IEEE P1363 Teleconference Meeting Minutes
Thursday March 20, 2003

Attendees:
Mike Brenner, MITRE
Dan Brown, Certicom
Wei Dai, Groove Networks
Florian Hess, University of Bristol
David Jablon, Phoenix Technologies
Burt Kaliski, RSA Security
Phil MacKenzie, Lucent Technologies
Roger Schlafly, Information Security Corporation
Ari Singer, NTRU
William Whyte, NTRU

The meeting commenced at 2.05 pm EST.

1. Officer reports

- Chair
Motions will be discussed later. Three e-motions have been passed since the previous meeting.
1) Remove David Stern as primary editor - Passed
2) Vote on changes to P1363a - Passed
3) Vote to amend bylaws to count teleconference meetings as official meetings for voting purposes - Passed
There will be a charge of $15 per person for the call. This teleconference will not count as an official WG meeting as the bylaw change was not yet in effect.
Whyte intends to appoint Brenner as Primary Editor. This will be subject to an automatic e-vote.

- Treasurer
We are still in the black by a small amount.

- Secretary
Meeting minutes up to the January 2003 minutes have been posted. Most of the minutes have gone through a review process by attendees, but not all. Members are encouraged to send recommended changes to the Secretary or to the list. These changes will be incorporated into the minutes as needed and the revised minutes will be posted online. In the future, the group will not be reviewing previous minutes during the meetings.

2. 1363a Ballot Resolution
Last sponsor ballot passed unanimously. We expect the same in the future.

- Results of E-Motion 2003-2
This motion passed and Kaliski is working to incorporate all of the changes described in the motion.

- Outstanding issues: Weil Pairing algorithm
The Weil Pairing algorithm may be used during the process of verifying cofactors (e.g. to be sure that you have the correct group structure). There may be other uses for it as well. There are four issues remaining to discuss on the Weil Pairing algorithm.
1) One of the underlying functions may be called with the point-at-infinity as an input. Changes are available to make this work properly for the point-at-infinity.
2) Updates should be straightforward to add odd-characteristic extension fields.
3) Remove awkwardness in the algorithm. Without the changes proposed by Mike Scott, it may not be fully correct.
4) The use of inverses. These seem to be described differently in different sources, so we may not want to make any changes that would break existing implementations.
The plan is to make some proposed changes and send them to the group for an e-vote.

- Next Steps
After the Weil Pairing changes are accepted and the agreed-upon changes to the draft have been made, we will be able to send P1363a back to the ballot body. Kaliski may also add the list of contributors to the document while we wait for all of the procedural issues to complete.

3. P1363.1 Update

- Recent results against NTRUEncrypt
John Proos at the University of Waterloo published an attack against the NTRUEncrypt scheme on the e-print archive. This attack takes advantage of the possibility of decryption failures with certain parameter sets. Sufficiently many decryption failures allow an attacker to recover the private key. Similar results were published by various other researchers including Phong Nguyen, David Stern, Ari Renvall, Tommi Meskanen, and NTRU Cryptosystems researchers.
As far as P1363.1 goes, the security considerations section needs to be updated, but the algorithm specification need not necessarily be changed. This is in line with P1363 practice, which has been to provide developers with the information necessary to make their own security decisions, but not to mandate specific choices.

- Timetable for further progress
These results and recommended new padding schemes will be published shortly. It is anticipated that P1363.1 will become more active after that.

4. P1363.2 Update
Documents are available at http://www.integritysciences.com/p1363/drafts/ under the usual P1363 username and password.
ISO 11770-4 contains several techniques that are currently included in P1363.2. Notably, that document is only 17 pages, versus more than 100 pages for the current P1363.2 draft. We may want to use this document to help us streamline our document.

- Discussions
Jablon walked the group through the ISO 11770-4 document and compared it to P1363.2. ISO has included in their document references to P1363.2 to map techniques in 11770-4 to P1363.2. ISO only chose one technique for each family. It also does not cover the techniques in elliptic curve groups. Liqun Chen is an editor of ISO 11770-4 and welcomes any feedback from P1363 WG members (e-mail is liqun_chen or liqun.chen at hp.com).
Whyte pointed out that, instead of using the notation "a'" in P1363.2, it may be clearer to use subscripts for the party that owns/creates (or was purported to own/create) the value, similar to what 11770-4 does.
Generally we would like to make sure that all proposers review the document to be sure that it is accurate and that their methods are properly represented in the comparison table.
In the P1363.2 Drawings document, there will be a change to the primitives (e.g. SVDP-DHA) in which the primitive will accept all inputs and it is up to the scheme to enforce any checking that an object is valid (e.g. that it is in the correct parent group and has the correct order). There was some discussion on whether to make the schemes flexible at the expense of interoperability, in particular deciding between DH and DHC modes.
Jablon suggested that more specification may be needed for PAK-Z. For instance, we may want to select a particular signature scheme as the default. We may also want to change from using a KCF to an MGF, to deal with the differing lengths of the output of the signature scheme.
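The primitive/scheme split recorded above moves the "correct parent group and correct order" check out of the primitive and onto the scheme, and the DH versus DHC choice is the alternative of handling a bad input inside the primitive instead (DHC being P1363's cofactor-multiplication version of the Diffie-Hellman secret value derivation). The following Python is an added illustration of why that check matters; it is not code from the P1363.2 draft or from anyone at the meeting. The parameters (p = 89, q = 11, cofactor 8), the function names, and the "compatible" option that makes the cofactor variant agree with plain DH on valid inputs are all this example's own constructions, not a transcription of the standard's text.

```python
# Added example: validating a received DH public value at the scheme level
# versus neutralising it inside a cofactor (DHC-style) primitive.
# Toy parameters, constructed for this example and NOT secure:
# p = 89, p - 1 = 88 = 8 * 11, so the prime subgroup order is q = 11 and
# the cofactor is h = 8.  Small enough to check every value by hand.
P = 89
Q = 11
H = (P - 1) // Q          # 8
G = pow(2, H, P)          # 78, an element of order exactly Q (2^8 mod 89)


def in_prime_order_subgroup(y, p=P, q=Q):
    """Scheme-level validity check on a received public value y.
    The range check alone (1 < y < p-1) does not establish that y lies in
    the order-q subgroup; the order check y^q == 1 (mod p) does."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def dh_secret(x, y, p=P):
    """Plain DH secret-value derivation: z = y^x mod p, trusting y entirely.
    If y has small order, z depends only on x modulo that order."""
    return pow(y, x, p)


def dhc_secret(x, y, p=P, q=Q, h=H, compatible=True):
    """Cofactor-multiplication variant.  Raising y to the cofactor h maps it
    into the order-q subgroup, erasing any small-subgroup component an
    attacker planted.  With compatible=True the exponent is also multiplied
    by h^-1 mod q, so a valid y gives the same z as dh_secret (this
    compatibility trick is the example's own rendering of the idea).
    Returns None when the result is the identity, i.e. y contributed
    nothing from the prime-order subgroup."""
    hinv = pow(h, q - 2, q)                    # h^-1 mod q (q is prime)
    t = (hinv * x) % q if compatible else x
    z = pow(y, h * t, p)
    return None if z == 1 else z


def distinct_secrets(y, p=P):
    """Number of different z that dh_secret can produce from y over all x.
    Equals the multiplicative order of y: q for a valid y, far fewer for a
    small-subgroup element, which is exactly the leak an attacker exploits."""
    return len({pow(y, x, p) for x in range(1, p - 1)})


if __name__ == "__main__":
    x = 5                      # our private value
    honest = pow(G, 7, P)      # peer's genuine public value g^7 = 2
    bogus = pow(3, Q, P)       # 37: has order 8, outside the q-subgroup
    for y in (honest, bogus):
        print(f"y={y:2d} range-ok={1 < y < P - 1} "
              f"subgroup-ok={in_prime_order_subgroup(y)} "
              f"dh={dh_secret(x, y)} dhc={dhc_secret(x, y)} "
              f"possible secrets={distinct_secrets(y)}")
```

Running the block shows the trade-off the minutes describe: with plain DH the scheme must reject y = 37 itself (the range check passes, the order check fails, and without it the derived value can take only 8 possibilities), while the cofactor variant returns "invalid" for the same input without any scheme-level check but, unless the compatibility adjustment is applied, derives a different secret from a valid y than plain DH does, which is the interoperability cost mentioned above.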
- Table comparing techniques
From the Miami meeting, we would like to make sure that proposers of the various algorithms are satisfied with the entries in the table (particularly for the performance comparisons). Whyte summarized some of the discussions on the table from the Miami meeting. We anticipate that we will discuss this table in more detail at the next meeting, after people have had adequate time to review the Miami minutes and the table itself.

- Timetable for choice of techniques
Jablon will attempt to contact all submitters to review the table and the information included in the draft. AMP may be susceptible to 2-for-1 guessing and other attacks, but no consensus has been reached on how to address this.

5. Other business

- Results of E-Motions 2003-1, 2003-3
Future teleconferences will count as meetings under the bylaws. We may need to be sure that the times of the teleconferences are easier for people in other countries to make.

- Future meetings
We are looking to have a physical meeting in the Boston area in the late April to early May time frame. Officer elections will be in October of this year.

6. Adjourn
The meeting adjourned at 3.51 pm EST.