my address.
", "time": "2022-07-25T14:43:38Z"}, {"author": "Martin Thomson", "text": "Damn, slide just answered that...
", "time": "2022-07-25T14:43:41Z"}, {"author": "Martin Thomson", "text": "@Jonathan Hoyland you would need a message that says \">18\", which might be separate to a message that contained your address (or even your date of birth), which means that an attribute system can be hard to scale
", "time": "2022-07-25T14:45:17Z"}, {"author": "Phillip Hallam-Baker", "text": "OK, this does actually fit one of my use cases..
", "time": "2022-07-25T14:45:24Z"}, {"author": "Randy Bush", "text": "could questioners please identify themselves?
", "time": "2022-07-25T14:45:54Z"}, {"author": "Jonathan Hoyland", "text": "@MT yeah, there is work that addresses that point. Formalising Linked-Data based Verifiable Credentials for Selective Disclosure
", "time": "2022-07-25T14:46:01Z"}, {"author": "Jabber", "text": "sftcd: yeah seems like a thing doing this could be used
", "time": "2022-07-25T14:46:15Z"}, {"author": "Jonathan Hoyland", "text": "@MT I can find slides, but not a free version of the paper https://ssr2022.com/slides/FormalisingLinkedDataBasedVerifiableCredentials.pdf
", "time": "2022-07-25T14:47:12Z"}, {"author": "Jonathan Hoyland", "text": "Are the keys that are pre-generated long-term keys?
", "time": "2022-07-25T14:50:29Z"}, {"author": "Jonathan Hoyland", "text": "(i.e. the same over multiple runs of the protocol)
", "time": "2022-07-25T14:51:02Z"}, {"author": "Armando Faz-Hern\u00e1ndez", "text": "I'm working on a Go implementation of FROST:
\nhttps://github.com/cloudflare/circl/pull/349
I have a C# implementation
", "time": "2022-07-25T14:52:33Z"}, {"author": "Christopher Patton", "text": "What does Ristretto buy us in this context, if we've already worked out the small-subgroup stuff for Ed25519/448?
", "time": "2022-07-25T14:52:51Z"}, {"author": "Christopher Patton", "text": "*Ristretto/Decaf
", "time": "2022-07-25T14:53:22Z"}, {"author": "Nick Sullivan", "text": "@Chris want to ask the question at the mic?
", "time": "2022-07-25T14:53:51Z"}, {"author": "Christopher Patton", "text": "will do if time
", "time": "2022-07-25T14:54:01Z"}, {"author": "Sofia Celi", "text": "In ed25519 or ed448, you have to manually deal with the cofactor (a process that is it sometimes called 'clamping'), with ristretto or decaf you don't
", "time": "2022-07-25T14:54:01Z"}, {"author": "Christopher Patton", "text": "but doens't this come up in the spec?
", "time": "2022-07-25T14:54:18Z"}, {"author": "Christopher Patton", "text": "or is it left to implementations?
", "time": "2022-07-25T14:54:28Z"}, {"author": "Phillip Hallam-Baker", "text": "@Christopher Patton This is an engine, not a protocol. Makes sense to be agile
", "time": "2022-07-25T14:54:34Z"}, {"author": "Sofia Celi", "text": "checking for the cofactor is sometimes 'forgotten' by implementers, so it is better to use something that has it in itself
", "time": "2022-07-25T14:54:39Z"}, {"author": "Martin Thomson", "text": "@Sofia Celi but isn't that worth it for the ability to do Ed25519 verification?
", "time": "2022-07-25T14:54:40Z"}, {"author": "Martin Thomson", "text": "agile is not a useful thing to seek
", "time": "2022-07-25T14:55:15Z"}, {"author": "Rene Struik", "text": "This \"what if implementors forget that 2+2=4\" argument is bull that keeps popping up. Bad!
