►
From YouTube: LAKE WG Interim Meeting, 2020-12-18
Description
LAKE WG Interim Meeting, 2020-12-18
B
B
B
B
B
D
D
B
Yeah,
so
I
would
prefer
to
prioritize
the
issues
and
then
essentially
because
your
slides
to
my
understanding
refer
to
the
last
issue,
which
is
the
mti
suit.
So
let's
not
make
any
decisions
on
that
before
you
present.
Your
slides
is
that
is
that
okay,
perfect,
all
right
perfect.
So,
let's
write
add,
let's
add
in
the
agenda
for
any
strike
after
the
issues
for
10
minutes
for
10
minutes
and
then
we'll
have
any
other
business
at
the
end.
C
C
B
F
F
So
this
is
updates
of
the
issues
that
we
discussed
at
the
last
meeting.
I
also
sent
out
this
is
basically
the
same
text
as
I
sent
out
on
the
list
so
resumption,
nothing
to
do
agreement
and
negotiating
of
parameters.
Here
we
have
added
a
new
appendix
it's
around
one
page
that
describes
everything
that
needs
to
be
agreed
between
the
initiator
and
the
responder,
and
this
was
based
on
a
suggestion
by
michael
richardson.
F
F
Then
we
had
an
issue
on
identifying
certificates
and
appears-
and
here
there
has
been
quite
a
lot
of
discussion
in
the
course
working
group.
There
is
ongoing
thread
how
to
identify
a
certificate
with
a
kid
and
also
there's
been
a
request
offline
to
add
receiver
certificates
to
the
ad
hoc
test
vectors,
so
the
zebra
certificate
zebra
certificate
draws
currently
lack
a
private
key
to
enable
this,
but
this
will
be
added,
and
then
this
will
be
added
to
the
add-on
test.
Vectors
on
github.
F
F
F
So
there
was
a
request
last
time
that
we
added
text
on
how
to
distinguish
an
error
message.
This
has
now
been
done,
but
this
issue
has
spawned
several
new
discussions
on
github
marco
has
asked
and
provided
an
answer
for
how
to
distinguish
message,
one
from
message:
three.
This
seems
to
be
more
implementation
guidance,
but
maybe
there's
some
something
test
also
needs
to
be
explained
stricter
in
the
draft.
F
Then
there
has
been
a
request
from
I've
forgot
from
who,
but
to
right
now
the
error
messages
in
ad
hoc
or
undefined
text
string
that
application
can
set
to
whatever
they
want,
except
for
the
list
of
cipher
suits.
The
list
of
cypher
suits
can
be
automatically
acted
on,
but
everything
else
is
cannot,
and
it's
also
not
standardized.
So
there's
a
discussion
on
github.
Whether
ad
hoc
needs
to
provide
standardized
error
messages
in
the
form
of
strings
or
integers.
F
G
So
perhaps
marco
wants
to
say
something
about
distinguishing
error
messages.
The
second
okay,
the
first
bullet
was
from
our
code.
The
first
sabbat
bullet
on
issue.
30
was
from
marco
and
the
second
one
was
from
stefan
ristisol,
who
is
not
here,
so
I
don't
think
he
will
be
able
to
provide
more
than
on
the
issue.
But
marco
maybe
has
something
to
say
about
distinguishing
error
messages,
or
someone
else
may
have
some
input
on
on
what
we
need
to
specify
here.
H
Hi,
marco,
here
just
added
one
more
comment
on
the
github:
it's
definitely
implementation
guidance.
I
don't
think
there's
anything
big
to
fix
in
the
in
the
protocol
itself.
It's
just
that.
There's
a
lot
of
flexibility
in
in
the
roles
that
you
client,
server
or
reversed
can
take.
They
can
have
multiple
ongoing
adult
executions
and
it's
just
important,
I
think,
and
simplifying
to
understand
what
exact
message
it
is
when
received
before
starting
anything
else.
G
H
H
H
I
You
should
understand
from
from
from
the
correlations
like
this
is
a
response,
so
you
can
correlate
to
the
request,
which
means
that
you
can
correlate
to
which
to
the
message
like
you
can
okay.
This
is
a
message
too,
because
it's
a
response
to
message:
one
example:
if
you're
using
co-op,
that
would
be
using
the
token
the
co-op
token.
H
H
F
G
G
G
G
J
Generally
you
when
you
design
error
messages,
you
need
to
be
aware
of
whether
the
error
message
has
an
influence
on
the
state
machine
or
not,
and
if
it
has
an
influence
on
the
state
machine,
then
you
need
to
standardize
it,
and
if
it
doesn't
you
don't
so,
I'm
I'm
trying
to
understand
what
what
kind
of
distinction
people
are
making
here.
