IEEE P1363 Teleconference Meeting Minutes
December 11, 2002

Attendees:
Mike Brenner, MITRE
David Jablon, Phoenix Technologies
Kristin Lauter, Microsoft Research
Ari Singer, NTRU
William Whyte, NTRU
Burt Kaliski, RSA Laboratories
Tom Wu, Arcot
Philip MacKenzie, Bell Labs

14.10: Officers' reports

Chair: Applied for a 2-year extension for P1363a.

Secretary: Minutes for various meetings will be posted soon. Votes will not be taken to approve.

The group has been unable to get in touch with the Primary Editor, David Stern. We may entertain an electronic vote to change Primary Editors after the January meeting if we are unable to contact him before then.

14.15: Preview of January meeting

The next P1363 WG meeting will be January 9-10, 2003, after PKC '03 in Miami. Several presentations have been set up for the meeting.

14.20: 1363a update

An e-vote (E-MOTION 2002-5) to approve moving P1363a to a re-circulation sponsor ballot recently closed. The plan is to request a 10-day re-circulation, as there were only 3 no votes on the initial ballot and it is anticipated that all of the no voters have had their issues adequately addressed. Unless one of the algorithms in P1363a is seriously flawed, the preference of the group is to push on toward completion. Some of the recent edits may improve the standard, but it may be more appropriate to defer these comments to the next revision of the standard if they prove too complicated or too technical to change now.

14.35: Braid groups update (Mike Brenner)

Brenner has been pursuing avenues of studying the time linearity of a braid group-based key agreement protocol invented by Arithmetica. There appear to be some "weak" keys, but they can be detected. After some limited initial testing, it appears that the speed of this protocol may be comparable to Diffie-Hellman. There is some reason to believe that braid group cryptography may not be susceptible to quantum computer attacks.

The method for getting the algorithm to run in linear time is currently not public information; it is only available under NDA from Arithmetica. U.S. Patent #6,493,499 was awarded to Arithmetica for this method.

Q. How big were the keys used in the test?
A. The comparison was a 320-bit subgroup in a 2048-bit DSA group vs. 112 strands with p=251. A braid group public key in this case is 320 crossings of 112 strands, which corresponds to perhaps 1200 bytes or so.

Q. How does security scale with key size?
A. Not a trivial question to answer. It appears that there are groups of keys where breaking a key is linear, whereas other types of keys seem to have exponentially hard breaking times.

14.35: 1363.1 update (William Whyte)

At the Crypto meeting last year, an attack model was proposed showing that the provable security of certain NTRUEncrypt parameters was bounded above by half the size of the number of random bits added. There will be a presentation on this at the January meeting. There is also going to be a presentation discussing the security of NTRUSign at that meeting.

14.45: 1363.2 (David Jablon)

- Grid of proposed techniques
- Identify criteria to be used in assessing techniques
- Populate grid by filling in properties of proposed techniques

The group went through the columns in the grid put together by Jablon for comparing P1363.2 submissions.

Publication data – First known presentation of the technique. This is intended to give people a sense of how much review the technique has received. The earliest date is included along with dates of updates for any recent changes.

Augmented – Augmented scheme or balanced scheme. This column will be removed, since the property is intrinsic in the algorithms.

Client/Server load – Estimated work factor measured (approximately) in number of DH exponentiations. Will be updated to take into account subgroup size differences, EC differences and pre-computation. Jablon will request that submitters inform him of pre-computation possibilities in their techniques.

Proofs/analysis – Availability of research papers with claimed proofs of security. Will be extended if necessary to include tightness of reduction.

Assumptions – Extra information that may be relevant for the technique. May be merged with the proofs column.

Limitations – Primarily includes information about whether 2-for-1 attacks are applicable and whether there are restrictions on ordering (when the client or server commits).

Asserted patents – Indicates whether any entities have publicly stated that they own intellectual property that may be required to implement the algorithm. This is informative only and should not be used as a criterion for selecting a technique for inclusion in the standard.

Use – Whether it is currently deployed or available in a commercially available product or toolkit.

Other considerations – Self-explanatory.

- Discuss recent updates to methods
- Decide definitive list of submissions
- Review contents of recent updates

Phil MacKenzie summarized the PAK submission. The submission recommends replacing PAK-X with PAK-Z.

Tom Wu described his paper on improvements to SRP (SRP-6).

Jablon began the description of the submission by Taekyoung Kwon on AMP, but due to time constraints this will be deferred to January.

Jablon spoke to Chris Mitchell about ISO work relating to password-based public-key techniques. Responsibility for this effort has been transferred to Li Dong Chen. This will be discussed in January as well.

There was a paper from Northeastern that described an RSA-based password protocol designed to work in smart card environments; it takes advantage of the relative efficiency of the public-key operations in contrast to operations using the private key.

16.00: Bylaws amendment discussion

- Fill in on proposed amendments
- Amendments to be put to an e-vote following the January physical meeting
- Bylaws at http://grouper.ieee.org/groups/1363/WorkingGroup/bylaws.html

Whyte is considering recommending, after the next meeting, a change to the bylaws to allow teleconferences to be counted toward group membership. Votes will probably not be taken at teleconference meetings.

16.10: Registry discussion

- Following the document http://grouper.ieee.org/groups/1363/WorkingGroup/presentations/P1363-Registry-Ideas-2002-12-10.ps

Whyte summarized the document recently posted on the web site regarding ideas relating to the registry. The feeling is that the registry may be valuable to give a home to techniques that don't fit into the current P1363 documents. It is also expected that it will be faster to get techniques published. The working group would likely play the role of making sanity checks for any obvious security flaws and checking that the submission is complete and in the correct form.

16.30: Wind up

The meeting was adjourned at 16.25.