From YouTube: CFRG Research Group Interim Meeting, 2020-04-22
A: ...your co-chair, so Kenny Paterson stepped down and we have Stanislav, who was promoted from the Crypto Panel. Slide, please. So this is the first virtual session that we have ever done, as far as I remember. This session is being recorded. We have minutes in the pad, and Jabber for general discussions as well as for asking to join the queue, so please send a "q" to Jabber if you want to be added to the document.
A: Right, document status: we have no new RFCs since Singapore, and no documents in the RFC Editor's queue. We have a couple of documents in IRSG review. One is waiting for revision from the authors, the Muslim had many comments raised during IRSG review, and Randomness Improvements just went to the IRSG and is waiting for the initial IRSG review.
A: Now, the Crypto Review Panel. We had established it three years ago. It was running for three years: the initial term was two years, we extended it for one year, and at the end of December we solicited names of volunteers, and so we have, my apologies, approval, which are somebody's. Those names.
A: Thank you. So, the major thing that happened in Singapore: we started the PAKE selection process. Last year we finished phase one before Singapore, and we didn't quite pick one candidate in each category. So we need to do phase two, and Stanislav is going to present about it right away, and I think that's it from the chairs.
B: Also, since there was a lot of desire in the reviews to have both a balanced and an augmented PAKE, we decided that we had... There is a desire to have both a balanced PAKE and an augmented PAKE. So the main intention of the round was to select one of the balanced PAKEs and one of the augmented PAKEs. The timeline is on the slide. It was announced in the mailing list.
B: Those questions, and we asked CFRG if anything else should be added, and then the authors of the candidates prepared the replies. After that we had one month of Crypto Review Panel members doing their reviews, doing the job, and we had great reviews after that. I would say before Vancouver, but before the first of March, we discussed the reviews and then made recommendations, and wanted to select at least zero or one balanced PAKE and one or zero augmented PAKE.
B: So, the results of the stages: we had a lot of great questions, and they could be of one of the possible types that were in the mailing list, and we had these five questions. First of all, clarifications about possible modifications of SPAKE2, and anticipation of the piece? The third question was about IPR issues, specifically on some issues about SPAKE2 to render back, and two more questions for all protocols, about quantum annoyance and about quantum preparedness, as the definitions of these terms were in the mailing list. Stage three.
B: All four reviews were really great, and the involvement of Crypto Review Panel members was really important for the process. All reviews are available at the GitHub; these are the short versions of these reviews. So the recommendations are highlighted in blue for balanced PAKE and in magenta for augmented PAKE. So, for augmented PAKE, all four reviewers recommended OPAQUE, and for balanced PAKE three of four recommended CPace, so with these results the PAKE selection process is now finished.
B: We would like to thank all persons that were involved in the process, all authors of the nominations: the what's led by dedicated for Dan Harkins, will house, Hugo Krawczyk, will invent, can, Steve Thomas. A very great contest, because all eight candidates were realistic. We'd like to thank all the reviewers at stage one, because those independent reviews helped us to understand all particular issues about each protocol regarding a lot of different things, included, skills included before month, etc., and, of course, we'd like to thank all Crypto Review Panel members who were involved in stage four of round two and in round one, so special thanks to all of them. What now? Now, in shade safer, the document on recommendations for PAKEs in IETF protocols. It was decided that we discuss it in Singapore and discussed it beforehand, so we had a lot of desire from the reviewers about what should be involved and what should be included in this document.
B: First of all, detailed description of the PAKE protocols, recommendations for parameters, auxiliary primitives, test vectors and guidelines, because, as we understand, PAKE is one of the kinds of protocols that can be very easily implemented wrongly, so guidelines are really crucial here. For example, if cross cybersecurity is not taken into account, the PAKE can be easily broken. It's very easy to show some.
B: Some other issues are on the slide, and now we had a discussion with, is you can, Alexey, and we have two questions. First of all, do we need one or two documents? So option one is to prepare one document on recommendations for PAKEs in IETF protocols, with both CPace and OPAQUE; option two is to prepare two documents, one for balanced PAKE and one for augmented PAKE.
