 So, what it works when it's you just not me. Yeah. Okay. Got it. All right. So, I'm John Kelsey. I'm here to talk to you a little bit about what NIST is up to. So, first thing is there's lightweight crypto standardization effort going on, Nicky Mouha is running that both in and Meltum and Meltum Turin and Kerry McKay, the main people on that. The goal here is to standardize crypto for constrained environments. There's a call for submissions that is going to be coming out probably in the next couple weeks we hope for a lightweight AAD scheme and this is all the contact information. So, if you're interested in this, this is the sort of thing you're interested in. So, we're also starting an effort at threshold cryptography standardization, stuff like threshold signatures, right, or a threshold decryption. And so, there's a draft NISTR. A NISTR is kind of our version of a white paper, so it's basically a white paper. Threshold schemes for crypto. There are public, we, it's out for public comment. We want public comments basically about a month and a half. And then there's also going to be a workshop in March. And so, if this is the sort of thing you're working on or you either you're doing something practical with this or you're involved in this in terms of research, this is a good time to get involved. You can really have a big impact on what we do. The post-quantum competition that's not a competition is still non-competitively competing, I guess. So, you can see, you are here where the red arrow is. So, I guess the interesting thing, the most interesting thing for most of you to know is next year's post-quantum standardization workshop is actually at crypto. I think it's right after, I think it's like the next day, if I remember correctly. So, you almost by default will get to come to this if you just like stay an extra day or something. Also, if you're a submitter, you probably are, you're paying attention to this. But if you want to merge your submission with somebody else, that needs to get in by November 30th. So, okay, update to 800-131-A-REV-2 draft. Now, this sounds exciting. And believe me, it is. Okay, so, the big idea is this is a document where we say what kind of how, what key links you should be using, what algorithms you should be using. And this is where we are right now working on seeing if we can get triple des to go away, or go away as much as possible. So, right. So, there are two ways that, the comment period is ending very soon. So, if you want to have a say on this, now's the time. And there are two directions to this. One is, yes, please get rid of the damn thing. Another good thing to say, though, is wait if you do this, you'll destroy my industry. And if that's all, if that's your feeling, then please tell us and make a formal comment so we know we're not, you keep us from walking off a cliff. 890B, the Entry Resource Standard, is out, it's been out for about like seven months, eight months. And we've received lots of feedback, and we're going to do something new. This is, we're going to be doing this with all of our special pubs. Which is, instead of waiting, collecting all the errors, and waiting three years to the next revision to correct bugs, we're going to do, we're going to put out a corrected version with an errata list. Now, this isn't like you change any of the technical content. This is where, you know, we screwed up a formula, or we put a typo in, or we phrased something so that it was ambiguous, and we do fixes. So that's going to be up, I think, probably in the next two or three months. And a big point here is we have these comment addresses, right? And this is true for all of our, all of our projects. You can send us comments even when we're not out for public comment, and we'll try to address them. Sometimes we can address them. If it's like a typo, we can address it quickly. If it's like, you're completely wrong, and this is broken, then it'll take a little while. But we'd like to hear comments even out of season, okay? The NIST beacon is a source of public randomness. It issues one signed, timestamped, hash chained random number every minute. There's a new format for it. The new format has lots of security features. It supports combining pulses from multiple beacons. Coincidentally, there are two other organizations that are running beacons and are going to be, they're planning to move to our protocol into our format, okay? And there's a white paper coming out on this very soon, and you can see the website. So if you want to come play with the NIST beacon, please do. Last thing I want to talk about is FIPS 186, the digital signature standard. This has been, you know, this is like the fifth revision of it, as you can tell from the number. It's going to be out for public comment soon. It's not out yet, but it will be soon. Some of the important points, EDDSA, deterministic ECDSA, RSA with big moduli. I don't know that we are including, like, Dan's post-quantum version, though, so. And all this stuff, so if you have comments, you know, basically pay attention and when it comes out, we'd love to hear from you. And that's all for this. Thanks. Why don't you stick around for a few more minutes? Okay. Hi. Well, I'm still John Kelsey. So, this is, I'm just giving you sort of an announcement of some work that I've been doing with Aish, who's here from UCSB, and then Dana and John, who are from University of Maryland, on two new hashing constructions. This is called Shape and Expand. The big goal here is just to make existing hash functions, stuff like SHA-2, more useful. So there's one construction for turning any hash function into a parallel hash. Another for making it variable length. Both of them have the same security as the underlying hash with the, you need to read the paper for the fine print. And both can be built on top of any hash function. And there's also a customization string for domain separation. And so there are security proofs here. We have a collision resistance. This is very straightforward. It's really easy to see that if you find a collision in one of these, it turns into a collision in the hash function. Based on having the right definition for pre-image attacks, you get pre-image resistance from, you get the thing where if you find a pre-image to shape, you have an algorithm for it, then you can use that to find a pre-image for the hash function, also for expand. And then we have indifferenceability proofs, assuming that the hash is a random oracle, and assuming the hash is Merkle-Damn-Garden, the compression function is a random oracle. So this is maybe worthwhile. There's obviously not enough time to go through and talk about this in detail. This is a picture shape, but if you really want to do it, you're going to look at the paper when it comes out. Expand is kind of interesting because it gives you random access to alarm-along strings. It's basically like a Zoff, but with random access, like shake, but with random access. So it's effectively every input string has a 2 to the 64 block output string, and then each call to expand lets you select one of those blocks, whichever one you want by an index. So I'm not going to talk about how it works because there's not enough time. Big plan here is we're going to try to do a special pub. We've also got a paper that we're working on, and we'll try to get the paper out relatively soon. And that's it. Thanks a lot.