# CFRG (Crypto Forum Research Group) {#cfrg-crypto-forum-research-group}

IETF 115 in London

* Date: Monday, November 07, 2022 (2 hours)
* Time: 09:30-11:30 (UTC)
* Meetecho: https://meetings.conf.meetecho.com/ietf115/?group=cfrg&short=cfrg&item=1
* Onsite tool: https://meetings.conf.meetecho.com/onsite115/?group=cfrg&short=cfrg&item=1
* Jabber: cfrg@jabber.ietf.org
* Notes: https://notes.ietf.org/notes-ietf-115-cfrg

RG Chairs:

* Alexey Melnikov alexey.melnikov@isode.com
* Stanislav Smyshlyaev smyshsv@gmail.com
* Nick Sullivan nick@cloudflare.com

RG Secretary:

* Chris Wood caw@heapingbits.net

Note taker:

* Russ Housley

# Minutes for CFRG at IETF 115 {#minutes-for-cfrg-at-ietf-115}

## Chairs' update {#chairs-update}

https://datatracker.ietf.org/meeting/115/materials/slides-115-cfrg-cfrg-chairs-document-status-update

Alexey gave the status for the CFRG documents (see slides).

## Tobias Looker, "BBS Signatures" (draft-irtf-cfrg-bbs-signatures) (10+5 mins) {#tobias-looker-bbs-signatures-draft-irtf-cfrg-bbs-signatures-105-mins}

https://datatracker.ietf.org/meeting/115/materials/slides-115-cfrg-bbs

There are not many implementations of hash-to-curve with the ciphersuites that were in the previous version of the I-D. One that makes use of SHA-256 was added. The authors are looking at ways to improve the proof fixtures in the test vectors.

The use of hash-to-curve puts a limit on the number of messages for which the prover can create commitments and hide. Depending on the option picked, the limit might be 2^48 messages.

## Andrey Bozhko, "Classification of properties of AEAD modes" (draft-bozhko-cfrg-aead-properties) (5+5 mins) {#andrey-bozhko-classification-of-properties-of-aead-modes-draft-bozhko-cfrg-aead-properties-55-mins}

https://datatracker.ietf.org/meeting/115/materials/slides-115-cfrg-aead-properties

Andrey proposed some changes for the next version of the document, and he asks for review and feedback. Some AEAD properties require a non-RFC5116 interface.
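As an added illustration of what "the RFC 5116 interface" means in practice (example code written for these notes, not from the draft or from the presenter), the two RFC 5116 operations are expressed below as Go functions over AES-GCM from the standard library: encryption takes K, N, P and A and returns C with the tag already inside it; decryption returns P or fails. Two properties are then checked purely through that interface: constant ciphertext expansion and detection of any modification to C or to A. The key, nonce, associated data and message are constructed sample values. Which properties need a different interface is not recorded in the minutes; the point of the example is only to show the boundary of what the standard interface exposes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// newGCM builds the concrete AEAD instance used in this example (AES-GCM).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// AEADEncrypt is the RFC 5116 encryption operation: inputs K, N, P, A;
// output C, with the authentication tag already included in C.
func AEADEncrypt(key, nonce, plaintext, ad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(nonce) != aead.NonceSize() {
		return nil, errors.New("nonce must be exactly 12 bytes for AES-GCM")
	}
	return aead.Seal(nil, nonce, plaintext, ad), nil
}

// AEADDecrypt is the RFC 5116 decryption operation: inputs K, N, C, A;
// output P, or FAIL (an error) if C or A was modified.
func AEADDecrypt(key, nonce, ciphertext, ad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(nonce) != aead.NonceSize() {
		return nil, errors.New("nonce must be exactly 12 bytes for AES-GCM")
	}
	return aead.Open(nil, nonce, ciphertext, ad)
}

// CiphertextExpansion reports len(C) - len(P). RFC 5116 requires this to be
// a fixed constant for a given AEAD; for AES-GCM it is the 16-byte tag.
func CiphertextExpansion(key, nonce, plaintext, ad []byte) (int, error) {
	c, err := AEADEncrypt(key, nonce, plaintext, ad)
	if err != nil {
		return 0, err
	}
	return len(c) - len(plaintext), nil
}

// TamperDetected checks the integrity property using only the interface:
// the honest pair must decrypt to P, while flipping one bit of C, and
// separately one bit of A, must make decryption fail.
func TamperDetected(key, nonce, plaintext, ad []byte) (bool, error) {
	c, err := AEADEncrypt(key, nonce, plaintext, ad)
	if err != nil {
		return false, err
	}
	p, err := AEADDecrypt(key, nonce, c, ad)
	if err != nil || !bytes.Equal(p, plaintext) {
		return false, errors.New("honest round trip failed")
	}
	badC := append([]byte(nil), c...)
	badC[0] ^= 0x01
	if _, err := AEADDecrypt(key, nonce, badC, ad); err == nil {
		return false, nil // modified ciphertext was accepted
	}
	if len(ad) > 0 {
		badA := append([]byte(nil), ad...)
		badA[0] ^= 0x01
		if _, err := AEADDecrypt(key, nonce, c, badA); err == nil {
			return false, nil // modified associated data was accepted
		}
	}
	return true, nil
}

// Constructed sample inputs (not from the draft); fixed so the run is deterministic.
var (
	SampleKey   = bytes.Repeat([]byte{0x11}, 16) // AES-128 key
	SampleNonce = bytes.Repeat([]byte{0x22}, 12) // 96-bit nonce, must never repeat under one key
	SampleAD    = []byte("header: constructed associated data")
	SampleMsg   = []byte("constructed plaintext for the AEAD property check")
)

func main() {
	n, err := CiphertextExpansion(SampleKey, SampleNonce, SampleMsg, SampleAD)
	fmt.Println("ciphertext expansion:", n, err)
	ok, err := TamperDetected(SampleKey, SampleNonce, SampleMsg, SampleAD)
	fmt.Println("tamper detected:", ok, err)
}
```

Both checks are written against the four-input/one-output contract only; a property whose definition needs access to internal state or to values the interface never returns cannot be expressed as a function like these, which is the kind of mismatch the minutes refer to.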
The literature does not agree on the terminology for AEAD properties. There is interest in using this document to help converge on terms across the community. Paul Wouters (the Security AD) supported the document. After some further discussion, the author should request a call for adoption.

## Yuto Nakano, "Encryption algorithm Rocca-S" (draft-nakano-rocca-s) (10+5 mins) {#yuto-nakano-encryption-algorithm-rocca-s-draft-nakano-rocca-s-105-mins}

https://datatracker.ietf.org/meeting/115/materials/slides-115-cfrg-rocca-s

The algorithm provides strong encryption with 100+ Gbps throughput. Sponge-based construction. 256-bit key. 256-bit authentication tag. AES round function 𝐴 and XOR. The authors do not claim any intellectual property rights and place no restrictions on use of the algorithm. An attack on this new algorithm does not necessarily mean there is an attack against AES.

## Scott Fluhrer, "The use of NTRU" (draft-fluhrer-cfrg-ntru) (10+5 mins) {#scott-fluhrer-the-use-of-ntru-draft-fluhrer-cfrg-ntru-105-mins}

https://datatracker.ietf.org/meeting/115/materials/slides-115-cfrg-ntru

Kyber has some plausible patent claims. NIST is working with the patent holders to allow free access, but we do not know the final agreement. Until we see the licensing agreement, just saying "Kyber is the solution" is not sufficient. On the other hand, all the NTRU patents have expired.

NIST announced that the agreements have been signed with the two patent holders, and the terms will be announced in the next month or so.