IEEE P1363 Study Group for Future Public-Key Cryptography Standards
Thursday, August 24, 2000
Flying A Studio meeting room, University Center, UCSB, Santa Barbara, CA.

MINUTES

Handouts:
- Agenda
- May 2000 Study Group Meeting Summary
- May 2000 Study Group Meeting Minutes
- Proposed Purpose and Scope of IEEE P1363.1
- P1363.2 Preliminary Outline
- Sample PAR form

In attendance:
- Ari Singer, NTRU (chair, P1363 working group)
- Don Johnson, Certicom (vice chair, P1363 working group)
- Dan Lieman, NTRU (treasurer, P1363 working group)
- William Whyte, Baltimore (secretary, P1363 working group)
- Dan Bailey, WPI
- Lucien Dancanet, Citigroup
- Whitfield Diffie, Sun Microsystems
- Craig Gentry, DoCoMo
- David Jablon, Integrity Sciences (by phone)
- Gurgen Khachatryan, Cylink
- David Kravitz, Wave Systems Corp.
- Yann Loisel, SCM
- Satomi Okazaki, NTT MCL
- Leo Reyzin, MIT/RSA Security
- Allen Roginsky, IBM
- Roger Schlafly, Information Security Corp.
- Jerry Solinas, NSA
- David Sowinski, Information Security Corp.
- Dave Stern, Intel
- Janusz Szmidt, Warsaw University
- Tom Wu, Arcot

The meeting started at 2.07.

1. Introduction of study group and working group

Singer introduced the study group. The working group has existed since 1994 and has standardized techniques using the Discrete Log, Elliptic Curve Discrete Log, and Integer Factorization techniques. In 1997, in the interests of locking down the original document, we split the established techniques from the less established techniques and finalized the 1363 standard, containing the established techniques, which will be published tomorrow. Over the last year we've become aware that some of the newly submitted techniques don't fit inside the classifications that we've used in the previous document, so we set up the study group to investigate the possibility of putting these additional techniques into extra documents.

The study group is distinct from the working group. Everyone at the study group is a voting member.
To be a voting member of the working group you have to fulfill certain attendance requirements. The meeting fees will be $30 per half-day to cover the room.

2. Establish meeting goals and guidelines

The chair would like to have votes on the P1363.1 and P1363.2 PARs.

3. Update on status of Study Group with sponsor

Singer spoke with Don Wright about the group. He told Don about the two outstanding PARs, and that the registry idea is still under discussion. Under IEEE rules a study group can normally only exist for six months, and must then submit a PAR to the IEEE. Don has extended our lifetime to March 2001.

Singer went through the PAR form. His understanding is that the P1363 working group is allowed to take on the additional projects, and that it is appropriate and usual for the Working Group Chair to be the official reporter on the individual projects. All the projects will be sponsored by the Microprocessor Standards Committee. The final PAR submission deadline of the year is October 27th.

4. Approve Agenda

Proposed: Reyzin. Seconded: Dancanet. Passed by massed enthusiasm.

5. Approval of May minutes

Singer has been looking at the IEEE guidelines for minutes. According to the guidelines, speakers at meetings shouldn't be identified by name. The feeling of the meeting was that the current style of the minutes is acceptable.

Matters arising:
* There was no teleconference.
* Bailey said that XTR is a slight variation on the odd characteristic extension field that's now in P1363a. He wrote that section of P1363a so that XTR would be easily supported.

Motion: Adopt amended minutes. Proposed Lieman, seconded Reyzin. Passed by acclamation.

Motion: Adopt meeting summary. Proposed Whyte, seconded Lieman. Passed by acclamation.

6. Discussions about Project Authorization Requests

6a) P1363.1: Specifications for Lattice-Based Public-Key Cryptographic Techniques

Lieman presented the PAR for P1363.1 and the associated strawman document.
Per Burt Kaliski's suggestion last time, 1363.1 is restricted to lattice-based techniques. This should give a manageable document. There are other techniques, such as those using non-abelian braid groups, which are not going to be included in this document.

Comments on the strawman document:
* Lieman identified Annex F, "Comparison of Cryptographic Schemes", as a new feature of P1363.1 compared to P1363. The idea comes from discussions of the value add from a registry: that we should be able to make fair statements comparing things. The annex would be informative, not normative, and qualitative, not quantitative. The working group needs to investigate what this might comprise. Kravitz wondered if this aim should be included in the scope or purpose of the PAR. Lieman considered it to be a bonus feature which wouldn't necessarily survive the standardization process, and so shouldn't be part of the scope or purpose.
* In section 5, we should say "... scheme conventions", not "schemes".
* We need a bibliography (an Annex G).
* Johnson suggested calling the NTRU family the "shortest vector family".
* Is NTRU trademarked?
* "Authentication" should be "Identification".

Comments on the PAR:

Scope and purpose: Reyzin queried the use of the term "second-generation".