Certainly,
there
should
be
an
admonition
to
provide
good
diagnostics,
but
that's
different
from
standardizing
error
messages.
F
G
E
Is
that
the
point
is
that
if
you
have
an
error
number,
then
that
number
can
be
looked
up
in
a
table
and
can
be
tran
can
provide.
You
know
local
information
in
a
local
language,
about
what
you
did
wrong,
whereas
the
english
text
string
is,
of
course
something
that
the
other
implementer
made
up
and
therefore
isn't.
E
It
could
mean
anything
right
so
that
that's
that's
the
that's
the
the
thing
I'm
trying
to
say:
okay,
there's
an
smtp
right,
I
mean
we
did
we
we
we,
we
wound
up
with
the
situation
where
we
got
nationalized
bounce
messages
which
people
realized
they
couldn't
read.
They
didn't
know
what
was
wrong,
and
so
we
had
to
really
be
careful.
We
had
came
back
and
added
these
dotted
error
messages
that
had
more
meaning
so
that
you
actually
could
actually
know.
F
F
F
We
have
done
the
transformation
from
hkdf
to
more
general
extract
than
expand
and
for
short,
two
hkdf
is
used
for
shake
kmac
is
used
and
got
several
questions
on
this,
and
the
intention
is
not
to
standardize
any
new
cypher
suits
but
like
any
all
cosy.
Algorith
can
be
used
with
a
private
cyber
suit,
and
this
change
does
not
affect
any
current
implementation.
F
F
F
So
I
don't
think
this
should
be
done.
I
think
it
might
be
worth
considering
to
to
look
at
how
in
the
future
so
that
it's
possible
to
expand
it
to
to
use
pqc
algorithms,
but
don't
think
it's
essential
it
looking
at
the
pqc
outwards.
I
think
there
might
not
be
a
strong
use
case
to
use
chem
malgrids
at
all.
It
might
be
more
lightweight
or
equally
lightweight,
with
the
pqc
signatures,
depending
on
the
requirement
and
limitation
of
the
pqc
algoriths.
F
Yes,
I
think
the
only
is
what
I
was
considering
here
is
that
maybe
with
pkc,
you
need
to
send
an
array
of
of
byte
strings
instead,
instead
of
a
single
byte
string.
So
I
don't
know
if
it
even
would
be
any
changes
to
the
protocol
messages,
but
it
would
be
good
to
make
sure
that
if
somebody
wants
to
use
a
pqc
algorithm
in
the
in
the
future,
they
can
define
such
a
scifi
suite.
F
F
So
here
is
a
issue
that
was
not
discussed
last
time
but
has
been
implemented
in
zero.
Three.
At
the
last
meeting,
we
had
received
a
request
to
register
cypher
suits
with
high
security
following
aligning
with
cnsa,
and
after
that
we
have
received
a
second
independent
request
to
do
exactly
the
same
thing.
F
There's
also
a
request
to
make
a
more
general
non-constrained,
but
not
high
security,
cipher
suit.
So
zero
three
adds
two
new
cypher
suits
one
aligning
with
cnsa
it's
the
as256,
and
then
it
has
an
a
second
cypher
suit
with
asgcm
and
curve245519
is
aligns
nicely
with
what
is
used
very
commonly
on
the
web.
Maybe
it's
not
absolutely
most
common,
because
rsa
is
probably
more
common
than
ecdsa,
but
this
would
probably
be
the
second
most
common
used.
Algorithm
combination
on
the
web
today.
D
D
F
D
F
D
Because
if
the
let's
say,
if
you
go
for
for
cnsa
suites,
some
of
the
optimization
techniques
that,
in
my
kind
of
layman,
version
of
looking
at
the
lake
effort
have
less
impact
right
because
yes,
like
some
of
the
optimizations,
that
they
have
a
diminishing
return.
If
the
buy
initial
byte
type
is
already
higher
right.
F
F
F
G
D
F
D
D
F
F
F
There
might
be
an
update
and
there
might
be
an
up
optimized
update
of
this,
and
then
the
discussion
has
been
that
it
would
be
good
with
lightweight
forward
secrecy,
for
example,
I
hashane
at
some
level,
and
one
comment
was
that
it
would
be
good
if
this
is
done
in
ad
hoc.
You
have
since
received
some
other
comments.
That
might
maybe
it's
good
to
do
it
in
or
score.
I
think
both
are
good
are
possible.