B: So, baltics, thank you. I agree that such a comment can be useful in both documents. I think that, after some discussion in email and after we understand who will be the editor and who will be the authors, we will try our best to organize the discussion about which issues should be addressed in the documents. Thank you.
B: In my understanding, in my personal opinion, we have selected two protocols and we must prepare the most detailed descriptions of them possible. A lot of people in the mailing list and in most no communications told us that it is critical that in documents that are describing PAKEs, a lot of very specific recommendations for implementations must be made. So, in my opinion, this document should describe both protocols together with recommendations on how to implement them, so it seems.
K: For example, if you want to break ECDLP for any of the popular curves, we need a quantum computer with one and a half thousand qubits and use Shor's algorithm to solve ECDLP in polynomial time. The biggest number of entangled qubits obtained at the moment is around 100, and we have already reached quantum supremacy. An obvious way to solve the problem is to build protocols based on other hard problems which are quantum-safe. One of the solutions is to use isogenies. Next.
K: Isogenies. An isogeny is a special case of homomorphism between elliptic curve groups. If we have two elliptic curves E1 and E2, an isogeny between them is a non-constant algebraic morphism of the following form, where f1, f2, g1, g2 are polynomials in x and y. It also maps the point at infinity to the point at infinity, and the isogeny degree is the maximum degree of the polynomials f1 and f2. If an isogeny from E1 to E2 exists, then an isogeny from E2 to E1 also exists, and both curves are called isogenous.
K: Here is an example of how an isogeny can look. Let's consider two curves over the same finite field, and both curves have the same number of points. One of the possible isogenies for this example has degree 3, as you can see, if we take the maximum degree of the polynomials f1 and f2. Let's pick some random points A and B on E1 and calculate their images; it is easy to see that the isogeny preserves the group law: the image of A plus the image of B is equal to the image of A plus B.
K: Next, please. How to construct an isogeny. An isogeny is a group homomorphism that is defined by its kernel, the group of points that are mapped to the point at infinity. The order of the kernel group is equal to the isogeny degree. So if we have some curve, we can select one of its subgroups of points and calculate an isogeny using Vélu's algorithm, which takes on input the curve and its subgroup and outputs the isogenous curve and formulas for point mapping.
K: The hard problem is to find an isogeny between two curves. The problem is easy to solve, even on a classical computer, if both curves are isomorphic, when they have the same j-invariants; that's why we consider as interesting from a cryptographic point of view only isogenies between different isomorphism classes. Isomorphism classes have different j-invariants.
K: Alice generates here an ephemeral key pair by picking a random number a, and calculates a kernel group generator GA by adding the base point PA and a times QA. After that she calculates the isogeny phi_A with kernel GA from the starting curve E and gets the isogenous curve E/GA, and maps Bob's basis points PB and QB from the starting curve to this curve. Now she sends the ephemeral public key to Bob: him around public key, it's Q, and the transmitted basis points.
K: Receiving the public key of Alice, Bob generates his key pair and sends to Alice his public key. As you can see, he is making similar steps as Alice, but he uses another torsion subgroup, the 3^e3-torsion subgroup. After that, Bob can calculate the shared secret. He calculates the isogeny from the curve EA, just equal place, curator of this curve, using the torsion basis points from the public key and his private key. Next.
K: Again, Alice generates her ephemeral key pair, and in place a 2-by-2 matrix. It depends on the password and the j-invariant of the curve of animals, blame matrix and torsion basis points. Upon receiving Alice's ephemeral key, Bob checks the pairing; if it is not equal to the constant pairing on the left side of the equation, he stops. The protocol is next.
N: And the OPAQUE protocol relies on an oblivious pseudorandom function, an OPRF, which is based on Diffie-Hellman and is not post-quantum secure. Are you aware of constructions that might give a post-quantum construction for such an OPRF? The OPRF function would be the main obstacle for getting OPAQUE post-quantum secure.