The group recommended that the form be filled in as follows (apart from the scope and purpose, already discussed):
   4. The document is a "Standard for". Title: as given in PAR. Name of Working Group: IEEE P1363 Working Group. Official Reporter: Ari Singer (as working group chair). Sponsoring Society/Committee: Microprocessors Group.
   5. Type of Project: New Standard
   6. Life Cycle: Full Standard
   7. Individual Sponsor Balloting.
   8. Completion Date: 2003
   11. IP: Yes to everything.
   12. No
   13. Don't know
   14. No
   15. No requested coordination
   16. No extra notes.

Motion: Approve PAR. Proposed Lieman, seconded Kravitz. Passed 15 for, 1 against, 3 abstentions.
Tomorrow, when we have been transformed into the working group, we will vote on whether the WG will take the standard proposed to it by the SG.

6b) P1363.2: Specifications for Public-Key Cryptography: Password-Based Techniques

Jablon presented on the PB-AKE PAR by phone.

Comments on the PAR:

The study group suggested several changes to the PAR.

Purpose:
* Change "Insuring" to "Ensuring".
* Add "off-line" before "brute-force attacks".
* Change "authentication" to "identification".
* Remove "as described in P1363 and P1363a".
* In second paragraph, change "safely" to "securely".
* In third paragraph, change "relevant" to "appropriate".

We discussed the strawman document. We discussed what the strawman document [and the PAR] meant by referring to a "protocol". Jablon characterized it as using the output of one scheme as the input to another, in a context where there is more than one possible flow. We should handle the case where, for example, a malicious attacker manages to get one party to abort the protocol.

There was a request that Jablon attempt to use terms other than "symmetric" and "asymmetric" to describe the trust model language. Whyte suggested considering the client protocol general model and the server protocol general model separately.

There is a typo in section 9.2, first paragraph: ECSTKA for ECSPBKA.

We went through the PAR form.
   4. The document is a "Standard for". Title: as given in PAR. Name of Working Group: IEEE P1363 Working Group. Official Reporter: Ari Singer (as working group chair). Sponsoring Society/Committee: Microprocessors Group.
   5. Type of Project: New Standard
   6. Life Cycle: Full Standard
   7. Individual Sponsor Balloting.
   8. Completion Date: 2003
   11. IP: Yes to everything.
   12. No
   13. Don't know
   14. No
   15. No requested coordination
   16. No extra notes.

Motion: Approve amended PAR. Proposed Dancanet, seconded Whyte. Passed 15 - 0 - 0.

7. Discussion about registry project

Singer reviewed the registry concept.
The registry would require two standards: a process one which describes how the registry oversight committee would oversee the maintenance and evolution of the registry, and a format document which outlines how submissions to the registry should be formatted.

Stern had put together a set of slides to promote discussion on the registry. Relationships between techniques could be documented using message diagrams, graphs to demonstrate relations between schemes and primitives, maybe things like spi calculus. He suggested an XML-like syntax for recording metadata about techniques in the registry. He also suggested splitting responsibility for content and process.

The registry can include extra mathematical techniques; we've talked about it in terms of schemes and primitives up till now because that's the way the discussion's gone.

Solinas suggested that we should consider whether the registry is there as a service to people who missed the deadlines for the earlier standards, or as a repository for implementation information for people implementing the earlier standards.

Singer gave a presentation on issues the study group should consider:
- Will the working group serve as the registry board for a registry of an array of public-key techniques? (Schemes, protocols, number-theoretic techniques)
- What will be the cut-off point for techniques NOT to be included in the registry?
- What will the community gain from the registry?
   - clear presentation of techniques
   - easy to compare techniques
   - reduces burden on editor
- What are the problems with the registry?
   - lot of work to standardize techniques
   - not enough interest to do the work
   - difficult to maintain; need to update relationships between techniques
- Is this the right group to do the process document?
- Can we handle doing process and format?
- Who would the audience be?
- Is the goal to specify everything or just the ones we think are "good enough"?
Reyzin sees the registry as an excellent way of moving techniques from Springer to a more general availability. Many academic papers don't specify a technique precisely enough to implement it.

Solinas suggested that the registry would work better if it was accessible to non-IEEE members. Singer will investigate with our sponsor what arrangements we can make for non-IEEE members to have access to it.

Solinas suggested that the registry should include test vectors.

Reyzin would like someone to put together an estimate of how much work the registry will actually be to maintain.

9. Plan future work of the study group

Singer reviewed action items:
- P1363.1: Singer will put together PAR in electronic form, submit it to mailing list, then submit to our sponsors. (Note: anyone in the Study Group can call an e-vote.)
- P1363.2: Jablon will put together PAR in electronic form, and Singer will submit it.
- Registry: Singer and Stern to assemble further study material. Singer to talk to IEEE about the registry: availability to public, voting method.

10. Adjourn study group

Motion: Adjourn. Proposed Bailey, seconded Stern. All done!