**Session Date/Time:** 18 Mar 2024 03:00

# CFRG Meeting Minutes

## Summary

The CFRG meeting covered a wide range of topics, including updates on existing drafts, discussion of new proposals related to post-quantum cryptography and federated machine learning, and formal analysis of TLS protocols. Key discussions revolved around hybrid key exchange mechanisms, secure aggregation techniques for privacy-preserving machine learning, and potential inconsistencies in existing TLS implementations.

## Key Discussion Points

* **Hedged ECDSA/EdDSA Signatures:**
  * Discussed naming conventions and alignment with the academic literature and NIST standards.
  * Addressed concerns about the order of the random value and the prefix for side-channel attack mitigation.
  * Reviewed the inclusion of test vectors and potential proofs for the construction.
* **GCM with Secure Short Tags (GCM-SST):**
  * Explained the motivation for secure short tags in GCM, particularly for radio link layers and media applications.
  * Compared GCM-SST with standard GCM in terms of performance and security properties.
  * Solicited interest from the CFO (Codec Foo Optimization) working group for potential adoption.
* **ML-KEM in HPKE:**
  * Analyzed the binding properties of DH-KEM (the Diffie-Hellman key encapsulation mechanism) in HPKE (Hybrid Public Key Encryption) and compared them to those of ML-KEM (Module Learning with Errors Key Encapsulation Mechanism).
  * Discussed potential re-encapsulation attacks and the need for strong binding of the ciphertext and the public key.
  * Considered options for modifying HPKE or adapting ML-KEM to ensure security in hybrid post-quantum scenarios.
* **Mastic for VDAF:**
  * Presented an update on the Mastic protocol, an alternative to Poplar1 for the heavy-hitters problem.
  * Outlined the use cases for Mastic, including weighted heavy hitters and grouped metrics.
  * Discussed progress on the security analysis and on the implementation in Rust.
  * Considered replacing Poplar1 with Mastic in the base VDAF draft.
* **Private Inexpensive Norm Enforcement (PINE) for Federated Machine Learning:**
  * Introduced PINE, a new VDAF (Verifiable Distributed Aggregation Function) designed to support federated machine learning use cases.
  * Addressed the challenge of preventing wraparound when computing squared L2 norms with field arithmetic.
  * Compared PINE with Prio3 in terms of communication cost and performance.
* **Asynchronous Remote Key Generation:**
  * Introduced a draft on asynchronous remote key generation, a technique for generating non-correlatable public keys.
  * Explained the applications of this technique in verifiable credentials and remote secure elements.
  * Requested reviews and feedback on the draft.
* **Hybrid PQ KEMs:**
  * Addressed the lack of a clear consensus on how to combine PQ and classical public key cryptography safely.
  * Discussed issues related to the difficulty of certifying PQ algorithms.
  * Debated approaches for specifying combiners and for providing general advice to protocol developers.
* **Analysis of RA-TLS:**
  * Presented a formal analysis of the combination of remote attestation with TLS, focusing on the validation part of the model.
  * Identified potential issues related to handshake secret and master secret generation in TLS implementations.
  * Solicited feedback and insights on the observed inconsistencies.

## Decisions and Action Items

* **Hedged ECDSA/EdDSA Signatures:** Include test vectors in the next version. Investigate the need for proofs for the construction.
* **Hybrid PQ KEMs:** A design team will be formed to compile requirements for hybrid PQ KEMs and for combining them with classical public key cryptography safely.
* **Mastic for VDAF:** Post questions and discussion to the mailing list regarding whether or not to immediately replace Poplar1 with Mastic.

## Next Steps

* Continue discussions on the mailing list regarding the replacement of Poplar1 with Mastic.
* Form a design team for hybrid PQ KEMs and develop a reasonable set of requirements.
* Continue working on aligning the reference implementation with the security analysis for the Mastic protocol.
* Gather feedback from implementers on the PINE protocol for federated machine learning.
* Continue reviewing and providing feedback on the Asynchronous Remote Key Generation draft.
* Continue the analysis of existing TLS implementations to ensure that no security issues or spec-compliance issues will impact remote attestation.