# CFRG - Crypto Forum Research Group {#cfrg---crypto-forum-research-group}

IETF 118 in Prague
Thursday November 9, 2023, 15:00-16:30 (UTC + 1)

Meetecho: https://meetings.conf.meetecho.com/ietf118/?group=cfrg&short=&item=1
Notes: https://notes.ietf.org/notes-ietf-118-cfrg

Chairs: Stanislav Smyshlyaev (SS), Nick Sullivan (NS), and Alexey Melnikov (AM)

# Note-taker: {#note-taker}

## 15:00 - Chairs' update (5 mins). {#1500---chairs-update-5-mins}

Four new RFCs.

## 15:05 - Chris Patton, "VDAF" (10+5 mins) {#1505---chris-patton-vdaf-105-mins}

Ready for RGLC. Needed by the IETF PPM WG.

Open questions: GitHub issues #299, #306, #287, and #110. Asking for editorial reviews as well.

Simon: Is Poplar1 adequately reviewed?

Chris: Not as well reviewed as Prio3, but it will probably stay.

## 15:20 - Vasilis Kalos, "The BBS Signature Scheme" (10+5 mins) {#1520---vasilis-kalos-the-bbs-signature-scheme-105-mins}

The BBS Signature Scheme is very stable and well reviewed. Working on Blind BBS signatures, but wondering whether it should be added to the base document or put in a separate one.

Chris: Does anyone in the IETF need this work?

Vasilis: Interest from outside the IETF, and once published there may be others.

Orie: It is useful in the COSE CWT.

Unknown: Useful for credentialing systems, so that you do not need a separate one for each verifier.

## 15:35 - Andrey Bozhko, "Properties of AEAD algorithms" (5+5 mins) {#1535---andrey-bozhko-properties-of-aead-algorithms-55-mins}

Wants to add a discussion of indifferentiability.

Jonathan: Still interested in verification without decryption.

Andrey: I remember.

Chris: I was interested in indifferentiability, but it is a different paradigm.

Chris: Do you need both full commitment and key commitment?

Andrey: Full commitment is harder to achieve, so they need to both be discussed.

Chris: Maybe few choices is better for non-cryptographers.

## 15:45 - Alexander Dax, "How Subtle AEAD Differences can Impact Protocol Security" (10+5 mins) {#1545---alexander-dax-how-subtle-aead-differences-can-impact-protocol-security-105-mins}

There are many ways to misunderstand and misuse AEADs. The researchers identify three broad theoretical classes, which also capture most practical attacks: (1) Integrity and Privacy, (2) Collision Resistance, and (3) Nonce Reuse.

Andrey: What are your future plans? Can you help with draft-irtf-cfrg-aead-properties?

Alex: Want to look at other primitives, not just AEAD. Willing to talk about your draft.

## 16:00 - Dimitris Mouris, "The Mastic VDAF" (10+3 mins) {#1600---dimitris-mouris-the-mastic-vdaf-103-mins}

One-hot verifiability and path verifiability together thwart a malicious client.

Chris Wood: What about multiple cooperating malicious clients?

Dimitris: Need to do more investigation about multiple cooperating malicious clients. The run time would not be increased.

Chris Patton: More flexible than Poplar. Need to finish the analysis.

## 16:13 - Hubert Kario, "Implementation Guidance for the PKCS#1 RSA Cryptography Specification" (10+3 mins) {#1613---hubert-kario-implementation-guidance-for-the-pkcs1-rsa-cryptography-specification-103-mins}

Improvements in detecting side channels over the network in RSA using PKCS#1 v1.5.

Chris: What is the function of this draft?

Hubert: Stop using RSA with PKCS#1 v1.5. Also, give something to move to.

Chris: Ready for adoption call?

Hubert: Yes.

Bob: We have old hardware in the aviation industry. Hard to move in those environments.

## 16:26 - David Joseph, "Batched Signatures" (4 mins) {#1626---david-joseph-batched-signatures-4-mins}

Wants to make you aware of this work. Build a Merkle tree, and then sign the root. Others have worked on similar ideas, and wants to bring them all together in the CFRG.

Chris Wood: Not specific to any particular signature algorithm?

David: Correct.

Orie: A construction similar to this is being used in SCITT.

Chris: Does this make a difference for post-quantum?

David: Want your use cases to consider.

SS: The chairs are planning to announce RGLCs for the two selected PAKEs soon.
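An added illustration of the batching construction discussed in the Batched Signatures slot (build a Merkle tree over the messages, sign only the root, and hand each message its inclusion path). This is example code written for these notes, not David Joseph's draft, the SCITT construction, or any referenced implementation. It assumes SHA-256 with RFC 6962-style leaf/node domain separation, pads an odd level by duplicating its last node, and uses an HMAC stand-in (`sign_root` / `verify_root_sig`) for the root signature, since, as the discussion noted, the construction does not depend on the underlying signature algorithm.

```python
import hashlib
import hmac

# Domain-separation prefixes (assumed here, RFC 6962 style) so a leaf hash
# can never be reinterpreted as an interior node hash, and vice versa.
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"


def leaf_hash(msg: bytes) -> bytes:
    return hashlib.sha256(LEAF_PREFIX + msg).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def build_tree(messages):
    """Return the tree as a list of levels: levels[0] are the (padded) leaves,
    levels[-1] is the single root. Odd levels are padded by duplicating the
    last node (an assumption of this example), so every sibling index exists."""
    if not messages:
        raise ValueError("cannot sign an empty batch")
    level = [leaf_hash(m) for m in messages]
    levels = []
    while True:
        if len(level) > 1 and len(level) % 2 == 1:
            level = level + [level[-1]]
        levels.append(level)
        if len(level) == 1:
            break
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return levels


def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root, each tagged with whether the sibling
    sits to the right of the path node."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling], index % 2 == 0))
        index //= 2
    return proof


def root_from_proof(msg: bytes, proof) -> bytes:
    """Recompute the root a verifier would reach from one message and its path."""
    h = leaf_hash(msg)
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h


# Stand-in for "sign the root" with any signature scheme. HMAC is used only so
# the example runs offline with the standard library; a real deployment would
# use an actual (possibly post-quantum) digital signature here.
def sign_root(key: bytes, root: bytes) -> bytes:
    return hmac.new(key, root, hashlib.sha256).digest()


def verify_root_sig(key: bytes, root: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_root(key, root), sig)


def batch_sign(key: bytes, messages):
    """One signing operation for the whole batch; each message gets
    (inclusion path, shared root signature) as its individual signature."""
    levels = build_tree(messages)
    root_sig = sign_root(key, levels[-1][0])
    return [(inclusion_proof(levels, i), root_sig) for i in range(len(messages))]


def batch_verify(key: bytes, msg: bytes, batch_sig) -> bool:
    """Verify a single message without seeing the rest of the batch:
    rebuild the root from the path, then check the signature on that root."""
    proof, root_sig = batch_sig
    return verify_root_sig(key, root_from_proof(msg, proof), root_sig)


# Constructed demo inputs (not real keys or messages). Three messages is an
# odd count on purpose, to exercise the padding rule.
DEMO_KEY = b"constructed-demo-key"
DEMO_MESSAGES = [b"message 0", b"message 1", b"message 2"]


def demo():
    sigs = batch_sign(DEMO_KEY, DEMO_MESSAGES)
    all_ok = all(batch_verify(DEMO_KEY, m, s) for m, s in zip(DEMO_MESSAGES, sigs))
    tampered_ok = batch_verify(DEMO_KEY, b"tampered", sigs[0])
    return all_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

Each per-message signature is one inclusion path plus the single root signature, so the cost of one expensive signing operation is amortized across the batch, and a verifier of one message learns only hashes of the others, never their contents. Swapping a message's path for another's fails verification because the recomputed root no longer matches the signed one.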