", "time": "2022-07-25T14:55:25Z"}, {"author": "Armando Faz-Hern\u00e1ndez", "text": "being compatible with EdDSA is the most relevant, from my perspective
", "time": "2022-07-25T14:56:18Z"}, {"author": "Sofia Celi", "text": "@Martin Thomson I don't understand the question. You should essentially be able to do the same operations in ristretto or ed25519
", "time": "2022-07-25T14:56:27Z"}, {"author": "Sofia Celi", "text": "if it is for \"compatibility\" with specs (with RFC8032), then you can have both
", "time": "2022-07-25T14:56:50Z"}, {"author": "Jonathan Hoyland", "text": "Is there an interface for injecting channel bindings into a run of FROST and one for producing a channel binding for a FROST run?
", "time": "2022-07-25T14:57:08Z"}, {"author": "Christopher Patton", "text": "Couldn't the FROST draft just specify the co factor check?
", "time": "2022-07-25T14:58:12Z"}, {"author": "Christopher Patton", "text": "(and include test vectors that enforce the check/)
", "time": "2022-07-25T14:58:54Z"}, {"author": "Alexey Melnikov", "text": "Sorry, the queue is closed. Take your questions to the mailing list, please.
", "time": "2022-07-25T14:58:55Z"}, {"author": "Phillip Hallam-Baker", "text": "If we did a BIS on RFC8032, should add in the non deterministic signatures peice as well.
", "time": "2022-07-25T14:59:03Z"}, {"author": "Martin Thomson", "text": "@Sofia Celi it wasn't a question. I just wish that these things had fewer options. Pick one and make it good. Ed25519 seems good.
", "time": "2022-07-25T14:59:19Z"}, {"author": "Martin Thomson", "text": "So I'm agreeing with @Christopher Patton
", "time": "2022-07-25T14:59:44Z"}, {"author": "Sofia Celi", "text": "@Deirdre Connolly knows better.. but even when the spec specifies the cofactor checks, there has been problems
", "time": "2022-07-25T14:59:53Z"}, {"author": "Benjamin Kaduk", "text": "counting time in increments of 100 nanoseconds feels like it actually gives you just the precision you need and not much more, even if it's not a \"nice\" multiple-of-three-power-of-ten.
", "time": "2022-07-25T15:00:06Z"}, {"author": "Armando Faz-Hern\u00e1ndez", "text": "the issue is that RFC8032 allows several signatures to be valid, FROST is compatible with RFC8032 because verification is untouched.
", "time": "2022-07-25T15:00:35Z"}, {"author": "Martin Thomson", "text": "I know that you can't always detect that everyone is doing the cofactor checks, but you also can't check that they implemented in constant time either or that they didn't publish their secret to Twitter
", "time": "2022-07-25T15:00:42Z"}, {"author": "Scott Arciszewski", "text": "Having a clearer specification that encourages security by default is, in my mind, a worthwhile goal. Superseding RFC 8032 with stricter requirements would be valuable.
", "time": "2022-07-25T15:00:59Z"}, {"author": "Jonathan Hoyland", "text": "@MT isn't there something to be said for removing footguns?
", "time": "2022-07-25T15:01:33Z"}, {"author": "Deirdre Connolly", "text": "Christopher Patton said:
\n\n\nCouldn't the FROST draft just specify the co factor check?
\n
We went back and forth on this in our drafts, per-ciphersuite verify() basically 'strongly recommends' the cofactor / torsion check while staying compat with RFC8032 as it exists
", "time": "2022-07-25T15:01:39Z"}, {"author": "Christopher Patton", "text": "ohh I see. So the blocker is the flexibility in the EdDSA draft. Boo.
", "time": "2022-07-25T15:02:11Z"}, {"author": "Martin Thomson", "text": "@Jonathan Hoyland not if that means losing interoperability
", "time": "2022-07-25T15:02:40Z"}, {"author": "Christopher Patton", "text": "In that case: Maybe we all decide to use Ristretto/Decaf from now on? :)
", "time": "2022-07-25T15:02:49Z"}, {"author": "Christopher Patton", "text": "(for new things, that is.)
