**Session Date/Time:** 25 Jul 2024 20:00

# CFRG Meeting - IETF 120

## Summary

The CFRG meeting at IETF 120 in Vancouver featured six presentations covering various cryptographic topics: blind signatures with public metadata, Merkle Tree Ladder mode, cryptographic approaches for IPPM capacity protocols, a new mode of operation built on AES-GCM, a design team proposal for combined KEMs, and potential directions for HPKEv2. Discussions touched on security models, dependency management, standardization efforts, and the evolution of cryptographic protocols.

## Key Discussion Points

* **Partially Blind RSA Signatures:** Discussion centered on the utility of public metadata, security proofs, unlinkability, and the potential for PQC alternatives. Questions were raised regarding one-more unforgeability under different metadata.
* **Merkle Tree Ladder Mode (MTL):** The presentation sought adoption of MTL mode and raised the broader question of whether CFRG should work on signature scheme modes of operation, especially regarding NIST's pre-hashing versus pure signing approaches. The use of context as a domain separator was discussed.
* **IPPM Capacity Protocol Crypto:** The security of using the second half of an HMAC-SHA-256 digest as the IV for AES in CBC mode was questioned. Issues with deterministic encryption and padding vulnerabilities were highlighted. AES-SIV was suggested as a possible alternative.
* **Double Nonce-Derived Key GCM (DNDK-GCM):** The presentation focused on a new mode of operation for AES-GCM addressing limitations in nonce size, the birthday bound, and key commitment. Key derivation, configuration options, and performance were discussed. Concern was raised regarding overhead.
* **Combined KEMs:** The design team presented a plan for a document outlining security properties, potential combination approaches, and concrete combinations for hybrid KEMs. Separating concrete instantiations into separate documents was proposed and generally accepted.
* **HPKEv2 Ideas:** Proposed additions for HPKEv2 included binding properties, a signature-based authentication KEM (auth-kem) mode, and a generalized key schedule to allow multiple N-caps. It was discussed whether this should be one large change or be broken into extensions.

## Decisions and Action Items

* **Partially Blind RSA Signatures:** The authors will address the questions raised on the list and continue the discussion.
* **Merkle Tree Ladder Mode:** Authors to follow up with NIST on the intent of the 0 and 1 prefixes for NIST signature mode indicators.
* **IPPM Capacity Protocol Crypto:** Author to review the notes and comments, especially the suggestion to switch to AES-SIV. Discussion to continue on the CFRG mailing list.
* **Combined KEMs:** The research group agreed to proceed with the design team's plan, splitting the document into a general overview and separate documents for concrete instantiations. Co-authors were solicited.
* **HPKEv2 Ideas:** Open questions and next steps will continue on the mailing list to consider whether these ideas should form one new version or be separated into extensions.

## Next Steps

* Chairs will attempt to close outstanding errata on CFRG documents.
* Continue discussions on the mailing list for partially blind RSA signatures, IPPM capacity protocol crypto, and HPKEv2.
* The design team will begin drafting documents based on the plan for combined KEMs, with Chris Wood as a primary contributor and others volunteering to help.