**Session Date/Time:** 24 Jul 2025 15:00

# CFRG Meeting Minutes - IETF 123

## Summary

The CFRG meeting at IETF 123 featured discussions on hybrid key encapsulation mechanisms (KEMs), post-quantum KEMs including NTRU and Classic McEliece, updates on blind signatures, zero-knowledge proofs for small identity theorems, Sigma Protocols, AEAD algorithms, and post-quantum password authenticated key exchange (PAKE). A key focus was on defining the problems that CFRG should address, balancing security and performance, and determining the appropriate venue for standardization work.

## Key Discussion Points

* **Hybrid KEMs:**
    * Discussion centered on the trade-offs between different combiner constructions (GHP, PRE, QSF).
    * A question was raised whether to proceed with three different combiners or consolidate.
    * Deterministic key generation and hash function selection (SHA2 vs. SHA3) were debated in the context of the LAMPS draft.
    * It was suggested that an interim meeting would be beneficial to refine this draft.
* **Post-Quantum KEMs (NTRU and Classic McEliece):**
    * Debate around problem definition - what problem(s) would be solved by standardizing more PQ KEMs in CFRG beyond NIST selections?
    * Is CFRG the correct venue to pursue this work, or should it be done in a different group, possibly even at the IETF instead of the IRTF?
    * Need for a requirements document to guide the selection of PQ KEMs.
    * Discussion of whether engineers have the tools to choose KEMs for their specific needs.
    * Security and performance comparisons between NTRU, McEliece, and other KEMs.
    * Concerns about the mathematical assumptions and their implications if one is broken.
* **Blind Signatures:**
    * Updates on the core scheme and pseudonym functionalities.
    * Concern about compromised privacy due to the potential for discrete logarithm computation.
    * A polynomial approach was suggested to mitigate this issue by introducing multiple pseudonyms, but that introduced a proof size increase.
* **Zero-Knowledge Proofs for Small Identity Theorems:**
    * Need to research and develop post-quantum zero-knowledge schemes suitable for applications like digital identity wallets and age verification.
    * Discussion on the level of abstraction needed to create usable tools.
* **Sigma Protocols:**
    * Update on progress since last meeting, including call for adoption.
    * Clarification regarding the scope and relationship between the Sigma Protocol and Fiat-Shamir transform specifications.
    * Debate over which curves should be supported.
    * A push to limit the complexity and scope to encourage interoperability, while still allowing for extensions.
* **AEAD Algorithms (Rocca-S and ChaCha20-Poly1305):**
    * Presentation of new parallel modes for Rocca-S for performance improvement.
    * Proposal to update ChaCha20-Poly1305 for enhanced security and performance using Poly 1.1, to include other properties defined in RFC 9771.
* **Post-Quantum PAKEs:**
    * Presentation of a hybrid post-quantum password authenticated key exchange (PAKE) protocol named Spacequake.
    * Interest in the protocol was considered, along with whether it should be handled in CFRG or a separate IETF working group.

## Decisions and Action Items

* **Virtual Interim Meeting:** The Chairs will take to the list the suggestion to have a virtual interim meeting in September to move the Hybrid KEM draft along.
* **Meta-Analysis Draft:** There was not anyone at the meeting, but the Chairs are open to the list suggesting someone who will perform a meta-analysis comparing the security reductions and proofs of different candidate KEMs.

## Next Steps

* Authors of hybrid KEM drafts to address feedback from the list and meeting, and aim for a new draft version within a month.
* The list to determine the next steps for the post-quantum KEM suggestions.
* Authors to refine the draft for Sigma Protocols following the feedback.
* Take feedback from the discussion to the list to determine interest in a work item for post-quantum PAKEs.