F
F
I
think
it's
still
for
far
to
start
whether
it
is
known
this
counter
around
a
number
or
a
counter
plus
random
number,
but
in
high
level
the
cryptographic
principles
of
this.
Now,
when
I
look
I
happen
to,
they
agree
quite
very
well
with
what
kartik
suggested
already
a
year
ago.
I
think,
and
I
think
the
whole
idea
with
a
lightweight
forward
secrecy
is
based
on
that,
but
yeah
any
comments
on
this.
B
So
and
john
this
is
militia.
I
just
have
a
clarification
question
the
nonce.
You
say
that
the
nonce
comes.
It
can
be
a
counter
random
number
or
counter
plus
random
number.
So
I'm
wondering
how
do
you
synchronize
this?
Between
I
mean?
Do
you
explain
the
messages?
I'm
not
clear
on
the
mechanism
exactly
how
it
works.
F
B
Okay,
but
I'm
confused
about
the
whole
mixing
of
ad
hoc
and
oscar
part,
because
appendix
v2
to
my
knowledge
is
oscar.
So
this
is
the
exchange
of
nonsense
that
happened,
and
now
you
are
saying
essentially
that
these
nonsense
get
used
in
the
ad
hoc
exporter
interface
to
generate
a
new
key
for
us.
Is
this
correct.
F
Yes,
so
what
oscar
would?
What
oscar
normally
do
is
that
it
it
calls
the
ad
hoc
exporter
interface.
Give
me
a
key
in
this
case,
although
oscar
would
call
ad
hoc
exporter,
and
then
it
would
call
at
some
point
later.
It
would
call
this
ad
hoc
exporter
forward
secrecy
function
with
the
nonce
to
update
the
key
in
ad
hoc,
and
then
it
would
call
the
ad
hoc
exporter
again
to
get
a
new
key,
that
that
is
the
second
key
in
this
prk
forex
3m
hashtag,
okay,.
B
F
A
counter
yeah,
but
yes,
you
need
the
reason
that
you
want
unknowns
in
this
is
because
otherwise
it
might,
if
you
have
really
bad
luck
in
practice,
is
probably
work
anyway.
But
theoretically
the
hash
of
the
key
could
be
the
same
key
again,
and
then
you
have
a
cycle
of
length,
one
which
just
repeat
itself,
so
typically
in
cryptographic,
primitives,
you
want
to
add
something
so
that
you
can
guarantee
a
long
cycle.
F
It
doesn't
hurt,
but
right
now
I
think,
let's,
let's
work
more
on
the
practical
details,
I
think
the
cryptographic
parts
are
not
the
hard
part
here.
Maybe
it's
more
synchronization
problems
and
so
on,
but
but
absolutely
all
cryptographic
review
of
this
at
a
later
at
a
little
bit
later,
state
or
or
right
now,
also
and
for
the
cs-
is
of
course
welcome.
G
I
think
I
think
if
someone
wants
to
be
involved
in
the
discussion.
That's
that's
very
welcome
right
now,
if
you
want
to
contribute
or
or
part
of
be
part
of
this
fleshing
out
the
details
that
that's
definitely
welcome.
So
it's
no,
no
reason
to
wait.
If
you
have
an
opinion
here,
I
think,
but
it's
not.
F
E
E
G
F
B
F
My
feeling
is
that
this
make
the
specification
a
bit.
It
add
complexity
to
the
specification,
but
also
add
complexity,
to
develop
this,
which
would
be
bad
basically,
a
developer.
Only
having
access
to
a
code
c
library
would
have
to
dig
into
the
implementation
of
the
because
the
algorithms
dig
out,
aes
and
cha-cha
and
then
probably
implement
a
stream
cipher
mode
of
these
on
their
own.
F
F
No,
not
really
I
yeah,
but
option
two
is
implemented
in
their
dog
zero
three
option.
One
here
is
implemented
in
addox
zero.
Two
we
got
some
previous
version
wrote
that
we
use
the
source
cipher,
which
is
associated
with
bad
security,
because
people
use
it
with
a
short
key
and
so
on,
but
I
think
so
if
we
use
that
we
should
fine-tune
the
text
a
little
bit
to
not
to
get
less
negative
comments.
F
F
You
can
do
that
if
you
have
some
to
pass
encryption
algorithm,
but
I
think
none
of
the
common
algorithms
have
all
the
commonly
used.
Algorithms
have
a
well-defined
tag.
Yeah
and
if
it
doesn't,
you
don't
need
to.
The
tag
here
needs
to
be
removed
to
fit
in
the
46
bytes
in
laura1
and
so
on.
There
is
no
problem
if
the
tag
is
left.
