Session Date/Time: 24 Jul 2025 15:00
CFRG Meeting Minutes - IETF 123
Summary
The CFRG meeting at IETF 123 featured discussions on hybrid key encapsulation mechanisms (KEMs), post-quantum KEMs including NTRU and Classic McEliece, updates on blind signatures, zero-knowledge proofs for small identity theorems, Sigma Protocols, AEAD algorithms, and post-quantum password authenticated key exchange (PAKE). A key focus was on defining the problems that CFRG should address, balancing security and performance, and determining the appropriate venue for standardization work.
Key Discussion Points
- Hybrid KEMs:
  - Discussion centered on the trade-offs between the different combiner constructions (GHP, PRE, QSF).
  - A question was raised whether to proceed with three different combiners or consolidate.
  - Deterministic key generation and hash function selection (SHA2 vs. SHA3) were debated in the context of the LAMPS draft.
  - It was suggested that an interim meeting would be beneficial to refine this draft.
- Post-Quantum KEMs (NTRU and Classic McEliece):
  - Debate around problem definition: what problem(s) would be solved by standardizing more PQ KEMs in CFRG beyond the NIST selections?
  - Is CFRG the correct venue to pursue this work, or should it be done in a different group, possibly even at the IETF instead of the IRTF?
  - Need for a requirements document to guide the selection of PQ KEMs.
  - Discussion of whether engineers have the tools to choose KEMs for their specific needs.
  - Security and performance comparisons between NTRU, McEliece, and other KEMs.
  - Concerns about the mathematical assumptions and the implications if one is broken.
- Blind Signatures:
  - Updates on the core scheme and pseudonym functionalities.
  - Concern about compromised privacy due to the potential for discrete logarithm computation.
  - A polynomial approach was suggested to mitigate this issue by introducing multiple pseudonyms, but it increases the proof size.
- Zero-Knowledge Proofs for Small Identity Theorems:
  - Need to research and develop post-quantum zero-knowledge schemes suitable for applications like digital identity wallets and age verification.
  - Discussion on the level of abstraction needed to create usable tools.
- Sigma Protocols:
  - Update on progress since the last meeting, including the call for adoption.
  - Clarification regarding the scope and relationship between the Sigma Protocol and Fiat-Shamir transform specifications.
  - Debate over which curves should be supported.
  - A push to limit the complexity and scope to encourage interoperability, while still allowing for extensions.
- AEAD Algorithms (Rocca-S and ChaCha20-Poly1305):
  - Presentation of new parallel modes for Rocca-S for performance improvement.
  - Proposal to update ChaCha20-Poly1305 for enhanced security and performance using Poly 1.1, and to include other properties defined in RFC 9771.
- Post-Quantum PAKEs:
  - Presentation of a hybrid post-quantum password authenticated key exchange (PAKE) protocol named Spacequake.
  - Discussion of the level of interest in the protocol, and whether it should be handled in CFRG or a separate IETF working group.
Decisions and Action Items
- Virtual Interim Meeting: The Chairs will take to the list the suggestion to have a virtual interim meeting in September to move the Hybrid KEM draft along.
- Meta-Analysis Draft: There was no one at the meeting, but the Chairs are open to the list suggesting someone to perform a meta-analysis comparing the security reductions and proofs of different candidate KEMs.
Next Steps
- Authors of hybrid KEM drafts to address feedback from the list and meeting, and aim for a new draft version within a month.
- The list to determine the next steps for the post-quantum KEM suggestions.
- Authors to refine draft for Sigma Protocols following the feedback.
- Take feedback from the discussion to the list to determine interest in a work item for post-quantum PAKEs.