", "time": "2022-07-25T15:03:08Z"}, {"author": "Martin Thomson", "text": "I would be OK with only ristretto/decaf or only ed25519/ed448, but doing both is an invitation to have divergence.
", "time": "2022-07-25T15:03:23Z"}, {"author": "Sofia Celi", "text": "There is a draft ;) : https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-00
\nAnd on the OPRFs, we use them ;)
ChrisP: I think you mean Kyber ;-)
", "time": "2022-07-25T15:03:40Z"}, {"author": "Christopher Patton", "text": "+1 MT, I say pick ristretto/decaf
", "time": "2022-07-25T15:03:42Z"}, {"author": "Sofia Celi", "text": "On the OPRF draft
", "time": "2022-07-25T15:03:45Z"}, {"author": "Martin Thomson", "text": "I like Ristretto, so I'd be OK with that. Maybe we can do an EdRistretto doc and do away with 8032...
", "time": "2022-07-25T15:04:07Z"}, {"author": "Christopher Patton", "text": "not a bad idea
", "time": "2022-07-25T15:04:16Z"}, {"author": "Deirdre Connolly", "text": "FROST v7 draft: https://www.ietf.org/archive/id/draft-irtf-cfrg-frost-07.html
\nGitHub: https://github.com/cfrg/draft-irtf-cfrg-frost
\nSlides: https://docs.google.com/presentation/d/1gwrwxAsVES5z19GuzjfrC6ZdygbKjeqqrnfGb8sAMVQ/edit?usp=sharing
@Dierdre Thanks!
", "time": "2022-07-25T15:04:46Z"}, {"author": "Deirdre Connolly", "text": "Martin Thomson said:
\n\n\nI like Ristretto, so I'd be OK with that. Maybe we can do an EdRistretto doc and do away with 8032...
\n
I would like this, there is no other singleton Schnorr signatures on prime order groups spec that I am aware of
", "time": "2022-07-25T15:05:27Z"}, {"author": "Martin Thomson", "text": "the only problem with doing EdRistretto is that there is a fair bit of Ed25519 deployment, which is a non-trivial consideration
", "time": "2022-07-25T15:05:48Z"}, {"author": "Deirdre Connolly", "text": "the FROST spec basically does this because it has nothing else to point to (EdDSA is pretty close but of course has the cofactor stuff)
", "time": "2022-07-25T15:05:56Z"}, {"author": "Christopher Patton", "text": "@MT I think that deployment consideration is less important for FROST, since FROST is brand-spanking-new
", "time": "2022-07-25T15:06:37Z"}, {"author": "Deirdre Connolly", "text": "Martin Thomson said:
\n\n\nthe only problem with doing EdRistretto is that there is a fair bit of Ed25519 deployment, which is a non-trivial consideration
\n
Ristretto is a prime order group that may or may not be implemented over edwards25519 but that is below the abstraction boundary and thus why they are different ciphersuites
", "time": "2022-07-25T15:07:02Z"}, {"author": "Martin Thomson", "text": "The thing that concerns me is that you might want to deploy FROST into a setting where there are relying parties that consume Ed25519 already and you only want to add some safety for the signing operation.
", "time": "2022-07-25T15:07:17Z"}, {"author": "Thom Wiggers", "text": "huge echo back from the room
", "time": "2022-07-25T15:07:29Z"}, {"author": "Jonathan Hoyland", "text": "Wow the Echo is massive
", "time": "2022-07-25T15:07:33Z"}, {"author": "Scott Arciszewski", "text": "That's why they call it MeetEcho :)
", "time": "2022-07-25T15:07:42Z"}, {"author": "Deirdre Connolly", "text": "Martin Thomson said:
\n\n\nThe thing that concerns me is that you might want to deploy FROST into a setting where there are relying parties that consume Ed25519 already and you only want to add some safety for the signing operation.