If
you
don't
have
this,
if
you
don't
need
this
very,
very
optimized
messages,
but
the
tag
itself
here
does
not
provide
any
security,
as
explained
in
the
sigma
paper.
B
Yeah,
so
in
summary,
essentially,
we
would
be
good
enough
with
option
number
two.
If
we
were
if
we
had
only
the
cyphers
with
the
well-defined
tag,
but
you
are
saying
in
future
someone
might
standardize
ad
hoc
with
one
of
these
pipers
that
do
not
have
a
well-defined
tag
and
no,
I
think,
that's
very
unlikely.
Yeah.
F
F
F
F
F
B
F
B
F
F
But
looking
more
of
that,
I
think
it
basically,
the
same
things
apply
for
also
for
the
signature
and
also
for
tls.
Basically,
after
sending
the
third
message,
the
initiator
does
not
know
if
the
responder
has
or
can
calculate
this
session
key,
and
it
can
go
wrong
in
call
norman
at
all,
showed
it
in
a
very
theoretical
way,
but
you
can
also,
for
example,
the
responder
might
not
like
the
certificate
of
the
initiator
and
refuse
the
message.
F
F
He
has
key
confirmation,
or-
or
you
can
imagine,
co-op
use
cases
where
the
data
are
only
going
in
one
direction.
So
one
suggestion
has
been
to
add
optional.
Fourth
message
to
ad
hoc-
and
this
should
probably
not
be
it-
should
be
communicated
somehow
or
requested
by
the
initiator.
If
this
should
be
sent.
F
E
E
Well,
so,
if,
if
you
have
a
case
where
you
have
a
responder
who's,
always
a
server
and
therefore
the
point
you
know
where
was
the
point
about
the
initiator
is
not
the
os
core
client.
If
that's
always
the
case
that
the
ad
hoc
initiator
is
always
the
os
core
client
and
therefore
the
ad
hoc
responder
is
always
the
os
core
server,
then
we
never
need
it
right.
G
E
G
E
Will
solve
that
problem,
but
it
solves
the
problem
without
adding
any
complexity
to
ad
hoc,
just
make
sure
there's
always
a
response
right.
So
if
we're
in
agreement
with
that,
then
it's
only
the
case
when
that
point
is
not
true
when
the
ad
hoc
initiator
is
not
the
os
core
client
that
we
need
to
worry
about
about
the
question
of
whether
we
need
to
make
this
mandatory
to
implement.
E
F
E
B
G
B
G
I
G
Well,
no,
I
mean
the
problem
is
that
we
don't
really
know
about
the
applications
and-
and
we
don't
know
whether
applications
is
able
to
confirm
within
within
the
time
frame.
So
maybe
that's
that
message
four
would
be
the
right
way
to
get
key
confirmation
at
this
point
and
then
at
some
later
unknown
time
this
is
actually
used,
so
maybe
the
application
doesn't
really
know
cannot
really
say
for
a
long
time.
You
need
to
wait
before
before
the
application
is
actually
using
the
keys,
but
you
want.
F
F
F
B
B
F
B
K
F
So
here's
the
issue
about
t-e-e
assumption
this
was
also
raised
by
the
formula
verification.
They
wanted
more
clearer
assumption
on
where
ad
hoc
and
oscorp
were
implemented,
and
basically
the
trusted
execution
environment
has
gone
from,
basically
only
being
as
key
storage
like
tpm
to
being
a
general
execution
environment
like
intel,
stx
and
so
on
or
in
the
arm
trust
zone.
F
Then
then,
you
get
better
properties
if
that
is
in
ad
hoc,
then
or
score,
for
example,
if
the
assumption
is
that
ad
hoc
is
in
a
t,
e
and
o
score
is
outside
of
dte,
and
I,
based
on
the
discussion
in
in
on
github,
I
think
basically,
it's
possible
to
implement
the
whole
ad
hoc
protocols,
but
maybe
every
assumption
could
be
that
the
ad
hoc
keys
are
stored
in
in
a
tee.
There
are
keys
and
any
cryptographic
operations
on
them.
G
Yeah,
I
think
this.
This
is
what
what
the
reviewers
or
the
the
the
people
who
work
on
formal
verification
would
want.
Is
the
security
considerations
around
this
sort
of
what
what
benefits
do
we
get
from
storing
certain
keys
or
secrets
in
the
te?
What
what
other
properties
we
we
we
will
get
out
of
the
protocol.
So
that's
it's
more
like
an
understanding
of
how
to
use
te
in
the
context
of
ad
hoc
and
writing
that
down
in
the
security
consideration.
