Session Date/Time: 17 Mar 2026 03:30
CFRG
Summary
The Crypto Forum Research Group (CFRG) met at IETF 125 to discuss the status of active research group documents, the proposed path forward for Post-Quantum (PQ) Key Encapsulation Mechanisms (KEMs), updates on zero-knowledge proof specifications, the impact of AI features on end-to-end encryption (E2EE), and a proposed "Two-Lane Model" for standardizing cryptography within the IETF. Key outcomes included a call for security evaluation documents for PQ KEMs and an announcement regarding the upcoming rotation of the Crypto Review Panel.
Key Discussion Points
Research Group Status
- Recent RFCs & Queue: No new RFCs since November. draft-irtf-cfrg-cpace and RSA guidance are in IRSG review; AEGIS (draft-irtf-cfrg-aead-aegis-256) is in the RFC Editor queue.
- Last Calls: Research Group Last Call (RGLC) is active for draft-irtf-cfrg-aead-limits (AD limits) and draft-irtf-cfrg-hpke-dnhpke. Chairs emphasized the importance of finishing the AD limits document to address generic AEAD questions before adopting new AEAD work.
- Active Work: There are 13 active drafts. Notably, draft-irtf-cfrg-pairing-friendly-curves has been reactivated. Richard Barnes noted that new versions of the hybrid KEM documents include updated security proofs and requested further review.
- Crypto Review Panel: A rotation of the nine-member panel is scheduled for April. A call for nominations (including self-nominations) will be issued then.
Post-Quantum KEMs
- Presentation: PQ KEMs (Nick Sullivan)
- Proposed Strategy: Rather than specifying multiple PQ KEMs, the chairs proposed adopting a group of "Security Considerations" documents. This follows a suggestion from IETF 123.
- Criteria: Documents must provide comprehensive security evaluations (similar to the individual draft by Scott Fluhrer regarding ML-KEM). Only KEMs that have undergone extensive public cryptanalysis will be considered.
- Discussion:
- Eric Rescorla asked how IETF Working Groups (like TLS) should interpret these documents (e.g., as an endorsement or just a list of risks).
- Deirdre Connolly suggested that picking a document for work acts as a de facto signal of importance.
- Russ Housley (LAMPS Chair) expressed concern that IETF WGs need "approved" algorithms to meet charter requirements, and "security considerations" might not satisfy that need.
- Scott Fluhrer clarified that his draft focused on how to use ML-KEM without "shooting yourself in the foot" rather than proving its underlying hardness.
Sigma Protocols and Fiat-Shamir
- Presentation: Sigma Protocols and Fiat-Shamir (Michele Orrù)
- Status: Work continues on draft-irtf-cfrg-sigma-protocols and draft-irtf-cfrg-fiat-shamir-zkp.
- Updates: Added test vectors, cipher suites, and initiated formal verification efforts. These components are being used in privacy-preserving technologies like BBS signatures and anonymous credentials.
- Goal: Converge on a single specification for these components to be reused across different IETF applications (e.g., rate limiting, pseudonym authentication).
E2EE and AI
- Presentation: How to Think about E2EE and AI (Mallory Knodel)
- Research: Analyzed AI features (like summarization) in E2EE apps (WhatsApp, Apple Intelligence).
- Key Findings:
- Training shared AI models on E2EE content is incompatible with E2EE.
- Trusted Execution Environments (TEEs) in the cloud protect the compute, but do not provide the same confidentiality guarantees as E2EE, which protects the communication between endpoints.
- Recommendation: Focus on on-device processing or use of Fully Homomorphic Encryption (FHE) for processing without decryption, though FHE remains computationally expensive.
Two-Lane Model for Crypto Standardization
- Presentation: Two-Lane Model (Nick Sullivan)
- Proposal: A BCP-style document (draft-sullivan-cfrg-two-lane-model) to clarify the relationship between CFRG and IETF Working Groups.
- The Model:
- Cryptographic Foundation (CFRG/Research Layer): Mechanism specification, security considerations, and test vectors. No IANA registries or wire formats.
- Standards Layer (IETF Working Group): Wire formats, code points, IANA registries, and protocol profiles.
- Goal: Prevent "bikeshedding" and fragmentation where different WGs implement slightly different versions of the same primitive.
- Examples: Privacy Pass (VOPRF in CFRG, protocol in WG) and HPKE (primitive in CFRG, now moving toward a dedicated WG for profiling).
Decisions and Action Items
- PQ KEM Window: Proponents of specific PQ KEMs (NTRU, Classic McEliece, FrodoKEM, etc.) have six weeks to submit security consideration/evaluation drafts to the CFRG for consideration.
- Crypto Review Panel: Call for nominations to be sent to the mailing list in April.
Next Steps
- Two-Lane Model: The discussion on the "Two-Lane Model" was truncated due to time and will be the first item on the agenda for the Thursday session (10 minutes allocated).
- AD Limits: Participants are urged to review and comment on draft-irtf-cfrg-aead-limits to allow the chairs to conclude the RGLC.
Session Date/Time: 19 Mar 2026 01:00
CFRG
Summary
The Crypto Forum Research Group (CFRG) met at IETF 125 to discuss a broad range of cryptographic primitives and their applications within IETF protocols. Key themes included the ongoing migration to post-quantum (PQ) cryptography, specifically focusing on compact alternatives to ML-KEM, hybrid signature constructions, and security considerations for ML-DSA. The session also explored advanced topics such as Zero-Knowledge (ZK) proofs for identity, Fully Homomorphic Encryption (FHE), and remote key generation algorithms.
Key Discussion Points
Two-lane model
- Presenter: Nick Sullivan
- Discussion: Nick Sullivan presented a proposed Best Current Practice (BCP) for how the IETF and CFRG should handle the standardization of cryptographic primitives. The "two-lane" model suggests that for primitives needed by three or more working groups (e.g., ML-KEM for TLS, MLS, and JOSE), a dedicated working group should be formed to handle code points and parameterization, while CFRG provides the underlying security analysis.
- Q&A: Eric Rescorla (ekr) sought clarification on how this model distinguishes between assessing a primitive's internal security and providing guidance on its protocol-level "shape." Nick Sullivan noted that for non-standardized primitives (like NTRU), the Crypto Review Panel would play a larger role in assessing safety before protocol adoption.
Longfellow ZK
- Presenter: Abhi Shelat
- Discussion: This work addresses the need for ZK proofs in identity systems (e.g., proving age > 18) without leaking metadata or using "super-cookies" common in SD-JWT or mDL. Longfellow is post-quantum secure, relying only on SHA-256. Recent benchmarks show it can prove possession of an ML-DSA-44 signature in ~850ms on mobile devices.
- Q&A: Bas Westerbaan inquired about comparisons to VOLE-in-the-head; Abhi Shelat argued Longfellow scales better for larger circuits due to sumcheck techniques. Eric Rescorla noted that sub-second performance is sufficient for most age-verification use cases and asked about supporting complex predicates.
NTRU based Public Key Encryption
- Presenter: Yizhen
- Discussion: The presenters introduced "Dawn," a compact NTRU-based PKE. They argued that while ML-KEM is the current standard, its size (>1000 bytes) can cause IP fragmentation in protocols like IKEv2. Dawn offers a ~30% reduction in size compared to ML-KEM-768/1024.
- Q&A: Bas Westerbaan and John Mattsson emphasized that while the performance is promising, the scheme needs more "bake time" and analysis before deployment. Nick Sullivan asked if the authors would contribute a security considerations draft for this family of KEMs.
Recent Advances in Fully Homomorphic Encryption
- Presenter: Senhui
- Discussion: An overview of FHE progress, noting that bootstrapping is now orders of magnitude faster than in 2009. Current work focuses on "transciphering" (converting symmetric ciphertext to FHE ciphertext) to reduce communication overhead.
- Q&A: Stanislav Smyshlyaev (Chair) requested the authors bring specific use cases to the mailing list to determine if there is sufficient IETF/IRTF demand to justify a dedicated research effort.
Low-latency PQ authentication
- Presenter: Xingshu
- Discussion: "Luma" targets cloud/data center environments where low latency is critical. It uses an online-offline signature paradigm (combining Dilithium with WOTS+) to move heavy PQ computations off the critical path.
- Q&A: Andre Popov (Microsoft) questioned why this is preferred over externally provisioned Pre-Shared Keys (PSK) in TLS. Xingshu clarified that Luma is intended for full handshakes between peers that may not have pre-existing shared secrets but have access to a key distribution service.
HMAC Based Key Combiners for Multiple Keys
- Presenter: Guilin Wang
- Discussion: Presentation of HKCV1 and HKCV2 for combining multiple keys (e.g., in hybrid PQ/Classical key exchanges). The authors presented performance data comparing their HMAC-based approach to NIST and ETSI standards.
- Q&A: Deirdre Connolly requested that the authors provide publicly available proofs (e.g., on ePrint) and clarify the specific security properties (e.g., IND-CCA) they aim to achieve. Scott Fluhrer suggested considering SHAKE/XOFs over HMAC to avoid counter-based constructions.
Hybrid Digital Signatures with Strong Unforgeability (Presented as Hybrid Signatures)
- Presenter: Lucas Prebell
- Discussion: Discussion of draft-prebell-cfrg-hybrid-signatures, focusing on achieving Strong Unforgeability (SUF-CMA). The draft proposes a black-box construction (signing the message concatenated with the first signature) and a non-black-box Fiat-Shamir construction.
- Q&A: Scott Fluhrer expressed a strong preference for black-box constructions to avoid the risks of modifying internal PQ algorithm logic.
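The black-box construction just described, as an added Python illustration that is not code from the draft or the presentation: a constructed malleable scheme (a Lamport one-time signature with a trailing byte the verifier ignores) is paired with a second Lamport instance, first by plain concatenation and then by signing the message together with the first signature. The stand-in schemes and the msg || sig_a encoding are assumptions, not the draft's exact definitions.

```python
import hashlib
import os

def _h(b):
    return hashlib.sha256(b).digest()

# Lamport one-time signature over SHA-256: stands in for any EUF-CMA scheme.
def lamport_keygen():
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(256)]
    return sk, [[_h(s0), _h(s1)] for s0, s1 in sk]
def lamport_sign(sk, msg):
    d = _h(msg)
    return b"".join(sk[i][(d[i // 8] >> (7 - i % 8)) & 1] for i in range(256))
def lamport_verify(pk, msg, sig):
    d = _h(msg)
    return len(sig) == 8192 and all(
        _h(sig[32 * i:32 * i + 32]) == pk[i][(d[i // 8] >> (7 - i % 8)) & 1] for i in range(256))

# Constructed toy scheme that is EUF-CMA but not SUF-CMA: the signer appends a
# tag byte that the verifier ignores, so every signature is malleable.
def malleable_sign(sk, msg):
    return lamport_sign(sk, msg) + b"\x00"
def malleable_verify(pk, msg, sig):
    return len(sig) == 8193 and lamport_verify(pk, msg, sig[:8192])

# Naive hybrid: both schemes sign the message independently.
def naive_sign(sk_a, sk_b, msg):
    return malleable_sign(sk_a, msg), lamport_sign(sk_b, msg)
def naive_verify(pk_a, pk_b, msg, sig):
    return malleable_verify(pk_a, msg, sig[0]) and lamport_verify(pk_b, msg, sig[1])

# Black-box SUF construction: the second signature covers msg || sig_a, so any
# change to sig_a invalidates sig_b (the exact encoding is an assumption here).
def nested_sign(sk_a, sk_b, msg):
    sig_a = malleable_sign(sk_a, msg)
    return sig_a, lamport_sign(sk_b, msg + sig_a)
def nested_verify(pk_a, pk_b, msg, sig):
    return malleable_verify(pk_a, msg, sig[0]) and lamport_verify(pk_b, msg + sig[0], sig[1])

def demo(msg=b"constructed sample message"):
    out = []   # ((naive honest, naive mauled), (nested honest, nested mauled))
    for sign, verify in ((naive_sign, naive_verify), (nested_sign, nested_verify)):
        sk_a, pk_a = lamport_keygen()   # fresh one-time keys per construction
        sk_b, pk_b = lamport_keygen()
        sig_a, sig_b = sign(sk_a, sk_b, msg)
        mauled = (sig_a[:-1] + b"\x01", sig_b)   # change only the ignored tag byte
        out.append((verify(pk_a, pk_b, msg, (sig_a, sig_b)), verify(pk_a, pk_b, msg, mauled)))
    return tuple(out)   # ((True, True), (True, False))
```

demo() shows the naive hybrid accepting a second, distinct signature pair on the same message (the SUF-CMA failure), while the nested construction rejects it because sig_b binds sig_a.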
The Asynchronous Remote Key Generation (ARKG) algorithm
- Presenter: Emil Lundberg
- Discussion: Presentation of draft-lundberg-cfrg-arkg. ARKG allows a client to derive an unlimited number of public keys from a single "seed" without further interaction with a hardware security module (HSM), while the HSM can still derive the corresponding private keys. Use cases include EUDI wallets and batch-issued single-use keys.
Relay Attacks
- Presenter: Usama
- Discussion: Analysis of remote attestation within TLS. The presenter argued that "intra-handshake" attestation is vulnerable to relay attacks and proposed using post-handshake attestation (bound to TLS exporters via RFC 9261) to ensure the evidence is tied to a fully authenticated connection.
- Q&A: Usama requested guidance on whether symbolic analysis (ProVerif) is sufficient or if the group recommends computational proofs (CryptoVerif).
Decisions and Action Items
- ML-DSA Security Considerations: Deirdre Connolly announced the publication of draft-connolly-cfrg-mldsa-security-considerations.
- Crypto Review Panel: Stanislav Smyshlyaev announced a call for nominations for the Crypto Review Panel rotation starting in approximately one month.
Next Steps
- FHE Discussion: Authors to post specific IETF-relevant use cases for FHE to the mailing list to gauge interest.
- NTRU/Dawn: Authors to consider writing a security considerations draft for NTRU-based KEMs as part of the broader PQ KEM analysis effort in CFRG.
- ARKG: The chairs noted the author's interest in working group adoption; discussion to continue on the mailing list.
- Key Combiners: Authors of the HMAC combiner draft to provide formal proof links and address security property clarifications on the list.
Related Documents
draft-connolly-cfrg-mldsa-security-considerations, draft-irtf-cfrg-aead-aegis-256, draft-irtf-cfrg-aead-limits, draft-irtf-cfrg-cpace, draft-irtf-cfrg-fiat-shamir-zkp, draft-irtf-cfrg-hpke-dnhpke, draft-irtf-cfrg-pairing-friendly-curves, draft-irtf-cfrg-sigma-protocols, draft-lundberg-cfrg-arkg, draft-prebell-cfrg-hybrid-signatures, draft-sullivan-cfrg-two-lane-model