E: The proposal here: well, I made a proposal, and then Chelsea Komlo and Ian Goldberg separately made a related proposal on signatures, and when we looked at the two together they were taking essentially the same approach. So the point of this presentation is not to go into the details of the proposals. It is to add work on threshold modes of the existing CFRG elliptic curve algorithms as work items. I've split it up into two: the first one, hallambaker-threshold, sets out the math of how all this works and defines how to do threshold modes for Ed25519, Ed448, and also X25519 and X448. Basically, do everything we're already doing, but be able to split the private keys. Okay. So the question that's come up whenever this has been proposed is: well, we're already doing BLS, why do that old, fuddy-duddy elliptic curve stuff?
E: Isn't pairing going to be better if you want threshold? And the reason that I don't want to do pairing is that, while there are some additional cryptographic capabilities you can get out of pairing, as a protocol designer I'm not interested in those capabilities in the slightest. Sorry, I can get all the capabilities I need from the existing CFRG curves; the code to do that is widely deployed, and in particular, I can do.
E: Ok, so next slide. So how does this work? Well, the reason that you can do threshold stuff in elliptic curves is that if you take two private keys x and y, well, the corresponding key pairs are going to be x.B and y.B, okay. So that means that (x + y).B and x + y is also going to be a key pair, and this has the really fascinating property that I know that a particular public key pair has been generated by adding two private keys.
E: It just works. You can also make use of Shamir's secret sharing, and that allows us to extend the problem so that we can now split a secret into more shares than the threshold, and this is just using the same math that we'd use to split a symmetric key using Shamir secret sharing. The only trick here is that the Shamir secret prime that we use to construct the field is simply the order of the subgroup, and we then use the Lagrange basis to recombine the shares.
E: So we can do that, and if you Hammond's scheme just carries on. Okay, so next slide, which is the last slide. So the point here is that I'm asking the group to accept this as a work item rather than proposing the details of these documents at this point. But what this gives us is threshold decryption.
E: If the system administrator happens to be a traitor and is uploading your documents to the Washington Post or whatever. Another application of this approach is, if you're familiar with Kocher side-channel resistance, it's a really useful technique that we should now be using for doing any elliptic curve cryptography. It was patented, but my understanding of the patent dates is, unless I've missed something, I'm hoping that the original Kocher patents have now expired.
E: Now what you can do is you can split the exponent, so instead of doing the operation once you can split it into two: split the private key each time you use it, do two separate encryptions and then combine the result, and that means that you're not doing that repeated operation that gives a side channel.
E: You can use it for code signing. I think that for threshold signatures the killer app there, in my view, would be code signing, and in particular, when I was involved in the CA industry, one of the big problems that kept coming up would be: how can open source projects sign their code and get a code signing certificate? And there are really non-trivial problems about how those groups, that don't have an organized central organizing point and don't want a central organizing point, can come together, and so that's what happens there. And then, finally, you can do redundant notary services if you want to do blockchain-type things and just sign your notary output of your one-way sequence at multiple services. Well, you probably want to have three services so that you've got fault tolerance, and then you've got the question of, well, how do we combine the results? And you end up with an interesting race condition there, where you can end up with two different signings of the same output by different combinations. It's not satisfactory.
P: Hi, this is Chelsea. So one thing I just wanted to quickly mention is that, for his work on FROST, it's currently in draft status, and we are making a couple of tweaks right now, just for some additional security properties, so I guess I just wanted to say there are some differences between this work and FROST, and that's something that we are going to be fleshing out in the future. I guess one question I had, that is also a little bit to the chairs, is about, if this is adopted as a work item, what are some of the use cases? I guess, like, beyond just the mathematical mesh, that would like to be targeted. So, like, for example, in this proposal there's a pretty narrow focus, as I understand, on key distribution and having some trust around how keys are distributed, whereas in the literature and, like, for example, in our work, there's a notion of using sort of an untrusted model so that all participants are equally trusted. So I guess my question is broader, about, like, if this is adopted as a work item.