F
Yeah,
but
I
think
it
it
came
from
the
formal
verific,
but
I
think
it's
it's
not
so
they
they
will
not
use
ad
hoc.
I
think
what
is
interesting
is
how
should
we
give
guidance
to
people
using
ad
hoc?
Not
people
really
doing,
even
if
that's
also
good,
to
have
clear
assumption
for
people
doing
formal
verification,
but
I
think
no,
no
all
the
time
it's
a
bit
broader
than
that.
G
E
I
think
yep
go
ahead,
so
I
I
think
that
there's
clearly
a
a
pyramid
of
you
know
benefit
right.
There's
no
point
in
putting
the
the
ephemeral
public
keys
in
the
tee
and
not
the
long-term
public
authentication
key
right.
That's
a
that's,
probably
a
silly
thing
to
do
so.
I
I
think
that
should
be
documented.
More
specific
advice
really
depends
like
the
the
ephemeral
public
key.
If
it
lets
you
blow
up
the
nuclear
reactor,
then
maybe
it
should
go
in
the
t-e-e.
E
E
So
I
think
that's
going
to
be
very
specific
and
I
don't
think
our
document
can
really
say
that
I
think
it
should
simply
say
make
it
clear
what
keys
are
related
to
what
other
are.
Are
they
derived
from
or
or
related
to
something
and
the
loss
of
certain
keys?
What
does
that
result
in
and
that's
all
and
by
loss
I
mean
not
compromise.
I
mean
like
it
like
the
key
gets,
destroyed
or
or
can't
be
used
anymore
for
some.
E
F
I
think
I
I
think
what
michael's
said
is
a
good
start.
I
think,
unless
we
have
any
very
clear
I
I
don't
think
we
will
have
any.
I
think
the
implementations
will
look
very
different
and
we
we
have
to
allow
any
type
of
implementation.
I
think
we
can
only
give
guidance
as
michael
says,
explain
what
happens
in
in
different
cases.
If
you.
F
E
C
F
Let's
move
on,
then
we
have
forward
and
backward
secrecy.
These
are,
I
think
we
have
this.
We
have
already
discussed
this
in
the
aad
key
thing,
but
basically
re-running
one
option
to
get
forward
and
backward
secrecy
or
post-compromise
secrecy
is
to
re-run
ad
hoc
with
the
new
dfe
helmand.
Then
you
get
both
of
these
properties.
F
F
F
Is
that
it
it
periodically
for
signal
every
message,
but
you
could
do
it
every
nth
message
or
something
you
could
send
generate
a
new
ephemeral
if
a
helmet
key
and
send
to
the
other
person
who
just
calculates
a
new
key
but
doesn't
really
send
any
back.
So
you
have
ephemeral
static
if
a
helman
ping
back
and
forth,
and
this
requires
two
asymmetric
operations
on
the
initiator
and
one
on
the
responder,
and
this
would
then
be
a
little
bit
but
not
much
cheaper
than
rerunning
ad
hoc.
F
It
requires
one
message,
and
maybe
two:
if
you
want
to
have
a
ack
and
basically
half
the
amount
of
asymmetric
operations.
Comments
on
github
so
far.
Is
that,
let's
not
do
it,
the
trade-offs
are
or
not
worth
it.
That's
too
much
much
complexity,
and
if
you
want
good
security,
you
rerun
ad
hoc
instead.
F
Doesn't
seem
to
a
bit
complicated,
I
can
not
really
explain
either
exactly
what
security
properties
you
would
get
from
this,
and
it
might
also
lead
to
a
lot
of
synchronization
problems
that
are
might
be
easy
or
hard
to
fix.
So
I
think,
if
there's
no
comments,
we
go
to
the
next
slide
and
have
the
conclusion
that
we
don't
do
any
form
of
ratcheting.
F
F
And
the
use
of
sha
512
in
constrained
iot,
which
is
not
implemented
everywhere
and
then
also
discussion,
of
which
cypher
suit
should
be
mandatory
to
implement
if
any
selfish
suit
should
be
mandatory
to
implement
and
there's
a
lot
of
comments
on
this.
This
has
been
discussed
for
a
long
time
and
there's
comments
in
a
lot
of
different
direction.
F
F
F
F
Maybe
I
think
we
go
through
all
the
slides.
Unless
there's
any
comments,
then
performance,
several
people
have
pointed
out
that
they
want
they
have.
They
are
depending
on
low
latency
and
with
modern
devices.
It
starts
to
be
less
and
less
of
a
problem
but
curve
they
say:
curve25519
is
significantly
faster.
F
F
Is
a
number
I
got
from
a
company
recently?
