From YouTube: IETF115-CFRG-20221107-0930
Description
CFRG meeting session at IETF115
2022/11/07 0930
https://datatracker.ietf.org/meeting/115/proceedings/
A: Good morning, this is the CFRG session today. I'm the only chair, so I'm being slightly disorganized and my slides haven't uploaded into the online deck. So I'm just trying to figure it out; just give me two minutes and then we'll get started.

A: All right, good morning again. Welcome to London and to the CFRG session. I'm one of your three co-chairs, the only one present in London this time.

A: Okay, so we have minutes being taken in the notes, on the notes page.

A: If this is your first IETF, then please make sure that you know the Note Well.

A: And just a reminder, this is our IRTF session, where we conduct research; we don't really do standards. Sometimes they get... CFRG is a bit unusual because they get used by the IETF quite a bit, but CFRG can do some more experimental stuff and work on documents that are not necessarily applicable to the IETF right away.

A: So this is our agenda. You can see it's quite light, so we asked for two hours, but we have about one hour. Any agenda bashing?

A: CFRG hash-to-curve is now in the RFC Editor's queue. The VRF document is now pending IRSG review. We are not waiting for the IRTF chair for anything. At the moment we have several documents in research group last call: we have ristretto. The second last call is because the first one in June had no feedback.

A: And as it happened, this is an older version of my slides, so we actually have a couple more documents in last call.

A: RSA blind signatures is also in last call, and the OPRF research group last call was called.

A: We have several documents recently adopted after the last IETF meeting, so we have three documents: deterministic signatures with noise had this somewhat interesting history, so we had to do a second last call to ask about third-party IPR, but this is finally adopted, and we have also, I guess, the family authenticated encryption algorithm and BBS signatures.

A: All right, with this I think we can start the various presentations.
G: Cool, so this is just a bit of an update and a recap. BBS signatures was presented at IETF 114. It is a multi-message digital signature supporting zero-knowledge proofs: proof of knowledge of the signature and selective disclosure of the signed message set. Just checking that you can hear me all right.

G: Sorry Alexey, are you able to hear me? Okay.

G: Okay, thanks. So a bit of a recap on some of the cool properties in a little bit more detail. The signer can sign a set of multiple messages and a header, producing a fixed or constant-sized output signature. A prover in possession of a signature and the set of messages and header signed can then generate a randomized proof over them, and the verifier...

G: No other information is really revealed, so the proofs are said to be unlinkable because the signature, which is fixed as issued, is unrevealed. Next slide, please.

G: This is just a quick recap on some of the performance metrics that we shared at the last IETF 114 meeting: the benchmarks of the various operations, running on a spec MacBook Pro, are revealed there, with a 50% disclosure rate of the messages in the generated proofs. Next slide, please. So just a bit of a status update since IETF 114: the draft's been adopted, so we're now formally adopted as a work item.

G: There have been multiple reference implementations of the specification since then; I think we have three or four interoperable implementations with the current published draft, and there's also some new academic work going on looking at the security properties and potentially offering some efficiencies that we're keeping an eye on. Next slide, please. The cipher suites were updated. Last time, when we presented the work originally at IETF 114, we had the concept of cipher suites in the spec, but we only had one cipher suite defined.

G: However, through working group meetings subsequently, we've decided to implement a second cipher suite that uses an alternative digest algorithm, still based on the BLS12-381 curve. So we now have two cipher suites, one using SHAKE-256 and the other using SHA-256. Next slide.

G: Yeah, so as I just spoke ahead of the slide there, the reason for doing so is because of the predominance of the hash-to-curve implementations, specifically over the BLS12-381 curve.

G: A status update as well on the signature test vectors: we have updated these in the specification to promote interoperable implementations.

G: Next slide. The reason for that is we're still sort of reviewing some proposals around the proof fixtures, because the proofs by nature are randomized, which can be a challenge for interoperability testing, having to seed the RNG and the like, so we're still considering different strategies that might improve this.

G: And lastly, one of the issues we've been considering quite closely is how we use the expand message function and hashtagiv, which is for us at the moment creating an upper limit on the number of messages that we're able to sign; we're currently limited to 13 165 messages. But we have a couple of different solutions that we are working through that have different trade-offs associated with them, and just to go out and thank Riad, who offered some advice on possible solutions to this problem.

G: So the next steps from here: we can continue to work with some of the new academic work that we see emerging around the scheme and use that to take advantage of any further performance or security improvements, add in the proof test vectors, apply some suggested updates that are pending from implementers of the scheme, and further refine some of the editorial notes in the scheme and requests by the reviewers. And that's it.
B: Just commenting on the JWP BoF that was done over in JOSE, because I found this draft really critical to understanding the general shape of BBS, because despite the use of "signature" in the name, it really is quite a different primitive than your generic signature primitive, especially when it comes to how it gets used in practice.