E: The only assumption here is that the base elliptic curve stuff works. Now, we've already got to the point where the whole of international commerce depends upon those elliptic curves and/or RSA being secure. So we're not increasing our exposure at all here, and I don't see at this point any of the post-quantum stuff that is being proposed being... I don't think that that is firm enough for us to want to then look at the threshold variations. There are, so I mean, it might be an interesting question to ask the people proposing post-quantum: is your stuff threshold-capable? At this point I'm a lot less worried about quantum computing than a lot of you. I did visit.
M: This effectively reduces the East, in terms of NIST PQ levels, from level 5 to level 3. It also reduces the signature size by about 40%, because the best attack is a second preimage attack. While on conventional computers it is still completely infeasible, at 2^192, and if we account for limits on circuit depth, which we assumed for the attacker's task to get a forgery within, say, a hundred years, that attack by Grover's algorithm using a quantum computer could still take circa 2^128, perhaps a little bit less.
M: The second set of parameters is based on SHA-3, and we're using the SHAKE256 extensible-output hash function, generating either 192 or 256 bits. This is mostly an alternative to SHA-256, and the signature size and the cryptographic strength are identical to SHA-256. And again, I'm here to ask for review. Any questions?
L: So, do you hear me? So this talk is about deterministic ECDSA and EdDSA signatures with additional randomness, and the Mattsson draft is now in version 2. Next slide, please. So, some background. So all ECC signatures require a per-message secret number. This has traditionally been generated purely randomly, but biases in the random number generation may lead to catastrophic consequences, such as key compromise.
L: The German BSI has co-authored several of these academic papers, and NIST has raised concerns. They are currently planning to standardize deterministic ECDSA and EdDSA. Next slide. So what can be done? One countermeasure to these types of attacks, recommended in basically all of these papers and also implemented in several popular crypto libraries, is to reintroduce some additional randomness to the otherwise deterministic generation of the per-message secret number, and this is also called hedged signatures in some of the papers. This is quite simple and well understood.
L: It does not increase the number of point multiplications, which makes it suitable for IoT deployments, which are in most need of this type of mitigation, and you get the hedged security. So even if the randomness is weak, the security falls back to what you would have if you did purely deterministic signatures. Yeah, next slide.
L: We think these attacks from academic research are quite serious, and we think that the IETF or IRTF should quickly update the recommendations for deployments where these attacks are a concern, and what we suggest in the draft is updates to the deterministic ECDSA and EdDSA RFCs, to say that in deployments where these types of attacks are a concern, the following steps are recommended instead. And the update, the technical update, is to add a random number Z, written in green, as well as a byte string of zeros, shown in blue, and the meaning of the zeros is to make sure that the key and the message are in different hash invocations, mitigating attacks where the attacker can control or choose the message. Updates: an important one is that we have changed the combination to concatenation with Z instead of XOR. Yes, well, that's a much better and more conservative solution, aligning with the academic papers.
L: So, is CFRG the right place, if you agree that this should be done? First, is this the right place? I would think so. CFRG has the right competence and has also published EdDSA. So if you agree with that, I'd like CFRG to adopt this and publish it as an updated recommendation for this, and I think it's quite straightforward.
N: Jonathan. I'd have one question regarding the zero padding for the randomness. Are you aware of any paper which has analyzed this in detail? I've had some discussion with Lejla Batina on this topic, and she recommended specifically to add such a zero padding also for applications such as departure, but she was not aware of any quantitative measurement on how to find out how much this mitigation is helping. Are you aware of some work on this?
N: A short remark: so the people I have asked this question regarding the zero padding, and in the structure to several side-channel, they told me that one should try to avoid entering the secret several times into the hash operation, and to my best knowledge, if you're iterating HMAC constructions, you are at risk of entering the secret several times, and that might even worsen the situation from a relational perspective.
N: That is what I understood from the discussions; I'm not a true professional expert, but that's the feedback that I got, and also the hash operations might be quite costly on side-channel-protected hardware. So the hardware guys that are working on side-channel-aware implementations recommended to avoid the hash functions, because it's very difficult to protect them.