If
you
search
on
the
internet,
you
can
find
very
different
differences,
but
it's
hard
to
compare.
Often
they
compare
unoptimized
code
for
p256,
so
I
think
the
difference
have
shrunk.
The
last
five
years.
You
could
see
larger
differences
five
years
ago
than
you
see
now
then
third
trade-off
here
is
security.
F
And
the
I
don't
know
exactly
why
renee's
set
up,
but
one
thing
is
that
deterministic
signature,
algorithms
are
not
very
good
for
accessible
iot
devices
because
of
side
channel
attacks.
John,
can
I
have
a
comment
for
a
second
absolutely
do
that?
I
don't
think
I
despise
it
like
that.
Okay,
yeah,
you
you,
you
use
quite
hard
words.
Sometimes
yeah.
F
D
So
I
I
think
both
ec
dsa
and
at
255
at
the
dsa
are
theoretically
they're
fine
monsters,
norske,
even
the
other
one
was
easy,
dsa,
the
only
problem.
The
main
problem
I
think
with
ed25519,
is
now
that
it's
deterministic
and
it's
basically
there
are
lots
of
papers.
There's
a
recent
one
in
the
ssr
standardization
crypto
conference
about
taming
the
many
versions
of
at
255.9,
and
I
think
that's
the
main
problem.
D
F
Then
so
question
here
is:
what
should
we
have
as
the
mti
cipher
suit?
If
anything,
it
does
not
seem
to
be
an
ideal
people.
Support
is
important.
So
if
you
have
a
single,
it
seems
that
ecdsa
p256
might
be
the
option,
but
other
people
has
there's
a
lot
of
people.
Also
wanting
the
security
and
performance
of
ed2519
different
group
of
people
wanting
different
things,
and
but
the
question
is:
do
we
do
we
have
to
have
a
mandatory
to
implement
algorithm
cosi?
Has
the
text
that
applications
using
codes
needs
to
define
the
set
of
security?
F
Algorithms
that
are
to
be
used?
Ad
hoc
is
not
an
application.
It's
it
would
be
used
by
applications,
so
maybe
we
could
have
the
same
text
or
we
could
have
both
of
these
algorithms
mandatory
to
implement.
So
I
think
this
is
the
technical
question,
but
it's
also
a
political
idf
question.
I
know
I
don't
think
the
ad
is
here
and
I
think
if
we,
if
we
don't
want
to
have
a
mandatory
to
implement,
then
I
think
we
need
to
confirm
with
the
80
that
that
would
be
acceptable.
F
B
F
F
F
Renee
has
suggested
a
wire
strass
version
of
ker
255
with
shaw
2056
that
solves
some
of
the
problems
with,
but
not
all
problems
with
the
other
two
hillary
started
talking
about
that.
Atf
should
maybe
look
at
standardizing
something
even
more
optimized
called
qdsa
and
there's
also
a
question
whether
shaw
256
will
be
the.
F
F
D
D
Oh
yeah
yeah,
so
this
slide
looks
very
busy,
but
essentially,
if
you
look
at
the
first
column
that
uses
that
is
listed
as
ecdsa256
and
ecdh256,
that
is
cypher
suite.
That's
currently
supported
in
ad
hoc
as
option
two
or
three
with
some
symmetric
component
as
well,
and
it
uses
the
well-known
list
p256
curve,
sha-256
and
ecdsa
or
vector
diffie-hellman
with
kdf
based
on
xia256,
the
second
column
it.
It
is
addox
suite
zero
one.
D
It
uses
the
at
two
five
five,
one
nine
sixty
scheme
and
it
uses
x25519
as
the
diffie-hellman
key
agreement
protocol.
And
if
you
look
at
those
two
columns,
you
will
see
that
there
are
some
sticking
points.
So
one
of
them
is
it's
not
clearly
visible.
Is
that
in?
If
you
use
the
second
column,
then
you
have
to
use
shout
512,
because
it's
used
as
the
fixed
building
block
in
that
signature
scheme.
D
What
I
would
like
to
suggest
considering
is
maybe
there's
room
for
another
suite.
That
looks
a
little
bit
more
like
the
nist,
well-known
ecdsa
and
co-factor
davie
hellman
in
terms
of
formatting
and
in
terms
of
the
curve
equations,
because
I
think
that
would
actually
lower
the
implementation
cost,
especially
for
implementation
that
either
want
to
implement
both
or
maybe
they
already
have
the
x2559
under
the
hood
or
they
have
already
existing
hardware.
So,
let's
go
to
the
next
slide.