B: So I think this is a really handy draft to have around; I look forward to the future work on this. Just one quick question for you, to be honest. You mentioned other curves and other kinds of suites to go with this. Can you comment on post-quantum security and whether there are post-quantum options for this protocol?

G: Yeah, so thanks Richard. So the construction, the cipher suite abstraction layer, requires two kinds of key properties as inputs. One is a digest algorithm and another is an appropriate curve.

G: The curves themselves have to be what is said to be pairing-friendly in nature, to a specific type of pairing as well. So, given that many post-quantum primitives, even those based on elliptic curves, map conceptually to the concept of pairings quite differently, we continue to sort of look generally around the kind of equivalents and properties, but personally I haven't encountered an equivalent yet. Okay.

I: Yeah, Michael Prorock here. Thanks to Tobias for this work; this is excellent, following it closely, though probably not commenting as much as I should or would like to. Just a question on leanings around the expansion problem. I understand with option one you're calling out some additional complexity. However, is my read correct that that gives us more or less an unbounded space if we need to sign an indefinite number of messages for some reason?

G: What we're proposing is 2 to the 48, effectively, as the number of messages, so still finite, but, you know, effectively unbounded for most implementations. Yeah, okay, a reasonable upper bound.

I: Cool. Have you looked at all at, I know, like Lyubashevsky and some of the other stuff going on around lattices and zero-knowledge selective disclosure type properties? Have you evaluated any of that stuff at all? I know the question came up on post-quantum.

I: Obviously, there are some interesting developments that are obviously still way too early for any practical implementations yet, but is that the kind of thing you possibly see as a comparative type of approach, as opposed to a pairing approach, but which would have similar structures as far as schemes, and providing a mechanism for multiple keys and multiple parties, the way we see with BBS?

G: Yeah, certainly an active area of interest. We haven't formally looked at the work, but I'm very keen to sort of follow along with the developments and look for equivalent properties as those new primitives and approaches emerge.
A: All right, so next in is Andrey Bozhko, who is going to talk about classification of AEAD properties.

C: Good morning, everyone. My name is Andrey Bozhko and today I'm going to talk about drafting properties of AEAD algorithms. Next slide, please. Okay. It has always been a hot topic for discussion in the CFRG, and the motivation for most of this discussion is the fact that we want to have some algorithm or algorithms standardized for use.

C: However, it was noticed in one of the most detailed discussions on the topic, some citations from which you can see on the slide, that it isn't exactly clear by which criteria to choose, because there are a lot of properties and use cases, and some of these properties may contradict each other. So there is a problem: in fact, with the field getting really enhanced, it seems like the level of understanding and structure is decreasing.

C: Being motivated by this discussion, I decided to contribute to the problem a little by approaching properties of AEAD algorithms. Next slide, please. And actually, apparently, there are a lot of them; on the slide you can see a fraction of these properties, and the problem we have is that different researchers may use different language, different terms, different ways of defining these properties, and may even use different names for the same property.

C: Surely this leads to a lot of misunderstanding between everyone: between protocol designers, between algorithm designers, between implementers. So it seems like we need more structure. Next slide, please. The main idea is to collect all well-known properties into something like an AEAD property vocabulary, where for each property there would be a definition, synonyms, some examples, some argumentative examples, a few reading notes and, well, one of the most important, functional applications, or how that property can contribute to higher-level protocols and applications.

C: However, it was noticed in the discussion with Chris Wood that such a vocabulary won't actually be useful for one of the groups, protocol designers, so the question is how to make it useful for them. Next slide, please. And the current idea is to provide something like a reverse mapping from functional applications, functional requirements, to the properties which are implied by them. For example, if a protocol designer knows that his protocol is to be used on virtual machines,

C: the randomness can be repeated, so he opens the draft, looks for that application and understands he needs nonce-misuse resistance, just like, for example... Next slide, please. Yes.

C: At the moment, in version 01, I have collected something like around 20 properties, for each of which I have given the first version of high-level definitions, some synonyms, a few readings. The first version is like a proof of concept, like a starting point for the discussion of the problem. Next slide. And the next question is how I'm going to address new ideas and issues which emerged in the discussion with Christopher Wood. The first of them is to solve the issue with interfaces of AEAD.

C: It is a really interesting issue, because some properties imply non-standard interfaces, and it is not really easy to tackle. The next one is to improve the classification, because I feel like at this moment it isn't really good, and the most important points are to add first functional applications and add new properties. Next slide, please.

