IEEE P1363 Meeting Minutes
January 9, 2003

Attendees:
David Jablon, Phoenix Technologies, Treasurer*
Ari Singer, NTRU, Secretary*
William Whyte, NTRU, Chair*
Mike Brenner, MITRE (Teleconference)*
Dan Brown, Certicom*
Nicolas Courtois, Schlumberger Sema
Burt Kaliski, RSA Laboratories (Teleconference)
Jean Monnerat, EPFL
Rich Schroeppel, Sandia (Teleconference, morning only)
Phil MacKenzie, (Teleconference, afternoon only)*

Agenda: Thursday, January 9, 2003

The meeting was opened at 9:12 a.m. EST.

9.00: Welcome and overview of group status

Whyte gave a brief summary of the history of the P1363 WG and its current status.

9.15: Officers' reports

We have about $200 in the bank, $200 in "accounts receivable" and no obligations.

The following e-votes have been taken since the last meeting:

-------------------------------------------------------------
IEEE P1363 E-MOTION 2002-4:

The IEEE P1363 working group authorizes the additional changes outlined below to IEEE P1363a beyond those already approved in E-MOTIONs 2002-1 and 2002-2 and at the August 2002 working group meeting, and authorizes the chair to submit a draft implementing these changes for a recirculation ballot. Minor editorial changes and updates to Annex G may be made if needed at the chair's discretion without further vote.
(see e-mail from William Whyte announcing the vote on October 24, 2002 for details of changes)

Proposed: Burt Kaliski
Seconded: Roger Schlafly
E-voting opens: Friday, October 25th, 2002, 9:00 am EST
E-voting closes: Monday, November 4th, 2002, 9:00 am EST

IEEE P1363 E-MOTION 2002-4 PASSED: 9-0-0
Eligible voters casting votes on E-MOTION 2002-4: Dai, Jablon, Johnson, Kaliski, Kravitz, Lee, Schlafly, Singer, Whyte
-------------------------------------------------------------
IEEE P1363 E-MOTION 2002-5:

The IEEE P1363 working group authorizes the additional changes outlined below to IEEE P1363a beyond those already approved in E-MOTIONs 2002-1, 2002-2, and 2000-4 and at the August 2002 working group meeting, and authorizes the chair to submit a draft implementing these changes for a recirculation ballot. Minor editorial changes and updates to Annex G may be made if needed at the chair's discretion without further vote.
(see e-mail from William Whyte announcing the vote on November 26, 2002 for details of changes)

Proposed: Burt Kaliski
Seconded: William Whyte
E-voting opens: Wednesday, November 27th, 2002, 9:00 am EST
E-voting closes: Saturday, December 7th, 2002, 9:00 am EST

IEEE P1363 E-MOTION 2002-5 PASSED: 8-0-0
Eligible voters casting votes on E-MOTION 2002-5: Dai, Johnson, Kaliski, Kravitz, Lee, Schlafly, Singer, Whyte
-------------------------------------------------------------

9.30: Presentations

- 9.30: Nicolas Courtois, SFLASH

Signature scheme designed to be implemented on smart cards.
Not believed to be patented; the patent expired and was not extended.
SFLASH v2 progressed to the second stage of the NESSIE project in October 2001.
There are no known attacks that require less than 2^80 effort.
Described a new implementation method for SFLASH that raises values to the powers 128 and 128^7; together with other speed-ups, this gives a speed-up of more than 10 times over the square-and-multiply method.
Described DPA protection with random masking that is removed at the last step.
Claimed to be the fastest signature scheme known without a co-processor.
The public key is on the order of 15K.

- 10.00: Nicolas Courtois, GPS

Paper from Girault, Poupard and Stern. On-the-fly public-key authentication with a low-cost smart card, designed for contactless smart cards.
1991: self-certified public keys described by Girault.
1998: GPS was introduced by Poupard and Stern.
2000: Submitted to NESSIE.
Based on the security of the discrete logarithm of a random value over an RSA modulus with small exponent.
Statistically zero-knowledge authentication with certain choices of parameter size.
GPS "coupons" can be pre-computed. The prover then only needs to store the random value and the hash of the commitment (coupon).
Can be used as a signature scheme.
Tradeoffs can be made between the size of the challenges (and hence the computational cost) and the underlying security.
RAND licensing available.

- 10.30: Jean Monnerat, The Security of DSA and ECDSA Bypassing the Standard Elliptic Curve Certification Scheme

Results by Serge Vaudenay.
Reviewed the basic model for using DSA and ECDSA, pointing out the need to generate parameters deterministically from a random seed.
If only the j-invariant is checked, the twist of the elliptic curve, which is not isomorphic, will still be accepted under the validation process.
Discussed ways to generate c at the wrong time.

- 11.00: Break

- 11.15: John Malone-Lee, TBOS-RSA: Signcryption using RSA

Postponed to Friday.

- 11.45: Dan Brown, Validation of Elliptic Curve Public Keys

Described an attack on one-pass ECDH and other schemes such as ECIES when public-key validation is not performed. This applies to situations in which an ephemeral key is combined with a static private key. The attack works on ECMQV if you can get a CA to certify an invalid public key.
A variant of the attack can also work on compressed points if you do not check for x coordinates with no valid y coordinate: the decompression operations then produce a "false" y coordinate that lies on an elliptic curve other than the specified one.
There was some discussion about whether the security considerations and requirements in 1363-2000 and P1363a are strong enough.

12.15: Lunch

13.30: 1363a review

Kaliski reviewed the current status of P1363a. We are in the midst of a 10-day re-circulation that ends on January 15, 2003.
The group discussed the key validation attack on elliptic curves as it applies to P1363a. Although there was no comment on the first letter ballot on this issue, it appears that the text in D.5.1.6 does not adequately express the manner and severity of possible attacks when key validation is not performed. A comment may be input in the current re-circulation ballot by one or more of the working group members to indicate that changes should be made in this informative section to more clearly describe the attacks presented by Brown this morning.

14.00: 1363.2

- review related ISO/IEC work

Jablon distributed copies of the ISO/IEC JTC 1/SC 27 N 3382 and 3397 documents, which describe a parallel effort for key establishment mechanisms based on weak secrets. Comments are encouraged to both ISO and P1363 for recommendations for either document.

- discuss AMP update

The group believes that there is an attack, which may be fixable, on the updated AMP. This will be passed along to the submitter. In addition, it appears that the server's check is not sufficient to prevent the 2-for-1 guessing. It appears that this may be solved by multiplying by the cofactor.

- Draft D7 review

-- alignment with SVDP-DH & DHC

The group discussed whether the key validation in P1363.2 is sufficient based on the recent attacks. An effort will be made to be consistent with new changes to P1363a if applicable.
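The checks that Brown's attack and the P1363a/P1363.2 key validation discussion above call for, as an added example that is not from the minutes or from any P1363 draft: a full public-key validation routine (infinity, range, on-curve, order) and a decompression routine that refuses x coordinates with no valid y. secp256k1 is an assumption here, used only as a convenient real prime-order curve; it does not appear in the minutes.

```python
# Added example (not from the minutes or any P1363 draft): EC public-key
# validation and the compressed-point check, using secp256k1 (cofactor 1).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity
def add(p1, p2):
    """Affine group law; only meaningful for points that lie on the curve."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)
def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def validate_public_key(q):
    """Reject infinity, out-of-range or off-curve points, and points of wrong order."""
    if q is INF:
        return False
    x, y = q
    if not (0 <= x < P and 0 <= y < P):
        return False
    if (y * y - (x ** 3 + A * x + B)) % P != 0:  # the invalid-curve check
        return False
    return mul(N, q) is INF  # with cofactor 1 this is the full order check

def decompress(x, y_parity):
    """Recover (x, y) from a compressed point, or None when x^3+Ax+B is a
    non-residue mod P: then no y exists on this curve, and a "false" y would
    put the point on a twist. Uses the P = 3 (mod 4) square-root shortcut."""
    rhs = (x ** 3 + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)
    if y * y % P != rhs:
        return None
    return (x, y if y % 2 == y_parity else P - y)
```

A receiver that runs decompress and then validate_public_key on every received point rejects both the off-curve points Brown described and the x coordinates with no valid y.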
The group discussed whether primitives check whether their inputs are valid or not. It is unclear what a primitive will do with invalid inputs. Text may be added to better specify how primitives and schemes handle invalid inputs. The SVDP-DHA primitive will be modified to remove all of the options for cofactor multiplication and key validation, because these are basically redundant given our understanding of how invalid inputs are handled.

-- key confirmation steps

There was a discussion on the lengths of the various inputs into the KCF1 function. It is unclear at this point what the best instantiation of this function is.

17.00: Close.

The meeting suspended for the day at 17.05.

Friday, January 10, 2003

Attendees:
David Jablon, Phoenix Technologies, Treasurer
Ari Singer, NTRU, Secretary
William Whyte, NTRU, Chair
Mike Brenner, MITRE (Teleconference)
John Malone-Lee, University of Bristol/Hewlett-Packard
Phil MacKenzie, (Teleconference)

9.00: Presentations (cont.)

- John Malone-Lee, TBOS-RSA: Signcryption using RSA

TBOS-RSA (Two Birds One Stone - RSA) is joint work with Wenbo Mao. The basic principle is that a short message is padded using hashes, then signed with message recovery (using PSS) with one private key, and the result is encrypted with another public key. The short message can either be the full message or a symmetric key that is used to encrypt the actual message.
Some of the claimed properties of this scheme include a compact result (the length of one RSA modulus); the signature can be extracted and used for non-repudiation; the signature does not reveal information about the encrypted value (as would be the case for signing and encrypting separately); and an attacker cannot replace the signature portion with its own signature without knowing the message.

09.55: Minutes of teleconference reviewed.

The teleconference minutes will be sent to the attendees of the teleconference and reviewed there.

10.00: 1363.2 continued

-- edits to PAK, AMP, SRP*

The EC and DL cases were combined wherever possible in the schemes. Steps were added for the server to send a proof-of-knowledge of the shared secret to the client, and the client must verify the proof-of-knowledge.
The group agreed to add a check in {DL-EC}BPKAS-PAK for the client to check that the received public key is in the parent group. This ensures that the input to the SVDP-DH(A or C) primitive is valid.

- method comparison table

The group discussed whether the style and categories of the method comparison table were correct. For client and server load, the values seem reasonable. There are some inequalities of computational load that can be expanded upon, and there may be additional assumptions about what would be done to improve efficiency. Pre-computation may be an item to add to the table.
The plan is to attempt to make initial decisions for inclusion (and exclusion) in the April timeframe at a physical meeting. Jablon will send a call to the list for participants to review the table for any changes that need to be made before the April meeting.

11.00: 1363.1

There is additional investigation going on in relation to the NTRUEncrypt algorithm. The NTRUSign paper has been accepted for publication.
Whyte will follow up with the authors of a paper presented at PKC 2003 on a lattice-based public-key cryptosystem.
The group is anticipating new submissions to P1363.1 in the coming months.

11.30: Registry and future of group

- Bylaws amendments

The group discussed making changes to the Bylaws. The group agreed that we should propose to the voters that teleconference meetings may count toward membership. There should be a distinction between meetings that count toward membership and those that don't.
Whyte suggested that the group will have a vote to remove David Stern as Primary Editor of the group for cause, the group having been unable to contact him for an extended period of time.

- Registry and P1363b

The latest idea with respect to the registry is that the working group could maintain the registry as a means to clean up the "inbox" of the working group and additionally structure the mechanism by which the group reviews techniques.
It appears that the group might look into proposing a P1363.3 document that would include additional public-key related techniques that are not covered in the other standards. During the process of generating P1363.3, the working group would maintain the registry as a working group document for ease of review and analysis of techniques. This may temporarily replace the need for an immediate P1363b project. Whyte will investigate if there is interest in the community for such a project.

12.15: AOB

12.30: Adjourn

The following people were counted as having officially attended this meeting for voting purposes: Mike Brenner, Daniel Brown, David Jablon, Phil MacKenzie, Ari Singer, William Whyte

The meeting adjourned at 12.42.