\n
They would not be interoperable signatures
", "time": "2022-07-25T15:07:57Z"}, {"author": "Nick Sullivan", "text": "Regarding the FROST draft. The conclusion for the call for adoption on the threshold signatures topic was: \"We recommend the document be updated to include concrete \"cipher suites\" that are compatible with both the RFC7748 curves and RFC8032 signatures and the standard NIST curves (similar to how the hash-to-curve draft handles specialization).\" There was an expectation that this draft would have applications at the IETF that would allow threshold cryptography to be used to interop with cryptographic protocols that use EdDSA as specifiedin RFC 8032. This has been done in the draft.
", "time": "2022-07-25T15:08:36Z"}, {"author": "Martin Thomson", "text": "Deirdre Connolly said:
\n\n\nThey would not be interoperable signatures
\n
Ah, nevermind then. Ristretto only then. (Your slides seemed to indicate otherwise...)
", "time": "2022-07-25T15:08:57Z"}, {"author": "Nick Sullivan", "text": "Regarding the FROST draft. The conclusion for the call for adoption on the threshold signatures topic was: \"We recommend the document be updated to include concrete \"cipher suites\" that are compatible with both the RFC7748 curves and RFC8032 signatures and the standard NIST curves (similar to how the hash-to-curve draft handles specialization).\" There was an expectation that this draft would have applications at the IETF that would allow threshold cryptography to be used to interop with cryptographic protocols that use EdDSA as specifiedin RFC 8032. This has been done in the draft.
", "time": "2022-07-25T15:09:16Z"}, {"author": "Nick Sullivan", "text": "In Dierdre's presentation, she stated that they would be interoperable signatures.
", "time": "2022-07-25T15:09:16Z"}, {"author": "Nick Sullivan", "text": "Or perhaps I misheard. Will check the recording.
", "time": "2022-07-25T15:09:38Z"}, {"author": "Deirdre Connolly", "text": "@Nick Sullivan no a new Ristretto EdRistretto is not the same as Ed25519
", "time": "2022-07-25T15:09:45Z"}, {"author": "Deirdre Connolly", "text": "Is what I meant
", "time": "2022-07-25T15:09:50Z"}, {"author": "Nick Sullivan", "text": "Regarding the FROST draft. The conclusion for the call for adoption on the threshold signatures topic was: \"We recommend the document be updated to include concrete \"cipher suites\" that are compatible with both the RFC7748 curves and RFC8032 signatures and the standard NIST curves (similar to how the hash-to-curve draft handles specialization).\" There was an expectation that this draft would have applications at the IETF that would allow threshold cryptography to be used to interop with cryptographic protocols that use EdDSA as specifiedin RFC 8032. This has been done in the draft.
", "time": "2022-07-25T15:09:59Z"}, {"author": "Nick Sullivan", "text": "In Dierdre's presentation, she stated that they would be interoperable signatures.
", "time": "2022-07-25T15:09:59Z"}, {"author": "Nick Sullivan", "text": "Or perhaps I misheard. Will check the recording.
", "time": "2022-07-25T15:09:59Z"}, {"author": "Martin Thomson", "text": "That's clear. What I thought this was about was the Ed25519-compatible piece.
", "time": "2022-07-25T15:10:07Z"}, {"author": "Deirdre Connolly", "text": "FROST-Ed25519 is indistinguishable from an RFC8032 Ed25519 signature
", "time": "2022-07-25T15:10:22Z"}, {"author": "Martin Thomson", "text": "Yeah, so FROST-Ed25519 being Ed25519 that is what I was talking about before. That might have some advantages in contexts where you already have Ed25519 verifiers.