C: Finally, I have several questions, like a call for help, for the CFRG. First of all, do we need such a document? Well, do you find it to be helpful? Who would contribute to it? And secondly, I would really like to hear if you find some properties which are necessary to be covered, and applications. I would be really glad to hear from you on the matter. Well, that's all. I will also be very happy to answer your questions.

C: Yes, it is a really huge issue. I don't have an approach for all of it. However, I think it is why we need to discuss these properties. This is why we have to understand for which properties it is the issue, and discuss which definition we find more useful, more easy to understand, and more applicable for high-level protocols.
A: Sorry, just a quick reminder: even if you're local, attending physically, please try to join the queue through the app, so that I can manage the queue. Paul.

H: Yeah, Paul Wouters. So with my security AD hat on, I would want to answer your first question, which is yes, I would definitely like to see this document. Thank you. All right.

A: All right, I think at this point we're not asking about adoption. This is very early on. This is more for people to be aware that there is a draft, and to have a read, comment, contribute, and then we'll discuss, probably, you know, at the following CFRG. Yes, sure.

K: One small comment: send a message to the list to bring some attention to the draft, and then, after some possible discussion on the list, it may be possible to ask us, the chairs, for an adoption call, after some preliminary discussion takes place.
F: Thank you very much. My name is... should I speak up a bit? Is it working? Is it? I think so. Okay, okay, thank you. So, I'd like to present the encryption algorithm called Rocca-S; its draft is available as shown on this slide. So could you go to the next slide, please.

F: So the background is that internet speed is increasing and some new services have been considered, such as holography or digital twin, and some of these new services require a much higher data rate; for example, 100 Gbps is required. In order to realize these services very securely, a high-security encryption algorithm with very high-speed performance is required, and Rocca-S is the new encryption algorithm that satisfies these two requirements: it can provide 256-bit security and achieve more than 200 Gbps performance. Next slide, please.

F: So the design of Rocca-S is based on the sponge construction; it takes a 256-bit key and generates a 256-bit tag for message authentication, and it supports three modes: one is authenticated encryption with associated data (AEAD), then encryption-only mode, and keystream generation mode. For the security, we claim 256-bit security against key recovery and forgery attacks in the nonce-respecting setting. And for the performance,

F: the performance is one of the biggest advantages of Rocca-S, and as far as we know it is the fastest algorithm that exceeds 200 Gbps in a software environment. In encryption-only mode it can achieve 230 Gbps, or 0.1-something cycles per byte, and in AEAD mode it can achieve 205 Gbps, like this.

F: This is the AES round function. It can be performed very well on modern CPUs thanks to AES-NI or similar instruction sets that are available on many modern CPUs. Next slide, please.

F: And with that round function, Rocca-S has four phases: initialization, processing associated data, encryption, and finalization. In the initialization phase, the internal state will be initialized with the key, nonce and constants, and the round function is applied 16 times; after the 16 rounds of initialization, the key will be fed forward into the internal state again. Then, if there is any associated data, the associated data will be processed, and then the message will be encrypted in the encryption phase. After the encryption phase, the key is again fed forward into the internal state and 16 rounds of the round function are applied to generate a tag for message

F: authentication. Next slide, please. So Rocca-S supports three modes. The first one is AEAD, and in AEAD mode the encryption and message authentication can be provided at the same time for the plaintext and associated data. The second mode is encryption-only mode, and in encryption-only mode messages are input into the internal state of the algorithm, so the decryption will fail

F: if there is any error in the ciphertext. The last mode is keystream generation mode, and unlike encryption-only mode there will be no message input into the internal state, so even if there is an error in the ciphertext, the plaintext can be recovered, except of course for those bits with errors. Next slide, please. So for the security, we claim 256-bit security against key recovery attacks and forgery attacks in the nonce-respecting setting, and the bottom half shows a brief summary of the security evaluation.

F: The first one is the lower bound on the number of active S-boxes in the initialization phase. In order to provide 256-bit security we need at least 43 active S-boxes, and as this table shows, after five rounds the number of active S-boxes exceeds 43, and actually 68

F: is the number of active S-boxes, so there are enough active S-boxes to offer 256-bit security, and also there are 16 rounds in total, so there is pretty much security margin against key recovery attacks.

F: The second one is the security evaluation against forgery, and also we need at least 43 active S-boxes; we confirmed that we have 46 active S-boxes for forgery attacks as well, so 256-bit security can be provided. Next slide, please.

F: So this is the result of the performance evaluation in AEAD mode. We used the OpenSSL speed command to evaluate the speed on the Intel Core i9-9900K and compared the performance with AES, and the graph shows the throughput when we change the message size from 16 kilobytes to 1024 bytes. When the message size is 16 kilobytes, Rocca-S performed at 205 gigabits, while AES is around 60, so more than three times faster than AES in GCM mode.