D
I
D
And
I
suggest
basically
adding
as
another
suite
and
I
only
focus
on
the
public
key
components
where
essentially,
instead
of
using
the
nist
curve,
we
use
an
equivalent
of
curve25519,
but
it's
whipped
into
a
format
that
is
fits
right
into
the
nit
specifications
and
it's
called
in
in
the
speak
of
the
elvic
draft.
I
have
on
this
y25519
where
y
stands
for
ifstras
and
the
main
features
of
that
is
are
that
devices
that
are
currently
out
there.
D
So
one
other
thing
I
want
to
mention
on
this
slide
is
the
the
last
kind
of
brown
colored
thing
it's.
If
people
already
implemented
curve
255
online
using
the
so-called
montgomery
letter,
they
can
just
reuse
99.9
percent
of
that
code,
just
to
add
a
little
wrapper
to
implement
what
I
suggest,
and
I
think
it
goes
too
far
to
go
into
the
details,
but
I
have
some
further
reading
on
the
next
slide.
D
I
think
it
should
go
to
iesg
soon,
hopefully-
and
I
have
also
some
background
information
that
explains
it
without
having
to
read
through
the
draft-
and
I
presented
that
already
like
two
and
a
half
years
ago.
So
that's
the
last
item
here
then
this
bias
trust
version
has
been
specified
in
some
form
in
some
nist
draft
implement
specifications.
So
if
they
get
issued
then-
and
we
see
it's
compatible,
we
can
just
basically
make
sure
it's
the
same.
D
D
D
If
we
use
this
approach
or
if
devices
want
to
speak,
both
nist
curve,
p256
and
curve255l9,
they
can
do
it
in
a
lower
cost
manner
and
we
don't
have
to
implement
xiao
256,
because,
most
I
I
spoke
with
some
people
at
synopsis,
for
example,
and
they
they
don't
do
one
or
they
go
they.
They
only
implement
things
that
are
not
tailored
to
one
implementation.
They
just
do.
D
Yeah,
the
transformations
step
is
essentially
just
a
field
edition,
and
it's
it's
it's
depending
on,
of
course,
how
the
how
the
code
is
being
implemented,
but
if
it's
software
based
it's
just
a
one-line,
call
to
a
field
edition
and
then
an
online
call
to
a
filter
dish
in
the
other
way
around
to
go
back
so
but
yeah.
So
if,
if
you
want,
I
can
I
there's
lots
of
material
in
this
elvic
draft
to
to
support
those
kind
of
claims
right.
D
D
The
performance,
I
think
the
main
performance
is
the
scalar
multiplication
in
electric
curve
crypto,
although
in
easy
dsa
the
you
have
to
also
do
a
snowballed,
inversion
step,
which
makes
it
slightly
more
expensive,
but
not
that
much
so
then
so.
Obviously,
it's
the
performance
goes
down
a
little
bit,
but
it's
only
a
few
percent.
C
One
sorry
when
I
I
just
conscious
of
time
we're
at
the
15
minutes
remaining,
so
I
mean
I
guess
we
want
to
discuss
the
concept
of
mandatory
to
implement.
Yes,
yes,
stephen
and,
and
then
you
know
whether
a
new
cypher
sweeper
from
an
rfc
yet
is
an
appropriate
choice.
Is
probably
the
second
question
not
first.
F
D
D
B
G
F
F
So
I
think
I
think
doing
like
couples.
It
sounds
like
you
have
two
very
strong
camps
with
different
opinions
here.
So
I
think
doing
acoustic
would
be
good,
but
we
probably
need
to
talk
to
ben
to
confirm
that
that
would
be
an
he
thinks.
That's
an
acceptable
option.
So
we
we
don't
get
stuck
in
isd
later.
D
F
D
So
the
thing
that
I've
been
looking
at
yesterday
is
whether
the
x25519
protocol
would
be
able
to
get
a
fip
stamp,
and
currently
I
don't
know
so-
maybe
if
you
want
to
have
a
look
at
that
as
well,
because
I
think
it's
important
that
some
of
these
devices
that
you're
targeting
that
you
don't
block
out
a
particular
market
and
use
government
market
is
not
huge.
But
it's
usually
it's
perceived
to
be
a
good
thing.
If
you
are
also
compliant
with
niched
things
right.
C
C
B
That
was
a
question
I
mean,
I
thought
the
question.
My
personal
opinion
is
that
doing
the
cause
is
more
of
a
generic
rfc
than
standard
the
net
hockey
is
and
that
we
will
be
losing
in
terms
of
interrupt
interoperability
between
the
between
the
implementations.
If
we
go
that
way
again,
that
is
my
personal
opinion,
so
I'm
intending
to
vote
for
having
an
mpi
street,
but
I
understand
that
there
are
different
opinions
involved.