", "time": "2022-07-25T15:10:55Z"}, {"author": "Deirdre Connolly", "text": "Ah I think I understand you better
", "time": "2022-07-25T15:11:07Z"}, {"author": "Martin Thomson", "text": "Consider a case where you have a high value key (code signing say) and you want to manage the signing key better. FROST-Ed25519 makes sense there.
", "time": "2022-07-25T15:11:28Z"}, {"author": "Martin Thomson", "text": "For me, that advantage might outweigh the advantages that Ristretto provides, even if it means dealing with the cofactor risk.
", "time": "2022-07-25T15:12:02Z"}, {"author": "Armando Faz-Hern\u00e1ndez", "text": "the issue is not in the frost draft, it is in rfc8032 where multiple signatures can be valid regardless the signature was generated using a threshold process or not.
", "time": "2022-07-25T15:12:54Z"}, {"author": "Deirdre Connolly", "text": "yeah definitely, that was why we wanted to make sure our FROST Ed25519 ciphersuite interop'd with RFC8032
", "time": "2022-07-25T15:12:56Z"}, {"author": "Phillip Hallam-Baker", "text": "If your protocol depends on deterministic signing, you have big problems already
", "time": "2022-07-25T15:13:00Z"}, {"author": "Martin Thomson", "text": "Priority ordering (for me): fewer ciphersuites >> interoperability > cofactor risk
", "time": "2022-07-25T15:13:40Z"}, {"author": "Christopher Patton", "text": "@chairs can you mute your mic for the remote folks? WE've got echo.
", "time": "2022-07-25T15:14:34Z"}, {"author": "Thom Wiggers", "text": "echo from the room is bad but tolerable right now
", "time": "2022-07-25T15:14:38Z"}, {"author": "Deirdre Connolly", "text": "This is the verification procedure in RFC8032;
\nimage.png
\nhttps://datatracker.ietf.org/doc/html/rfc8032#section-5.1.7
@Martin Thomson maybe it is worth a bigger discussion on the list, as some CFRG drafts use the ristretto suite already and other don't, and RFC8032 has some problem ;) ;) Maybe that will be worth
", "time": "2022-07-25T15:14:56Z"}, {"author": "Martin Thomson", "text": "Agreed.
", "time": "2022-07-25T15:15:21Z"}, {"author": "Phillip Hallam-Baker", "text": "On the RFC8032 thing, I am thinking the plan should probably be
\n1) Publish FROST RFC
\n2) Do an RFC8032 BIS that draws together all the update material including specifics on use with FROST.
Deirdre Connolly said:
\n\n\nThis is the verification procedure in RFC8032;
\nimage.png
\n
\nhttps://datatracker.ietf.org/doc/html/rfc8032#section-5.1.7
That 'sufficient, but not required' is the problem
", "time": "2022-07-25T15:15:44Z"}, {"author": "Nick Sullivan", "text": "Is that better?
", "time": "2022-07-25T15:16:20Z"}, {"author": "Phillip Hallam-Baker", "text": "@Deirdre Connolly Do you have a link to what we should be doing?
", "time": "2022-07-25T15:16:28Z"}, {"author": "Thom Wiggers", "text": "it's slightly better, I think there's a little bit of echo still coming through the audience microphones
", "time": "2022-07-25T15:16:46Z"}, {"author": "Thom Wiggers", "text": "our slides with clicky links https://docs.google.com/presentation/d/1k4AvsBEv7hlZTdwsljiiH7ZKZ_93kRrY2it6sHHOkL0/edit?usp=sharing
", "time": "2022-07-25T15:17:38Z"}, {"author": "Christopher Patton", "text": "@Thom maybe mute the meeting room?
", "time": "2022-07-25T15:17:41Z"}, {"author": "Christopher Patton", "text": "(Or @sofi!)
", "time": "2022-07-25T15:17:47Z"}, {"author": "Deirdre Connolly", "text": "Phillip Hallam-Baker said:
\n\n\nDeirdre Connolly Do you have a link to what we should be doing?