F: Okay, all right, next slide, please. So this is the conclusion. We presented the encryption algorithm Rocca-S.

F: It can provide 256-bit security against key recovery and forgery attacks and can perform very well on a PC, exceeding 200 Gbps, and supports three modes: AEAD, encryption-only and keystream generation. We do not claim any intellectual property rights and there are no restrictions on use, and we hope that this algorithm can be adopted in many environments. Also we are planning to provide the implementation of the algorithm for OpenSSL and on GitHub. And yes, that's all. Thank you very much.
A: Thank you very much. Any questions?

D: Thank you very much for the nice presentation. Was the test on a single core? Could they use multiple cores on the Intel processor?

F: Sorry, I cannot hear you very well. Did you say, did I use multi-core in the evaluation?

F: So I used the OpenSSL speed command, and 16 bytes of data is encrypted for three seconds, and it calculates how many bytes are encrypted in the three seconds; dividing by three, we get how many gigabits are processed during one second.

F: I think the analysis of Rocca-S at some level can be applied to the analysis of AES, because we share the same round function. So if an analysis against Rocca-S uses the analysis of the AES round function, then it affects the analysis of AES as well. All right. Thank you. Thank you, all right.
E: Do you want me to drive slides as well? Yeah.

M: Yes, thank you. These are a few brief comments based on a new draft we have; we're implementing, showing how to implement NTRU now. The obvious question is why: we already have a post-quantum key exchange. Why do we need a second one?

M: The reason is that Kyber has some plausible patent claims, and while NIST is actually working with the patent holders, they have not yet disclosed the agreements, and so we do not know if they will be acceptable to everybody, and this draft is here just in case.

M: There are some people, like the Free Software Foundation or maybe Cisco, which can't... Next slide. And why NTRU, as opposed to, like, BIKE or HQC? Well, NTRU is believed to be as secure as Kyber; NIST actually lists NTRU as a backup plan just in case it cannot get the agreements in time. And it performs fairly well; it's not quite as good as Kyber in terms of key generation, but still it's not that bad, and since it has CCA security,

M: if you had to, you could actually use a single key generation for multiple key exchanges. So it's tolerable, and also the best thing is it's known to be patent-free because all the NTRU patents have expired, and of the post-quantum algorithms only NTRU and McEliece have that property, and McEliece is not usable. Okay. Okay!

M: NIST is not going to come up with some nice standard definition of it, and it's certainly not going to produce test vectors. So we're going to have to do all that work. We're also following the NTRU round three submission, because that's the latest and that's probably going to be the last one. The other goal is to explain things in a way which is accessible to engineers. The round three submission has this nice description, but it's targeted towards mathematicians and cryptographers.

M: Now, one last slide: the questions I have for the research group. Do you agree with this general approach? Until we see the licensing agreements, it's just saying the Kyber solution is not enough now. My hope is that those agreements will be perfectly acceptable to everybody, and this draft can just die, but you can't depend on that too much. So, do people have any questions about any issues with what's in the draft? Do they find things which are missing? Obviously, we need test vectors.
N: I'm Quynh Dang at NIST. I don't have a comment, but I have something to share: our agreements with the two patent holders have been signed and we are in the process of getting approval to release the details to the public, and we strongly expect it to happen this month. I'm not allowed to talk about the details right now, but from what I have known, it looks pretty good.

M: Yeah, until we see the agreements and put them in front of lawyers, I see this work as still necessary.

I: Yeah, Scott, thanks for suggesting this at 114 and then, you know, following through obviously pretty rapidly on this, so I really appreciate the work on that. I guess the question I would have is: even if we see something, aside from the patent thing, that may collide... as much as I'm with you, and, you know, despite having put work into it, you just want to see it die. Should we keep it around in the event that we do find a later issue with, you know, other approaches from a KEM standpoint?

M: Yeah, I don't see this as a great amount of crypto diversity from Kyber, because they're both based on ideal lattices, and if we see a problem with the strength of ideal lattices it will more than likely affect both, and so we'd probably need to go to something like BIKE or HQC at that point. It could be that they just found a problem with the Kyber infrastructure without affecting NTRU; I would not bet on that. Okay.

I: Cool, and then just to clarify, possibly a bit: you obviously made the comment around McEliece not being feasible. Do you care to expound on that?

M: A little bit. Oh, it's, yeah, because it's just a huge public key size. Everything else about McEliece is wonderful; it's just that the megabyte key size won't actually fit in the TLS key exchange.
A: Right, so we are at the end of our agenda. Any other business that people would like to bring to CFRG at this time?

A: Okay, going once, going twice. Well, thank you for coming to CFRG and enjoy the rest of your week at IETF.