B: I think that's my slab, with my chair's hat both... Personally, I support this work, and I think that in CFRG, if you have some people who are experts in the field of side-channel resistance, at least we use algorithmic countermeasures. So, personally again, with my chair's hat off, I support this work, and I think that CFRG is the right place to do this. And with my chair's hat on, I would like to say that, of course, we will take this to the list, and personally I would very much like to support this work.
Q: The verified, though it doesn't, but if you look at, so, the last few days I've looked at the deco, see and how see a growth code point assignments and all the details involved in specifying it. It also includes the signing operation and a clear reference, and it seems to me that even suggesting that there may be deployments where this is safe to be used, with this question, it seems to become, like, unworldly, right?
Q: Hoshi doesn't, point three doesn't, so that means that, you know, whatever is provided seemingly refers to 8032, which probably should never have reached the finish line in this stage. I think this should be a point where a new spec that actually fixes all this nonce business is clearly indicated as such, because I think it's kind of a black eye on the CFRG team.
R: Watson, Cloudflare. Yeah, I think we should not change code points. Changing code points is an excellent way to introduce all sorts of interoperability problems. It actually makes it harder to adopt a change, because all of a sudden devices that need to interoperate with the already installed base need to implement both. Even though you don't have an interoperability problem, generally, generating the nonce, the random value in ECDSA, actually randomly vs. deterministically, you would still have to implement the deterministic version if you were to adopt a different code point to fix the problem, the side-channel attacks. You would push a document saying: you decide, you should, you know, if you're vulnerable to side-channel attacks, you should use the randomized thing. Of course there isn't a panacea; it depends on the magnitude of the signal. You actually need to look at the implementation.
Q: Momoka window, and so in the past, with IETF, many, many times there was a need for algorithm agility, but whenever push comes to shove, always the current deployments are being mentioned. I think that kind of undoes the whole algorithm agility, a disservice. I think we should write a die, die, die document on the deterministic EdDSA scheme and have it replaced by something that fixes the errors in there.
Q: Rene Struik once more. I have a question on the errata process in the CFRG documents. I noticed that there are quite a few errata in the RFC 7748 document, and some of those errata had apparently been addressed, and I couldn't find any discussion on that. So how do we fix incorrectly addressed errata to RFC documents in the CFRG group?
Q: What I found when I looked at this particular RFC, so this is the CFRG curves document, right: a lot of IETF documents, there's a round where there's a working group last call, and then there's some subsequent discussion list, IESG involved, and a bunch of the directorates, and so on. I couldn't find any information on what process was followed after, because the working group last call equivalent, you see, I believe, is that document. So is there any process like that?
A: Yes, it basically goes to the IRSG, which is composed of the chairs of the research groups, the IRTF chair and some at-large members. There is at least one review going there, an initial review, and then there is a follow-up, and then it goes to the IESG, which does a review for conflicts. I can point you to the document if you want. Thanks; send me an email and I'll point you to the document. If people are interested in general, I can post to the mailing list.
E: So one of the things that I developed a while ago was called Uniform Data Fingerprint, and, you know, that wasn't something I would have thought of bringing to CFRG as it was, because it's basically just message digest fingerprints in Base32 with an algorithm identifier in front. However, as I've been circulating that, I've had requests to add some features, and so it's grown to the point where arguably it is within the ambit of what CFRG might claim, and one of those features is Shamir secret sharing.
E: So the idea is that, say, I've got a secret key that I've encrypted my hard drive under; I might want to Shamir-secret-share that and have, you know, two out of three shares. Okay, so that's a fairly simple thing to implement, but the next one is another thing I was asked for, deterministic key generation from a fingerprint string, and so what you might use that for is: I want to configure my SSH on all my clients with the same client key, and instead of emailing myself.
O: Thank you. I'm not sure I'm worthy of closing this out; I just wanted to follow up briefly on the comment before Phil's there, just to say that I'm aware that there are a bunch of errata that still need to be verified. So those have definitely not been forgotten; the other angle relative to checking those, and checking with the CFRG chairs, is to go through the process, so do look out for those being verified in, hopefully, the coming weeks.