C
So
just
I
think,
in
terms
of
the
process
of
one
thing,
to
notice
it's
kind
of
unpredictable
as
to
whether
you
get
given
out
whether
you
get
problems
from
the
isg
or
at
ease
with
respect
to
this
or
not
it's
some.
You
know
you're
trying
to
predict
the
future
and
the
personnel
on
the
isg
at
the
time
is
not
always
predictable.
C
Second
thing
to
just
offer,
as
an
input
is
in
this
case
there
might
be
an
option
to
say
something:
like
you
know,
if
a
device
is
less
constrained,
then
it
should
implement
both
these
two
cypher
suites
and
if
it
is
constrained,
then
we'd
encourage
use
of
one
of
them,
but
we
know
that
you
know
not.
Everybody's
gonna
do
that.
So
there
might
be
some
halfway
house
here.
That
makes
sense.
E
Okay,
so
my
suggestion
is
that
I
think
we
should
allocate
a
code
point,
that's
fine,
and
particularly
if
we
can
do
that
without
causing
a
down
ref.
If
not,
then
I
believe
that
the
elwig
document
should
allocate
the
code
point
in
our
registry.
That's
fine
by
the
way
it
works.
Let's
not
decide
on
mandatory
to
implement
in
this
document
is
not
going
to
fly
it
is
there
are
so
many
different
considerations.
E
Ipsec
uses
an
rfc
820
8221
is
the
the
latest
one
with
a
series
of
should
plus
and
must
and
should
minus
so,
for
instance,
p
256
suites
are
probably
should
minus,
because
they're
hardware
accelerated
right
now,
but
many
people
don't
like
them
and
this
algorithm
may
be
as
a
should,
plus
and
maybe
ed
2519
is
a
must
or
not,
but
put
that
in
a
different
document.
That's
going
to
change
over.
G
C
I
I
think
it
might
be:
there
may
be
middle
ground
there.
That
makes
sense
for
implementers,
because
I
think
a
lot
of
people
write.
Generic
libraries
will
implement
everything
and
it's
people
on
the
constrained
side.
Who'll
have
to
pick
down
to
one
or
two
things,
and
I
think
we
could
give
them
good
should
level
guidance
that
would
work
for
lots
of
them,
even
though
some
will
do
weird
things.
G
E
I
E
I
E
E
C
Again,
time
check
we're
down
to
four
minutes
and
we
had
francesca
who
I
think
we
pushed
last
time
and
so
and
we
probably
won't
sort
out
this
issue
in
four
minutes
anyway.
So
maybe
suggest
we
switch
over
to
francesca's
report
sounds
good
and
then
we'll
we'll
talk,
then
at
the
very
end
about
whether
to
have
another
interim.
I
Good,
thank
you.
So
I
just
wanted
to
report
quickly
about
our
first
edoc
interrupt
next
slide,
so
we
organized
something
very
shortly
with
two
implementers.
So
there
was
timothy
and
stefan
and
a
tweak.
We
had
two
hours
interrupt
to
test
those
two
implementation
implementations
against
each
other
and
we
tested
only
based
on
the
exchange
that
is
described
right
now
in
the
in
the
draft
in
appendix
b1.
I
So
that
was
the
signature
authentication
x,
509
certificates
with
the
method
0
and
the
selected
cipher
suite
was
the
number
zero.
So
these
are
the
algorithms
that
were
used
and
the
result
is
that
it
was
successful
in
one
direction
and
so
the
exchange
passed
all
verification
and
then
the
messages
were
created
and
verified,
etc,
but
on
the
other
direction
it
was
not
successful,
but
not
because
of
adoc
implementation,
but
because
of
connection
problems.
I
That
is
contains
more
test
vectors
than
those
that
are
in
the
draft
and
also,
as
you
might
have
seen.
I
I
started
doodle
about
an
interrupt
after
the
holidays,
possibly
in
the
third
week
of
january,
and
if
you're
interested
to
participate
would
be
great,
please
go
and
let
us
know
so.
We
can
pick
the
best
date
for
everybody
and
that's.
B
C
C
C
B
So
that
would
be
all
thank
you
all
for
attending.
I
hope
yeah,
I'm
recording
when
fine.
So,
let's
enjoy
the
holidays,
let's
think
on
and
think
up
on
the
mailing
list
and
on
github.
Regarding
the
specific
issues,
we
will
launch
the
poll
this
time
about
the
the
dates
for
the
next
interim
and
yeah.
I
guess
that's
it.
Even
if
you
want
to
add
up
something.