\n
Depending on your requirements, this is what we settled on for a consensus-critical application:
\nhttps://zips.z.cash/zip-0215
Implemented here:
\nhttps://github.com/zcashfoundation/ed25519-zebra
More motivation here:
\nhttps://hdevalence.ca/blog/2020-10-04-its-25519am
@Christopher Patton I'm very bad at knowing how to do technical things ahhaa
", "time": "2022-07-25T15:19:19Z"}, {"author": "Christopher Patton", "text": "we all are :)
", "time": "2022-07-25T15:19:41Z"}, {"author": "Bas Westerbaan", "text": "(Not in an obvious way at least.)
", "time": "2022-07-25T15:20:02Z"}, {"author": "Scott Arciszewski", "text": "Question: Are any of the alternate KEMs suitable for non-interactive settings?
", "time": "2022-07-25T15:20:54Z"}, {"author": "Thom Wiggers", "text": "no.
", "time": "2022-07-25T15:21:02Z"}, {"author": "Bas Westerbaan", "text": "No. It is inherent of KEM.
", "time": "2022-07-25T15:21:06Z"}, {"author": "Thom Wiggers", "text": "it's an API problem; as well as a maths problem
", "time": "2022-07-25T15:21:16Z"}, {"author": "Martin Thomson", "text": "Why do people insist on having so many parameter sets. 36 is far too many.
", "time": "2022-07-25T15:22:00Z"}, {"author": "Thom Wiggers", "text": "NIST may trim
", "time": "2022-07-25T15:22:11Z"}, {"author": "Bas Westerbaan", "text": "We don't want all 36 standardized.
", "time": "2022-07-25T15:22:24Z"}, {"author": "Jabber", "text": "sftcd: NIST picking loadsa parameters - I'm shocked I tell you
", "time": "2022-07-25T15:22:34Z"}, {"author": "Deirdre Connolly", "text": "Once upon a time SIDH (vs SIKE) was, but now there is an active adaptive attack against it for static keys (\u0ca5\ufe4f\u0ca5) (still great for ephemeral)
", "time": "2022-07-25T15:22:38Z"}, {"author": "Martin Thomson", "text": "Two might be too many, but I doubt NIST will be able to get there.
", "time": "2022-07-25T15:22:50Z"}, {"author": "Bas Westerbaan", "text": "@MT The Haraka instances, for instance, are just there to show what hardware acceleration would do.
", "time": "2022-07-25T15:22:54Z"}, {"author": "Phillip Hallam-Baker", "text": "@Deirdre Connolly Thanks
\nIt is almost certainly unnecessary for my application as the signer is the relying party most of the time and they are unlikely to bongo themselves. But I am providing a general library and so I want to provide general security checks.
What about the IDF paper that brings Kyber/Dilithium at lower security levels than required by NIST (Improved Dual Lattice Attack) that came out around the same time? Any reaction to it?
", "time": "2022-07-25T15:23:27Z"}, {"author": "Nick Sullivan", "text": "Regarding the FROST draft, there was interest on the list that the document created would be compatible with existing and deployed signature algorithms, with EdDSA listed as a specific target. This makes the draft applicable to already defined and deployed protocols like TLS (assuming EdDSA certificates exist -- they don't in the Web PKI right now) and all potential applications that currently use EdDSA. There were no specific requests to make the threshold document compatible with the signature schemes needed to support TLS or QUIC with the Web PKI (ECDSA and RSA), so if using threshold signatures in a setting that requires Web PKI-compatible signatures is of interest I would recommend doing it in a different document.
", "time": "2022-07-25T15:23:27Z"}, {"author": "Phillip Hallam-Baker", "text": "Does it affect Ed448 as well?
", "time": "2022-07-25T15:23:58Z"}, {"author": "Deirdre Connolly", "text": "Phillip Hallam-Baker said:
\n\n\nDoes it affect Ed448 as well?
