CFRG - Crypto Forum Research Group

IETF 118 in Prague

Thursday November 9, 2023, 15:00-16:30 (UTC + 1)


Chairs: Stanislav Smyshlyaev (SS), Nick Sullivan (NS), and Alexey
Melnikov (AM)


15:00 - Chairs' update (5 mins).

Four new RFCs.

15:05 - Chris Patton, "VDAF" (10+5 mins)

Ready for RGLC. Needed by IETF PPM WG.
Open questions: GitHub issues #299, #306, #287, and #110.
Ask for editorial reviews as well.

Simon: Is Poplar1 adequately reviewed?
Chris: Not as well reviewed as Prio3, but it will probably stay.

15:20 - Vasilis Kalos, "The BBS Signature Scheme" (10+5 mins)

The BBS Signature Scheme is very stable and well reviewed. Working on
Blind BBS signatures, but wonder whether it should be added to the base
document or put in a separate one.

Chris: Does anyone in the IETF need this work?
Vasilis: Interest from outside the IETF, and once published there may be
Orie: It is useful in the COSE CWT.
Unknown: Useful for a credentialing system so that you do not need a
separate one for each verifier.

15:35 - Andrey Bozhko, "Properties of AEAD algorithms" (5+5 mins)

Want to add discussion of indifferentiability.

Jonathan: Still interested in verification without decryption.
Andrey: I remember.

Chris: I was interested in indifferentiability, but it is a different
Chris: Do you need both full commitment and key commitment?
Andrey: Full commitment is harder to achieve, so they need to both be
Chris: Maybe few choices is better for non-cryptographers.

15:45 - Alexander Dax, "How Subtle AEAD Differences can Impact Protocol Security" (10+5 mins)

Many ways to misunderstand and misuse AEADs.
The researchers identify three broad theoretical classes that also
capture most practical attacks: (1) Integrity and Privacy, (2)
Collision Resistance, and (3) Nonce Reuse.

Andrey: What are your future plans? Can you help with
Alex: Want to look at other primitives, not just AEAD. Willing to talk
about your draft.

16:00 - Dimitris Mouris, "The Mastic VDAF" (10+3 mins)

One-hot verifiability and path verifiability together thwart a malicious

Chris Wood: What about multiple cooperating malicious clients?
Dimitris: Need to do more investigation about multiple cooperating
malicious clients. The run time would not be increased.
Chris Patton: More flexible than Poplar. Need to finish the analysis.

16:13 - Hubert Kario, "Implementation Guidance for the PKCS#1 RSA Cryptography Specification" (10+3 mins)

Improvements in detecting side channels over the network in RSA using
PKCS#1 v1.5.

Chris: What is the function of this draft?
Hubert: Stop using RSA using PKCS#1 v1.5. Also, give something to move
Chris: Ready for adoption call?
Hubert: Yes.

Bob: We have old hardware in the aviation industry. Hard to move in those

16:26 - David Joseph, "Batched Signatures" (4 mins)

Want to make you aware of this work. Build a Merkle Tree, and then sign
the root. Others have worked on similar ideas, and want to bring them
all together in the CFRG.
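The Merkle-tree batching summarised above, as an added example (not code from the presentation or from the CFRG): the signature scheme is passed in as a pluggable sign/verify pair, which is what keeps the construction independent of any particular algorithm; `demo_sign`/`demo_verify` are a constructed HMAC stand-in so the example runs offline, not a real signature scheme.

```python
import hashlib
import hmac

# Domain separation: a leaf hash can never collide with an interior-node
# hash, which blocks the classic Merkle second-preimage trick.
LEAF_PREFIX, NODE_PREFIX = b"\x00", b"\x01"

def _leaf(msg):
    return hashlib.sha256(LEAF_PREFIX + msg).digest()

def _node(left, right):
    return hashlib.sha256(NODE_PREFIX + left + right).digest()

def batch_sign(messages, sign):
    """Hash each message into a leaf, build the tree and sign only the root.
    Returns (root_signature, proofs); proofs[i] is a list of
    (sibling_hash, sibling_is_left) steps from leaf i up to the root."""
    level = [_leaf(m) for m in messages]
    groups = [[i] for i in range(len(messages))]  # leaf indices under each node
    proofs = [[] for _ in messages]
    while len(level) > 1:
        if len(level) % 2:                 # odd count: duplicate the last node
            level.append(level[-1])
            groups.append([])              # the copy owns no leaves
        nxt, ngroups = [], []
        for a in range(0, len(level), 2):
            left, right = level[a], level[a + 1]
            for i in groups[a]:
                proofs[i].append((right, False))
            for i in groups[a + 1]:
                proofs[i].append((left, True))
            nxt.append(_node(left, right))
            ngroups.append(groups[a] + groups[a + 1])
        level, groups = nxt, ngroups
    return sign(level[0]), proofs

def verify_batched(message, proof, root_sig, verify):
    """Recompute the root from one message and its path, then check the
    single signature over that root."""
    h = _leaf(message)
    for sibling, sibling_is_left in proof:
        h = _node(sibling, h) if sibling_is_left else _node(h, sibling)
    return verify(h, root_sig)

# Constructed stand-in for a real signature scheme (HMAC, symmetric) so this runs offline.
_DEMO_KEY = b"constructed-demo-key"
def demo_sign(root):
    return hmac.new(_DEMO_KEY, root, "sha256").digest()
def demo_verify(root, sig):
    return hmac.compare_digest(demo_sign(root), sig)
```

A verifier holding one message, its path and the single root signature can check it without seeing the other batched messages, which is the property that makes the scheme useful for high-volume signing.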

Chris Wood: Not specific to any particular signature algorithm?
David: Correct.

Orie: A construction similar to this is being used in SCITT.

Chris: Does this make a difference for post-quantum?
David: Want your use cases to consider.

SS: The chairs are planning to announce RGLCs for the two selected PAKEs