CFRG - Crypto Forum Research Group

IETF 121 in Vancouver

Wednesday November 6, 2024, 09:30-11:30 (UTC)

https://meetings.conf.meetecho.com/ietf121/?session=33370
Notes: https://notes.ietf.org/notes-ietf-121-cfrg

Chairs: Stanislav Smyshlyaev (SS, remote), Nick Sullivan (NS), and
Alexey Melnikov (AM)

Note-taker:

Presentations

Chairs' update

Alicja Kario: RSA implementation guidance should be ready for RGLC.

CFRG RFCs Errata

Nick Sullivan

Tero Kivinen: The RFC Editor has an HTML version of the RFCs which shows
errata incorporated as in-place changes, but that is done only for
verified errata entries, so check the ones marked as hold and see if
they should be verified instead.

CPace

Bjoern Haase
draft-irtf-cfrg-cpace

Draft should be ready for RGLC.

AEGIS

Frank Denis
draft-irtf-cfrg-aegis-aead

Would like to start RGLC soon.

ML-KEM

Scott Fluhrer
draft-sfluhrer-cfrg-ml-kem-security-considerations

Deirdre Connolly: I made a PR about it; it needs work on binding
properties. Also uploaded an I-D for ML-KEM codepoints for HPKE (sent to
the list).
Scott Fluhrer: Code points for HPKE would be good; for the other
things I will look at the PR.
Daniel Shiu: Something that is not in the draft is side channels.
Scott Fluhrer: This is mostly for the protocol implementors, not for
the crypto implementors.
Guilin Wang: What about failure rates?
Scott Fluhrer: The failure rates are so low that there is no point.
Quynh Dang: The spec already takes care of the failure cases.
Scott Fluhrer: There are two cases: if someone modifies things in
the middle, that is taken care of; the other one is a bit different.
Guilin Wang: Guidance on how to use ephemeral vs. long-term keys?
Scott Fluhrer: There is text for that, but if it is not adequate,
please send comments.

Blind BBS and BBS Pseudonyms

Vasilis Kalos
draft-kalos-bbs-blind-signatures
draft-kalos-bbs-per-verifier-linkability

No comments.

FrodoKEM

Patrick Longa
Moved here because of audio problems.

Scott Fluhrer: Does the draft allow you to implement FrodoKEM
without other documents?
Patrick Longa: Yes.
John Preuß Mattsson: Documents should not refer to paywalled ISO
documents. Also, the hybrids using ML-KEM etc. have better performance
than FrodoKEM.
Guilin Wang: In IPsec there is a hybrid exchange. Do you have a plan
to write a draft to introduce FrodoKEM?
Patrick Longa: There is already a draft, in a decent state, and
we want to make that public.
Leif Johansson: What part of the Swedish government is doing this?
Patrick Longa: I do not remember. Stefan should know.
Kris Kwiatkowski: Does the ISO version include parametrization for
AES?
Patrick Longa: Yes, it includes AES and SHAKE.
Kris Kwiatkowski: Why is it easier to protect against side channels?
Patrick Longa: Masking is much simpler; in hardware implementations
it is free. Also, using table lookups is simpler and constant time.
Ben S: You include 12 versions, including e variants. Are there any
benefits to including the e versions?
Patrick Longa: The non-ephemeral or salted version is protected
against multi-ciphertext attacks; it is an open discussion which versions we
should include. For example, whether to use AES or SHAKE depends on the
hardware. For simplicity perhaps some parameters are not needed.
We are open to that discussion.

Rocca-S

Yuto Nakano
draft-nakano-rocca-s

Scott Fluhrer: How much cryptanalysis has been done for this?
Yuto Nakano: We have done self-evaluation.
Scott Fluhrer: In the AEGIS presentation they were faster than AES,
but here you have it the other way around.
Yuto Nakano: They do AEGIS in parallel, and here it is not
parallel.

Divergences of Ed25519 in Web Crypto and beyond

Daniel Huigens

(related to the small-order checks)
Alicja Kario: We also have the NIST specification for Ed25519; how does
that align with the checks it requires?
Daniel Huigens: I do not know. I will have to double check.
Ben Westerbaan: There have been lots of issues with small-order
points. It is lots of extra work for nothing. Let's not complicate
things.
Dennis Jackson: We think these checks are quite simple, but if they
are not needed, we can do that. More about alignment.
Deirdre Connolly: In the blockchain community there has been adoption. We
have implemented it in a consistent, verifiable way. You can steal the text
that we've written down (from Zulip). What about Schnorr over the
Ristretto group; would that be nicer?
Björn Haase: I would like to see the deterministic signatures aspect
detailed in the RFC. We should have guidance. I do not have a strong point
regarding the other issues.
John Preuß Mattsson: We should distinguish hedged signatures instead
of randomized signatures. A lot of the discussion about hedged signatures has
been about IPR disclosures.
David Benjamin: We need 8032bis.
Deirdre Connolly: It is very important to have consistent
validation and batching algorithms to handle cofactors in small-order
points.
Nick Sullivan: Lots of interest in a bis document, as well as making
sure the hedged document can also continue forward. Bring it to the list.

Reviving draft-irtf-cfrg-webcrypto-algorithms

Daniel Huigens
draft-irtf-cfrg-webcrypto-algorithms

I will be happy to work on this draft, but it would be good to have help.

No volunteers at this time.

Daniel Huigens: Will bring to list.

ML-KEM public key compression and random encodings

Shannon Veitch

Deirdre Connolly: I am very interested in this, and I support this.
Daniel Shiu: Why do you compress the ciphertexts and then use mod
encoding, when you could just convert the compressed ciphertext to a
binary string?
Deirdre Connolly: It does some rounding, and the output distribution
after compression is not uniform. We need to recover this uniform
property of the ciphertext before compression before we can encode them.

Robert Moskowitz: Anything that is smaller is better. I am
interested in this.

Meeting ends