Markdown Version | Session Recording
Session Date/Time: 09 Nov 2023 14:00
CFRG Meeting - IETF 118 Prague
Summary
The CFRG meeting at IETF 118 in Prague covered updates on several active documents, including VDAF, BBS signatures and AEAD properties, as well as research on the impact of subtle AAD differences and a new Verifiable Distributed Aggregation Function (VDAF) called Mastic. Discussions also covered RSA implementation guidance and batch signatures. Several documents are nearing research group last call.
Key Discussion Points
- VDAF (Verifiable Distributed Aggregation Function): Chris presented updates, including optimizations for IDPF and a move from SHAKE to TurboSHAKE. The editors are considering a couple of breaking changes. Open issues include the IANA considerations and editorial work. Simon (surname unclear in the recording) questioned the maturity of Poplar compared to Prio and whether multiple implementations are needed.
- BBS Signatures: Vasilis discussed updates to the draft. The main changes are refactoring the draft to separate the proof operations and splitting the core operations from a high-level API. He proposed a new proof generation procedure based on the CDL 2016 construction. A separate document for blind BBS signatures was proposed. The group asked what specific use cases, inside or outside the IETF, are in mind for blind BBS signatures.
- AEAD (Authenticated Encryption with Associated Data) Properties: Andre provided an update on the AEAD properties draft. Samuel Lucas pointed out that the draft previously covered only key commitment and helped provide a roadmap; he noted that it is interesting that commitment has different applications. Indifferentiability is a topic being worked on but presents challenges, as it is an entirely different approach to defining AEAD security.
- Impact of Subtle AAD Differences: Alex presented research on the impact of subtle AAD differences on protocol security, focusing on automated analysis of protocols and the limitations of attacker models.
- Mastic (New VDAF): Dimitris presented Mastic, a new VDAF, focusing on one-hot verifiability and path verifiability to defend against malicious clients.
- RSA Guidance: Norman talked about the question of a blanket deprecation of PKCS#1 v1.5, new improvements to timing side-channel attacks, recommendations about the most common leakage sources, and implicit rejection for PKCS#1 v1.5 decryption.
- Batch Signatures: David introduced a draft on batch signatures that uses Merkle trees to improve throughput, aiming for a generic construction applicable to a range of signature algorithms. Feedback was requested.
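Implicit rejection, mentioned in the RSA guidance item, means a PKCS#1 v1.5 decryptor never reports a padding failure: it returns a pseudo-random plaintext derived from a secret and the ciphertext instead, so the padding check stops being a Bleichenbacher oracle. The following is an added example, not code or text from the draft or the meeting. It assumes a constructed toy RSA key built from two Mersenne primes (far too small for real use), a synthetic-plaintext key derived from the private key, and hypothetical function names; the explicit-reject variant is shown beside it as the shape the guidance warns against.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed toy RSA key from two Mersenne primes (about 234 bits in total).
# Far too small for real use; the padding and rejection logic is the point.
P = (1 << 107) - 1
Q = (1 << 127) - 1
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes (30 here)

# Secret used only to derive synthetic plaintexts. Assumption: it is derived
# from the private key, so it is stable across restarts and unknown to attackers.
SYNTH_KEY = hashlib.sha256(b"implicit-rejection-kdk" + D.to_bytes(K, "big")).digest()


def pkcs1_v15_encrypt(msg: bytes) -> bytes:
    """RSAES-PKCS1-v1_5: EM = 00 || 02 || PS (>= 8 non-zero bytes) || 00 || M."""
    if len(msg) > K - 11:
        raise ValueError("message too long")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(K - len(msg) - 3))
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def _rsa_decrypt_raw(ct: bytes) -> bytes:
    return pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")


def _unpad(em: bytes) -> Optional[bytes]:
    """Return M if EM is well formed, else None (the reason is never reported)."""
    if len(em) != K or em[0] != 0 or em[1] != 2:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:                       # no separator, or PS shorter than 8 bytes
        return None
    return em[sep + 1:]


def decrypt_explicit_reject(ct: bytes) -> bytes:
    """The classic shape: a malformed block raises. The error, and the timing of
    the error path, is exactly the oracle a Bleichenbacher attacker needs."""
    msg = _unpad(_rsa_decrypt_raw(ct))
    if msg is None:
        raise ValueError("decryption error")
    return msg


def decrypt_implicit_reject(ct: bytes, expected_len: int) -> bytes:
    """Implicit rejection: never report a padding failure. Always derive a
    synthetic plaintext from the secret and the ciphertext, and return it
    whenever the block is malformed or the message has an unexpected length.
    It is a deterministic function of ct, so repeated queries with the same bad
    ciphertext give consistent answers, just as a valid ciphertext would."""
    em = _rsa_decrypt_raw(ct)
    synthetic = b""
    counter = 0
    while len(synthetic) < expected_len:   # expand the PRF output as needed
        block = counter.to_bytes(4, "big")
        synthetic += hmac.new(SYNTH_KEY, ct + block, hashlib.sha256).digest()
        counter += 1
    synthetic = synthetic[:expected_len]
    msg = _unpad(em)
    # In C this selection (and _unpad itself) must be branch-free and run in
    # constant time; Python cannot promise that, so only the protocol-level
    # behaviour is demonstrated here.
    if msg is None or len(msg) != expected_len:
        return synthetic
    return msg


def make_bad_ciphertext() -> bytes:
    """Constructed ciphertext whose plaintext block has block type 01, not 02."""
    em = b"\x00\x01" + b"\x55" * (K - 2)
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")
```

The caller passes the length it expects (48 bytes for a TLS 1.2 premaster secret), so a wrong-length but well-padded message is also replaced rather than reported. Deriving the fallback deterministically from the ciphertext matters: a fresh random fallback on every call would let an attacker distinguish valid from invalid ciphertexts simply by submitting the same one twice.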
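The Merkle-tree batching described in the batch signatures item, as an added example that is not the draft's own construction or code: a batch of messages is hashed into a Merkle tree, the root is signed once with the underlying scheme, and each message is then accompanied by that one signature, its index and its authentication path. Assumptions: leaf/inner-node domain-separation prefixes, a zero-byte padding sentinel to round each level up to a power of two, a constructed toy RSA-over-SHA-224 scheme as the stand-in for whichever real signature algorithm is plugged in, and hypothetical function names.

```python
import hashlib
from typing import Callable, List, Tuple

LEAF, NODE = b"\x00", b"\x01"   # domain separation: an inner node can never pose as a leaf
PAD = bytes(32)                  # sentinel used to pad a level up to a power of two;
                                 # it is not the leaf hash of any known message


def _leaf(msg: bytes) -> bytes:
    return hashlib.sha256(LEAF + msg).digest()


def _node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE + left + right).digest()


def _levels(leaves: List[bytes]) -> List[List[bytes]]:
    """All tree levels, leaves first, root last."""
    if not leaves:
        raise ValueError("empty batch")
    level = list(leaves)
    while len(level) & (len(level) - 1):   # pad to a power of two
        level.append(PAD)
    levels = [level]
    while len(level) > 1:
        level = [_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def _auth_path(levels: List[List[bytes]], index: int) -> List[bytes]:
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])      # sibling at this level
        index >>= 1
    return path


def root_from_path(leaf: bytes, index: int, path: List[bytes]) -> bytes:
    """Recompute the root; the index bits say on which side each sibling sits."""
    h = leaf
    for sibling in path:
        h = _node(sibling, h) if index & 1 else _node(h, sibling)
        index >>= 1
    return h


Entry = Tuple[int, List[bytes], bytes]   # (index, authentication path, root signature)


def batch_sign(msgs: List[bytes], sign_root: Callable[[bytes], bytes]) -> List[Entry]:
    """One underlying signature for the whole batch; every message gets that
    same signature plus its position and Merkle authentication path."""
    levels = _levels([_leaf(m) for m in msgs])
    sig = sign_root(levels[-1][0])
    return [(i, _auth_path(levels, i), sig) for i in range(len(msgs))]


def batch_verify(msg: bytes, index: int, path: List[bytes], sig: bytes,
                 verify_root: Callable[[bytes, bytes], bool]) -> bool:
    """Rebuild the root from this message's leaf and path, then check the root
    signature with the underlying scheme."""
    return verify_root(root_from_path(_leaf(msg), index, path), sig)


# Stand-in underlying scheme: textbook RSA over a SHA-224 digest with a toy
# Mersenne-prime key. Not a secure signature; any real scheme (RSA-PSS, ECDSA,
# Ed25519, a post-quantum scheme) plugs in through sign_root / verify_root.
P, Q, E = (1 << 107) - 1, (1 << 127) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8


def rsa_sign_root(root: bytes) -> bytes:
    h = int.from_bytes(hashlib.sha224(root).digest(), "big")   # 224 bits, so h < N
    return pow(h, D, N).to_bytes(K, "big")


def rsa_verify_root(root: bytes, sig: bytes) -> bool:
    h = int.from_bytes(hashlib.sha224(root).digest(), "big")
    return pow(int.from_bytes(sig, "big"), E, N) == h
```

Throughput comes from amortizing one expensive signing operation over the whole batch; the verifier pays one signature verification plus a logarithmic number of hashes per message. The leaf/node prefixes are what stop a second-preimage-style trick where an inner node value is presented as a "message", and the padding sentinel is chosen so it cannot collide with a genuine leaf without a preimage of SHA-256.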
Decisions and Action Items
- VDAF: Study in more detail the security implications of the IDPF optimization, which sacrifices a small amount of security.
- BBS Signatures: Discuss whether blind signature functionality should be a separate document or included in the main draft.
- RSA Guidance: Contact the chairs to discuss bringing the draft to an adoption call.
Next Steps
- VDAF: Editors to continue addressing open issues and seek reviews.
- BBS Signatures: Reviewers to review the draft once it is updated with the new proof generation procedure.
- AEAD Properties: Andre to continue working on indifferentiability and incorporating feedback on the draft.
- Mastic: Continue evaluations and the full security analysis in a forthcoming paper. The presenters will provide an apples-to-apples comparison of Mastic with Poplar.
- Batch Signatures: Refine the draft and gather use cases.
- OPAQUE and CPace: Research group last calls to start very soon.