IEEE P1363 Working Group for Public-Key Cryptography Standards
Meeting Minutes

Thursday, August 22, 2002
UCSB University Center – Flying A room, Santa Barbara, CA

Attendance:
William Whyte, NTRU (Chair)
Ari Singer, NTRU (Secretary)
David Jablon, Phoenix Technologies (Treasurer)
Wei Dai, Groove Networks
Pieter Kasselman, Baltimore Technologies
Kristin Lauter, Microsoft Research
David Kravitz
Pil Joong Lee, Postech
Roger Schlafly, Information Security Corporation
Jerry Solinas, NSA
Tatsuaki Okamoto, NTT
Byoungcheon Lee, Joongbu University
Rei Safavi-Naini, Univ. of Wollongong
Louis Goubin, Schlumberger Sema
Yuliang Zheng, UNC Charlotte
Burt Kaliski, RSA Laboratories (Teleconference)

Handouts:
March 2002 Meeting Minutes (unapproved)
Draft Agenda
P1363 Bylaws
July 2002 Teleconference Meeting Minutes
e-Motions summary

The meeting was called to order at 2:05 pm.

1. Overview of P1363 working group
==================================

William Whyte gave a summary of the P1363 working group history and current status.

2. Approval of agenda
=====================

Some discussion about voting rights. Since there have only been two working group meetings since the last Crypto meeting, those who attended more than half of the last Crypto meeting have voting rights at this meeting.

3. Presentations
================

3a. SFLASH - Louis Goubin

Main points: signature scheme, strong security, patent free, high speed, smart-card oriented, easy protection against side-channel attacks. Part of this work is an output of the project “Turbo-signatures”. Designed to have a security level of 2^80. Part of the family of “multivariate” public-key schemes; related to C* and the updated C*--. Available at www.cryptosystem.net/sflash or www.cryptonessie.org. It went to phase II of the NESSIE project.

The scheme uses a public function F and composes it on the left and right with multivariate affine functions s, t. A signature is 259 bits long: 37 field elements in GF(128), represented as 7 bits each. The secret parameters s and t are each 37x37 matrices, and there is an 80-bit secret value used to compute secret values in each signature (2.45 KB). The public key is a set of n (= 37) quadratic polynomials; however, only the first 26 are made public and checked, and the remaining 11 polynomials must be kept secret (15.4 KB). Pentium 500: 2.7 ms to sign, 0.8 ms to verify; key pair generation less than 1 second. About 22,000 bits must be generated to create the secret key.

3b. Updates on Signcryption - Yuliang Zheng

Three parts to the original signcryption proposal. It provides the functions of digital signature and public-key encryption at less cost than doing both individually. Public parameters: p, q, g (as in DSA) and G, H (one-way hash functions). Each party has public and private keys as in DSA. There are three different ways to generate the s value of the signature. New proofs written recently are more rigorous than the original 1997 proofs. Security assumptions: Gap DH for confidentiality and the standard DL problem for unforgeability.

There was some discussion about how an independent third party might verify that a signature is valid. There are many variations, including a more complex version that gives a zero-knowledge proof to the third party. The proof in the paper covers the fact that the same key is being used for both the signing operation and the decryption operation. However, if two different keys are used, one for signing and one for verifying, this portion of the proof would not be necessary. There have been some other developments in signcryption: parallel, ID-based, threshold.

Short break. Burt Kaliski called in at 4:00 pm.

4. P1363a Ballot comment resolution
===================================

Discussion about point compression techniques. Lauter suggested that we consider adding the DropY point compression technique.

MOTION 1: Add the DropY technique as an additional point representation method that does not distinguish between two points with the same X coordinate. Also add a reference in ECIES that this technique is another supported technique for point representation. This technique only encodes the X coordinate. The indication byte is chosen so as not to collide with any other first byte from EC2OSP. Proposed Schlafly, seconded Solinas. Passed unanimously.

Suspended meeting at 5:15 pm.

Thursday, August 22, 2002
UCSB University Center – Flying A room, Santa Barbara, CA

Attendance:
William Whyte, NTRU (Chair)
Ari Singer, NTRU (Secretary)
David Jablon, Phoenix Technologies (Treasurer)
Wei Dai, Groove Networks
Pieter Kasselman, Baltimore Technologies (morning only)
Pil Joong Lee, Postech (morning only)
Roger Schlafly, Information Security Corporation (morning only)
Kristin Lauter, Microsoft Research (morning only)
Tatsuaki Okamoto, NTT
David Kravitz (morning only)
Burt Kaliski, RSA Laboratories (Teleconference, morning only)
Daniel Brown, Certicom (Teleconference)
Tom Wu, Arcot (Teleconference, afternoon only)
Phil MacKenzie, Bell Labs (Teleconference, afternoon only)

5. Meeting minutes review
=========================

The group reviewed the meeting minutes from the Minneapolis meeting in March and the teleconference in May.

MOTION 2: Motion to approve both minutes. Proposed Singer, seconded Jablon. Passed by acclamation.

6. Officers report
==================

There are no special issues to report from the Chair. Singer stated that a new voter list will be made available before the next meeting. The minutes for the teleconference and the March meeting will be sent to Solinas to add to the web site. The e-Motions from the past year will be added to the meeting minutes for this meeting.
------------------------------------------------------------
IEEE P1363 E-MOTION 2001-6: Officer Elections

The candidates for the 5 IEEE P1363 WG offices are:
Chair: William Whyte
Vice Chair: Don Johnson
Secretary: Ari Singer
Treasurer: David Jablon
Primary Editor: David Stern

E-voting opens: Friday, September 28, 2001, 5:00 pm EST
E-voting closes: Monday, October 8, 2001, 5:00 pm EST

E-MOTION 2001-6 had the following vote count for officers:
Chair: William Whyte (10 votes)
Vice Chair: Don Johnson (10 votes)
Secretary: Ari Singer (10 votes)
Treasurer: David Jablon (10 votes)
Primary Editor: David Stern (10 votes)

Eligible voters casting votes on E-MOTION 2001-6: Brenner, Dai, Johnson, Kaliski, Kravitz, Lee, Lieman, Okazaki, Singer, Stern
------------------------------------------------------------
IEEE P1363 E-MOTION 2001-7:

The IEEE P1363 working group approves changing P1363a to reflect the amendments to EPOC circulated (via e-mail) by Tetsutaro Kobayashi on August 28th, 2001. The editor may implement this resolution subject to comment by the working group and verification by the chair, but without further vote.

Proposed: Satomi Okazaki
Seconded: William Whyte
E-voting opens: Monday, October 8, 2001, 5:00 pm EST
E-voting closes: Thursday, October 18, 2001, 5:00 pm EST

IEEE P1363 E-MOTION 2001-7 PASSED: 8-0-0
Eligible voters casting votes on E-MOTION 2001-7: Brenner, Dai, Kaliski, Kravitz, Lee, Okazaki, Singer, Whyte
------------------------------------------------------------
IEEE P1363 E-MOTION 2002-1:

The IEEE P1363 working group authorizes the editor to produce a revised draft of IEEE P1363a based on the proposed ballot response circulated by Burt Kaliski on May 14, 2002, and authorizes the chair to submit the revised draft for ballot recirculation, pending resolution of the point compression and security proof text issues. This motion allows for editorial changes and minor corrections to be made to the draft before recirculation without a re-vote.

This motion anticipates a separate vote or votes on the point compression issue, and a separate vote or votes on the security proof text issue. If after approval of this motion, major changes to P1363a, in addition to the changes mentioned above, are deemed necessary by the working group, this vote shall be voided and a new vote shall be required for the working group to submit the draft standard to ballot recirculation.

Proposed: Burt Kaliski
Seconded: Ari Singer
E-voting opens: Wednesday, May 22, 2002, 5:00 pm EST
E-voting closes: Saturday, June 1, 2002, 5:00 pm EST

IEEE P1363 E-MOTION 2002-1 PASSED: 8-0-0
Eligible voters casting votes on E-MOTION 2002-1: Brenner, Brown, Jablon, Johnson, Kaliski, Kravitz, Singer, Whyte
------------------------------------------------------------
IEEE P1363 E-MOTION 2002-2:

The IEEE P1363 working group will maintain the current point compression methods in IEEE Std 1363 / P1363a, and defer further consideration of point compression methods to future amendments (if any). The rationale is that alternate point compression methods are not yet sufficiently established, and should be studied as part of a new work effort. The chair is authorized to prepare a response to the ballot comment on point compression methods accordingly.

Proposed: Burt Kaliski
Seconded: Ari Singer
E-voting opens: Monday, June 10, 2002, 9:00 am EST
E-voting closes: Thursday, June 20, 2002, 9:00 am EST

IEEE P1363 E-MOTION 2002-2 FAILED: 3-8-0
Eligible voters casting votes on E-MOTION 2002-2: Bailey, Brenner, Brown, Dai, Jablon, Johnson, Kaliski, Kravitz, Lee, Singer, Whyte
------------------------------------------------------------
IEEE P1363 E-MOTION 2002-3:

The IEEE P1363 working group approves the following changes to P1363a:

* In DL/ECIES, rather than calling the EC2OSP primitive directly, call a "specified point representation method", where the method is a parameter of the scheme. EC2OSP would be mentioned as one example, but not required.
* Move EC2OSP back to the informative Annex E (i.e., reverse the previous changes that moved EC2OSP to Clause 5).

This motion does not require a new point compression method to be added to P1363a. It is anticipated that such a decision will be addressed by a separate vote or votes. The editor may implement this resolution subject to comment by the working group and verification by the chair, but without further vote. The chair is authorized to prepare a response to the ballot comment on point compression methods accordingly.

Proposed: Burt Kaliski
Seconded: Ari Singer
E-voting opens: Friday, August 9, 2002, 12:00 am EST
E-voting closes: Monday, August 19, 2002, 12:00 am EST

IEEE P1363 E-MOTION 2002-3 PASSED: 5-1-1
Eligible voters casting votes on E-MOTION 2002-3: Brenner, Brown, Jablon, Kaliski, Kravitz, Singer, Whyte
------------------------------------------------------------

7. Ballot comment resolution for P1363a (continued)
===================================================

Discussion about the e-mail from Kaliski about fixing the use of the word “proof” in the text. Some minor changes were made to the proposed text on the discussion of the security of EME1.

MOTION 3: Accept the proposed changes to address the ballot comment by Schlafly on security proofs. Proposed Schlafly, seconded Singer. Passed by acclamation.

Kaliski asked for assistance in updating the publication information of the references in P1363a. Two or three people were appointed as proofreaders for P1363 to make sure that the agreed-upon changes have been implemented correctly. Whyte and Schlafly will review P1363a to ensure that the changes from the votes and motions are correct. Kaliski will have a draft with everything except the still-open issues by the end of next week.

Discussion about point compression.
Dai suggested that DropY need not be mentioned explicitly: one could send the point as if it were a compressed point, and the sender and recipient could use the compression techniques or not, depending on the implementation. This would have the advantage that it would not break existing implementations that use point compression.

Schlafly clarified the reason for his comment. Three advantages to his proposal: it avoids the Certicom patents, the alternate methods are more efficient, and there is a gap in the point compression techniques for odd prime extension fields. Whyte stated that the patent issue is entirely speculative and is not appropriate discussion for an IEEE working group.

MOTION 4: Each elliptic curve point to octet string format will have its own primitive. The formats will be non-overlapping. All techniques will be normative and in clause 5. DropY is to be in a separate subclause from the non-lossy point compression techniques. ECIES “should” use a point representation method from clause 5. Proposed: Singer, no second.

MOTION 5: Motion to add the MSB technique, which may be used for binary and odd-characteristic extension fields as described in Roger’s e-mail of 6/19/02, not to replace any existing technique. Also, a note is to be added describing more efficient methods than computing FE2IP for performing the necessary comparisons. Proposed: Schlafly, seconded Dai. Passed without dissent.

MOTION 6: See motion 4. Proposed: Singer, seconded Dai. Vote: 8 for, 1 against. Motion passes.

MOTION 7: Proposed to add a note to the point representation section saying that the MSB representation method is more efficient and that the y/x method is left in for compatibility reasons only. Proposed: Schlafly, no second.

8. P1363.2 Discussion
=====================

Submissions have been closed on the P1363.2 draft. The techniques proposed are a superset of the ones that will ultimately be included in the draft standard. The PAK method updates have not yet been made. MacKenzie said that he would have the text done for that before the end of September. PAK-Z is an intended replacement for PAK-X.

The working group reviewed various portions of the draft. Wu had proposed a change in SRP3 that allows the value u2 to be the constant 1 for compatibility or 3 to avoid a known attack. This is being changed to having an RFC 2945 mode, which sets the value to 1; the value will be 3 otherwise.

Some discussion about where one puts key validation. If all of the schemes that use key validation techniques do it the same way, we may consider adding the key validation operation into the primitives themselves instead of specifying it in each scheme.

The group reviewed some of the rationale in Annex C. Before we define the rationale for what is in the standard, we should decide what we want the criteria to be. Jablon will look into creating a table similar to the one produced in the Stockholm meeting in 1999 to compare and contrast the different techniques. Other discussions ensued about the use of entropy, and some editorial changes were made.

9. P1363.1 Discussion
=====================

Submissions are still open for P1363.1. It would be good to close the submission period around the time of the next meeting in November. Looking to have a draft that will be ready for the first ballot approximately 6 months after the close of the submission period. This time frame assumes there are not a large number of additional techniques submitted to the working group. The only scheme as of now that has been officially submitted is NTRUEncrypt, so it is not expected that there will be a large number of schemes included in the standard.

Whyte gave a presentation on the recent results regarding the provability of the padding scheme for NTRUEncrypt. There was some discussion about a new padding scheme that may be added to P1363.1 that satisfies the provability bounds.

10. Discussion of future P1363 WG Efforts
=========================================

We would like to encourage more presentations to the working group on new works in public-key cryptography. These presentations are a somewhat unique feature of P1363 working group meetings. There is a plan to have a meeting in the November timeframe in the Boston area.

The following people were counted as having officially attended this meeting for voting purposes: Daniel Brown, Wei Dai, Louis Goubin, David Jablon, Burt Kaliski, Pieter Kasselman, David Kravitz, Kristin Lauter, Byoungcheon Lee, Pil Joong Lee, Phil MacKenzie, Tatsuaki Okamoto, Rei Safavi-Naini, Roger Schlafly, Ari Singer, Jerry Solinas, William Whyte, Tom Wu, Yuliang Zheng

Meeting adjourned 5:00 pm.
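Added illustration (not part of the minutes, and not P1363 or P1363a draft text) of the point representation question debated under items 4 and 7: a lossy X-only form like DropY cannot distinguish a point from its negative, its indication byte must not collide with any EC2OSP first byte, and a receiver that only uses the X coordinate of the shared point (as ECIES does) gets the same result either way. The curve over GF(23) is constructed for the example, the function names `ec2osp`/`os2ecp` merely echo the names used in the minutes, `decodes` and `derive_x` are hypothetical helpers, and the 0x01 tag for the X-only form is an assumption made here only because it collides with none of the EC2OSP values; the tag chosen for the draft is not stated in the minutes.

```python
# Added toy example (not P1363/P1363a code): EC point <-> octet string in
# uncompressed, compressed, hybrid and lossy X-only (DropY-style) forms.

# Constructed curve y^2 = x^3 + A*x + B over GF(P); P % 4 == 3 makes a
# modular square root a single exponentiation.
P, A, B = 23, 1, 1
FE_LEN = (P.bit_length() + 7) // 8  # octets per field element

# EC2OSP indication bytes: 0x00 infinity, 0x02/0x03 compressed, 0x04
# uncompressed, 0x06/0x07 hybrid. The X-only tag 0x01 is an ASSUMPTION made
# here only because it collides with none of these.
INFINITY, X_ONLY, COMPRESSED, UNCOMPRESSED, HYBRID = 0x00, 0x01, 0x02, 0x04, 0x06

def on_curve(pt):
    if pt is None:
        return True  # point at infinity
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def sqrt_mod_p(v):
    """Square root mod P (P = 3 mod 4); None if v is a non-residue."""
    r = pow(v % P, (P + 1) // 4, P)
    return r if (r * r - v) % P == 0 else None

def neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)

def add(p1, p2):
    """Affine group law; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (toy; not side-channel hardened)."""
    acc = None
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def ec2osp(pt, form):
    """Encode as 'uncompressed', 'compressed', 'hybrid' or 'x_only'."""
    if pt is None:
        return bytes([INFINITY])
    x, y = pt
    xo, yo = x.to_bytes(FE_LEN, "big"), y.to_bytes(FE_LEN, "big")
    if form == "uncompressed":
        return bytes([UNCOMPRESSED]) + xo + yo
    if form == "hybrid":
        return bytes([HYBRID | (y & 1)]) + xo + yo
    if form == "compressed":
        return bytes([COMPRESSED | (y & 1)]) + xo
    if form == "x_only":
        return bytes([X_ONLY]) + xo  # lossy: P and -P encode identically
    raise ValueError("unknown form %r" % form)

def os2ecp(octets):
    """Decode any form, checking length, range, parity and curve membership.
    X-only input yields the root with even Y, i.e. either P or -P."""
    tag, body = octets[0], octets[1:]
    if tag == INFINITY:
        if body:
            raise ValueError("trailing octets after infinity tag")
        return None
    if tag in (UNCOMPRESSED, HYBRID, HYBRID | 1):
        if len(body) != 2 * FE_LEN:
            raise ValueError("bad length")
        x, y = int.from_bytes(body[:FE_LEN], "big"), int.from_bytes(body[FE_LEN:], "big")
        if tag != UNCOMPRESSED and (y & 1) != (tag & 1):
            raise ValueError("hybrid parity bit disagrees with Y")
    elif tag in (COMPRESSED, COMPRESSED | 1, X_ONLY):
        if len(body) != FE_LEN:
            raise ValueError("bad length")
        x = int.from_bytes(body, "big")
        y = sqrt_mod_p(x ** 3 + A * x + B) if x < P else None
        if y is None:
            raise ValueError("X is not the abscissa of any curve point")
        want = 0 if tag == X_ONLY else tag & 1
        if y != 0 and (y & 1) != want:
            y = P - y  # P is odd, so this flips the parity
        if (y & 1) != want:
            raise ValueError("no point with the requested Y parity at this X")
    else:
        raise ValueError("unknown indication byte 0x%02x" % tag)
    if x >= P or y >= P or not on_curve((x, y)):
        raise ValueError("not a point on the curve")
    return (x, y)

def decodes(octets):
    """True when the octet string is a valid encoding in some supported form."""
    try:
        os2ecp(octets)
        return True
    except ValueError:
        return False

def derive_x(d, encoded):
    """X-coordinate of d*Q with Q decoded from any form: the value an ECIES-style
    key derivation consumes, identical whether the decoder picked Q or -Q."""
    return mul(d, os2ecp(encoded))[0]
```

Because the tags are disjoint, a decoder can accept every form from a single first byte, which is what Dai's suggestion relies on; and because `derive_x` depends only on the X coordinate of `d*Q`, the X-only form is adequate for ECIES even though it loses the sign of Y. Note that `os2ecp` refuses encodings whose X is not on the curve, the kind of key validation the P1363.2 discussion considers folding into the primitives themselves.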