MINUTES
(As amended and approved November 1, 1994)

IEEE P1363: Standard for RSA, Diffie-Hellman, and Related Public-Key Cryptography

August 25, 1994
Santa Barbara, California

Burt Kaliski opened the meeting at 1:00 pm. The announced agenda was:

AGENDA

1. Approval of Minutes from May Meeting
2. Patent Licensing Update
3. Review of Sections
   a. RSA (coordinator: Mark Oliver)
   b. Diffie-Hellman (John Kennedy)
   c. ElGamal (Roger Schlafly)
   d. Elliptic curves (Scott Vanstone)
   e. Hardware support (Terry Arnold)
   f. Random number generation (Burt Kaliski/Richard Robertson)
   g. Cryptographic services (Tom Berson)
4. New Work Assignments
5. Next Meeting

Because we had a number of new people in attendance, Kaliski summarized the purpose and scope of the working group. This information is in the PAR.

Motion 1 to amend the agenda to include item 2.5, review of related ISO work, passed unanimously.

Paper copies of the minutes of the May 1994 meeting were distributed. (They had already been sent out over email.) Motion 2 to skip reading the minutes and adopt them passed unanimously.

Kaliski reviewed the IEEE rules on patents, and distributed the relevant sections from the Bylaws and the Operations Manual. In particular, section 6.3.2 of the Operations Manual requires patent holders to submit a draft license prior to any significant work. He had intended to have such a statement of PKP licensing terms, but PKP did not complete it on time. PKP promised to deliver in another week or so.

There was a discussion of the PKP patent problem, with general dissatisfaction with PKP's lack of performance. Paul Van Oorschot suggested we draft a standard in parallel with PKP drafting a license, but Schlafly explained that we voted to do that last time, and we are not really supposed to under the rules.

Michael Markowitz raised the issue of PKP's continued existence. One partner (Cylink) is suing the other (RSA Data Security), and there have been rumors that PKP may dissolve.

Niels Ferguson questioned whether a license policy for new licensees would really be nondiscriminatory if the terms offered are worse than what prior licensees already have.

There was discussion as to whether we could proceed with any significant public key work without a PKP licensing policy. Elliptic curves were thought to be the least likely infringing technology. Although PKP had made broad claims to all public key technology, Scott Vanstone said that his company had sold elliptic curve cryptosystems for several years without a license from PKP, though terms had been requested.

Motion 3: In light of the IEEE guidelines, existing patents known to us do not preclude us from working on elliptic curves. Passed, unanimously.

We took a short break, resuming at 2:41 pm.

Motion 4: In view of the patent problems, we suspend work on RSA and Diffie-Hellman until the next meeting. Passed, unanimously.

Schlafly argued that a patent-free ElGamal method could be considered, but someone pointed out that PKP has claimed in writing that its patents cover ElGamal. Robertson moved (Motion 5) that we suspend discussion of ElGamal until later in the meeting. Passed, 8 yes, 1 no.

Action Item: Kaliski was directed to consult IEEE authorities for more guidance on these patent matters.

Agenda, 2.5. Rueppel told of his work on the ISO SC27 committee which is also doing public key standards. He was concerned that we would introduce needless incompatibilities unless we had a liaison to keep both committees apprised of progress.

Karen Randall said that ANSI X3.T4 was also working on secure techniques which would overlap with what we are doing. She explained that there are a number of political and bureaucratic roadblocks to having an official liaison, but that there is nothing to stop us from having an unofficial liaison.

Action item: Kaliski said that he would look into liaisons.

Randall said that we already have some liaisons listed on our PAR, and that they must review any standard that we produce.

We then had reports from the work groups, except for those we suspended.

Agenda, 3(g), Cryptographic services. Tom Berson was talked into doing this, but he was looking for volunteers to help out. Definitions were not ready, and will be posted. Randall and Kaliski agreed to review them when available.

Agenda, 3(d), Elliptic curves. Vanstone and Menezes distributed a couple of copies of their elliptic curve draft. They reported the chief advantages of elliptic curves: small keys, small signatures, speed, and many curves to choose from. They didn't write anything for the "key management" section, and we agreed to move it to another section, since key management won't have anything specific to elliptic curves and should be the same as with other public key methods.

Implicit in our discussion was that we'd adopt Algebraic Syntax Notation One (ASN.1) and Basic Encoding Rules to represent the various quantities being standardized, and Distinguished Encoding Rules for signatures or wherever else BER ambiguity might be a problem. Terry Arnold proposed we make this official.

Motion 6: We will use ASN.1 BER (X.208, X.209) for syntax notation. Passed, unanimously.

Kaliski, Fiat, and Schlafly agreed to review the elliptic curve spec.

Agenda, 3(e), Hardware support. There was some discussion as to whether we need to standardize on any hardware at all. The main rationale for doing so seemed to be that since we are sponsored by the Microprocessor Standards Committee of the IEEE, we should say something about hardware. Some thought that a specification of low-level functions would provide useful guidance to someone designing a crypto chip. Others were worried that it might constrain designers and discourage optimizations, or that we might standardize on something no one will make.

Kaliski said there is a PASC study group on encryption APIs.

Robertson, Kennedy, and Upton will comment on packaging.

Markowitz objected to the term "validation suite" unless we actually maintain a reference implementation in a box in a lab so that we can test against random inputs. He prefers the term "test vectors".

Agenda, 3(f), Random number generation. Robertson distributed a draft on random numbers. Fiat argued that the tests for randomness are meaningless. It has been shown that a sequence of numbers can pass all the statistical tests for randomness and yet not be cryptographically strong. Others were concerned that listing randomness tests may put a stamp of approval on some lousy random number generators that manage to pass the tests.

Nevertheless, good random number generators are essential to cryptography, and we ought to have some requirements or someone might just use a simple linear congruential generator. Perhaps we could recommend against certain types of generators.

Someone pointed out that we may want real-time tests on a physical random number generator, and such a test might be very different from a test on a pseudo-random number generator.

Someone suggested that random numbers are important enough that perhaps there ought to be a separate standard just for random number generation.

Rivest emphasized that the use for the random numbers makes a big difference, and that random numbers being used for cryptographic keys must pass a much stricter standard of randomness than other random uses.

Paul Rubin and Carl Ellison agreed to review the random number draft.

Agenda, 4. No one had any serious new proposals, although if the problems with PKP are not worked out, it seems likely that we will want to look at other public key methods. Someone also suggested identity-based systems, but nothing specific was proposed.

Stephen Farrell gave a short presentation on his company's SESAME project.

Since the first three meetings have been held in California, Kaliski suggested having the next meeting on the east coast and possibly one of next year's meetings in Europe. We tentatively scheduled the next meeting for Oct. 31 in Fairfax, Virginia, in conjunction with the Nov. 1-4 ACM meeting. This appeared agreeable to all.

Since ElGamal (Agenda 3(c)) had only been deferred, the issue was raised again. Motion 7 was to suspend work on ElGamal until the next meeting, just as we did for RSA and Diffie-Hellman. Passed, 7 yes, 1 no.

We adjourned at about 5:20 pm.