\n
Yes:
\n\n![](\"/user_uploads/2/26/MoAELMXD0nksRKj4idsikOkk/image.png\")
https://datatracker.ietf.org/doc/html/rfc8032#section-5.2.7
", "time": "2022-07-25T15:24:46Z"}, {"author": "Thom Wiggers", "text": "@massimiliano: might be adjusted parameters in the final standard
", "time": "2022-07-25T15:24:57Z"}, {"author": "Phillip Hallam-Baker", "text": "@Deirdre Connolly I assumed it must.
\nI only use the 448 bit curves.
I guess that will affect sizes even more... I wonder if that should shift the suggestion to Falcon instead... we'll need more time to tweak algorithms, I guess.
", "time": "2022-07-25T15:27:35Z"}, {"author": "Deirdre Connolly", "text": "\n\nCSIDH security is awfully contested
\n
You got that right :rolling_on_the_floor_laughing:
", "time": "2022-07-25T15:27:55Z"}, {"author": "Phillip Hallam-Baker", "text": "No threshold PQC yet :(
", "time": "2022-07-25T15:28:33Z"}, {"author": "Bas Westerbaan", "text": "@Massimiliano It's too easy to make implementation mistakes with Falcon when using an FPU.
", "time": "2022-07-25T15:28:54Z"}, {"author": "Martin Thomson", "text": "\"very easy to mess up\" is not exactly reassuring
", "time": "2022-07-25T15:29:20Z"}, {"author": "Robert Moskowitz", "text": "And of course I need something with 32 byte keys and 64 byte sigs!
\nDream on.
", "time": "2022-07-25T15:29:25Z"}, {"author": "Mike Ounsworth", "text": "@scott fluhrer -- click to join the mic queue :stuck_out_tongue_wink:
", "time": "2022-07-25T15:29:26Z"}, {"author": "Sofia Celi", "text": "@Martin Thomson yeah.. it is quite a thing. the NIST report goes into details
", "time": "2022-07-25T15:29:48Z"}, {"author": "Yuji Suga", "text": "I recommend you one more link:
\nFrom Sofia's blog - Post-quantum Signatures (Jul 5, 2022)
\nhttps://sofiaceli.com/2022/07/05/pq-signatures.html
that is almost enough for me to say that Falcon is a non-starter
", "time": "2022-07-25T15:30:36Z"}, {"author": "Phillip Hallam-Baker", "text": "oooohh just realized that interactive proofs are kinda problematic with respect to implementation.
\nIt is quite hard to screw up x.448 and have it interoperate (some folk succeed).
\nSame not necessarily the case for interactive...
@Martin Thomson +100
", "time": "2022-07-25T15:31:20Z"}, {"author": "Robert Moskowitz", "text": "Falcon is definitely have an oach factor to expect IoT companies to do it right enough.
", "time": "2022-07-25T15:31:36Z"}, {"author": "Bas Westerbaan", "text": "Btw, all the issues in Falcon are in signing \u2014 not verification. So for offline signatures (i.e. CA, etc.) it should be fine.
", "time": "2022-07-25T15:32:16Z"}, {"author": "Robert Moskowitz", "text": "ouch that is. Typing on my lap results in errors...
", "time": "2022-07-25T15:32:22Z"}, {"author": "Phillip Hallam-Baker", "text": "My near term PQC plan is likely to be to generate a 'safety' PQC signature keypair and key exchange keypair, record the public keys and not use them for now.
", "time": "2022-07-25T15:32:32Z"}, {"author": "Quynh Dang", "text": "I hope we will be able to get the agreement completed much sooner then post it online.
", "time": "2022-07-25T15:32:58Z"}, {"author": "Phillip Hallam-Baker", "text": "For high security applications, might use a global shared secret established through a PQC exchange to create a seed for a global mix in like Russ Housely did a spec for.
", "time": "2022-07-25T15:33:31Z"}, {"author": "Robert Moskowitz", "text": "And signing is what the IoT may well need to do.
", "time": "2022-07-25T15:33:32Z"}, {"author": "Bas Westerbaan", "text": "There is also KEM TLS which allows online authentication without signing.
", "time": "2022-07-25T15:33:58Z"}, {"author": "Martin Thomson", "text": "@Bas Westerbaan I am thinking that the advantages of Falcon would be for online signing; offline signatures don't really benefit as much from a smaller signature/key
", "time": "2022-07-25T15:33:58Z"}, {"author": "Martin Thomson", "text": "I consider KEM-TLS to be a non-starter by virtue of how much it modifies the TLS key schedule.
", "time": "2022-07-25T15:34:23Z"}, {"author": "Bas Westerbaan", "text": "@MT Falcon is great for offline signatures as well: there are 6 signatures in a typical TLS handshake for the Web.
", "time": "2022-07-25T15:34:25Z"}, {"author": "Nick Sullivan", "text": "Offline signatures with Delegated Credentials and KEMTLS might be a useful fit.
", "time": "2022-07-25T15:34:49Z"}, {"author": "Bas Westerbaan", "text": "With \"offline\" I mean that the signature could be made offline, e.g. SCT, intermediate on leaf, etc.
", "time": "2022-07-25T15:34:53Z"}, {"author": "Bas Westerbaan", "text": "It's not really offline ofc.
", "time": "2022-07-25T15:35:05Z"}, {"author": "Martin Thomson", "text": "Yeah, delegated credentials is the main thing that might save something like Falcon
", "time": "2022-07-25T15:35:15Z"}, {"author": "Sofia Celi", "text": "It is true that KEMTLS changes the TLS 1.3 state machine, but it might be worth for some cases in which the sizes are not great. But yes, def a point to take into account.
", "time": "2022-07-25T15:36:33Z"}, {"author": "Sofia Celi", "text": "we have also a presentation about PQ and TLS in the TLS WG with @Thom Wiggers for more points ;)
", "time": "2022-07-25T15:37:08Z"}, {"author": "Thom Wiggers", "text": "(this is an important point: there are likely to be changes to all of the schemes selected for standardization in the final spec vs the last versions of the submissions)
", "time": "2022-07-25T15:37:08Z"}, {"author": "Christopher Patton", "text": "I'm definitely for adoption
", "time": "2022-07-25T15:38:00Z"}, {"author": "Jabber", "text": "sftcd: anyone got any links wrt the IPR issues mentioned previously?
", "time": "2022-07-25T15:38:19Z"}, {"author": "Christopher Patton", "text": "I think Python (Sage) is a good choice for spec language.
", "time": "2022-07-25T15:39:01Z"}, {"author": "Christopher Patton", "text": "(Until we get hacspec :D )
", "time": "2022-07-25T15:39:12Z"}, {"author": "Christopher Patton", "text": "+1 Florence, goal is 0-gap with NIST
", "time": "2022-07-25T15:39:46Z"}, {"author": "Sofia Celi", "text": "nice \"seeing\" you all!
", "time": "2022-07-25T15:40:42Z"}, {"author": "Phillip Hallam-Baker", "text": "Matching the eventual NIST spec is obviously good if it happens. But the only way that can happen is if NIST follows the RFC.
", "time": "2022-07-25T15:40:46Z"}, {"author": "Christopher Patton", "text": "bye!
", "time": "2022-07-25T15:40:48Z"}, {"author": "Scott Arciszewski", "text": "Thanks for the presentations
", "time": "2022-07-25T15:40:58Z"}, {"author": "Thom Wiggers", "text": "o/ see you in TLS for PQC abridged 2: The musical :D
", "time": "2022-07-25T15:41:08Z"}, {"author": "Jonathan Hoyland", "text": "For any still in the room, @MeetEcho the mics are still hot
", "time": "2022-07-25T15:42:26Z"}]