AUGUST 1999 P1363 MEETING

MEETING SUMMARY

August 1999 IEEE P1363 Working Group Meeting Summary

We outlined a plan for a P1363a document to fill some gaps in P1363, e.g. encryption schemes for DL and EC and some signature schemes. New projects may be begun for related topics such as key generation, domain parameters, ID schemes, hybrid schemes, protocols, etc., and designated P1363.1, P1363.2, etc. Some proposals for technologies to be considered in the new projects were presented.

We had very little discussion of the current P1363 draft because it was being balloted at the time, except that we considered alternatives regarding IFSSR. A new attack on IFSSR had been announced earlier in the week; the group decided to review ballot comments before making any decisions regarding IFSSR.

The working group bylaws had been adopted by electronic vote prior to the meeting.

MEETING MINUTES

Thursday, Aug. 18, 1999
UC Santa Barbara student center, State Street room

We started at 2:00pm. We had in attendance:

 Kazumato Aoki
*Beni Arazi
 Jurjen Bos
*Lily Chen
 Walter Fumy
*Don Johnson
*Burt Kaliski
 Tetsutaro Kobayashi
*David Kravitz
 Phil Joong Lee
 Daniel Lieman
 Phil MacKenzie
*Michael Markowitz
 Shiho Moriai
 China Pellacuru
 Hilarie Orman
*Anand Rajan
*Allen Roginsky
*Roger Schlafly
*Rich Schroeppel
*Ari Singer
*Jerry Solinas
 Kazuo Takaragi
*William Whyte
 Lisa Yin

An asterisk indicates an eligible voter.

Motion 1. (Johnson, Rajan) Approve the agenda. Passed.

Kaliski reviewed ballot procedures. Ballots are now out, and due in a week.

Kaliski mentioned the new attack on IF signatures with message recovery (ISO 9796-1). Kaliski suggested removing it, but that might delay approval by 4 months because it would require re-balloting. Johnson and Solinas said that attacks occur all the time, and we should just put the attacks on the web site.

Micali gave a talk on a new signature scheme of his that is based on the difficulty of factoring. A paper is on the P1363 web page.
It is patented and he will announce patent terms.

Kobayashi presented a paper claiming efficiency advantages to using elliptic curves over an odd prime power field. Schroeppel mentioned Crandall's patent as a possible issue.

After a break, we heard about the NTRU public key system from Lieman.

MacKenzie gave a talk on SNAPI, a password-based protocol.

Kaliski explained that in June we decided that P1363a should fill the gaps in P1363, and that we would start special projects to be put in separate documents. Projects might be password-authenticated key exchange, identification, key generation, conformance, new families, and others. Each project would have a title, scope, and purpose, and would be approved by the microprocessor standards group and whoever else is sponsoring us.

Singer will run for chair of P1363a. There are no other officer candidates yet. Kaliski may wish to be a document editor.

We adjourned at 5:00pm.

Friday, Aug. 19, 1999
UC Santa Barbara student center, State Street room

In attendance:

 Tolga Acar
*Beni Arazi
*Lily Chen
*Don Johnson
*Burt Kaliski
*David Kravitz
 Daniel Lieman
 Phil MacKenzie
*Michael Markowitz
*Tatsuaki Okamoto
*Allen Roginsky
*Roger Schlafly
*Ari Singer
*Jerry Solinas
*William Whyte
 Lisa Yin

16 attending, 12 voters. We now have 16 e-voters: the above 12 plus Terry Arnold, Franck Leprevost, Anand Rajan, and Rich Schroeppel.

We began with officer reports. Kaliski's report is appended below. We read and approved the minutes for the June meeting. Yin (editor) reported minor style changes. Markowitz (treasurer) reported that we have $3,200 in the bank, which is owed to IEEE.

After a break, Kaliski raised the issue of what to do with the recent attack on ISO 9796-1 signatures. Currently we include it as IFSSR. Johnson argued for keeping the signature, because
- P1363 is timely and a 4 month delay hurts that.
- P1363 has guidance, but not security requirements.
- A 3000 chosen message attack may not be critical for some applications.
- ISO has not yet decided whether to revoke the standard.

Yin said that making other editorial changes will take time anyway, so removing the signature may not delay the standard. Schlafly argued that including a broken signature scheme will embarrass us and detract from the standard. The matter was unresolved. We will know in a week whether any of the ballots specifically objects to IFSSR.

Kaliski discussed the meeting schedule. Singer offered to host a meeting at Pitney Bowes in Shelton, Connecticut. The date is tentatively set for Oct. 27-29.

Kaliski proposed an outline for P1363a. P1363 has schemes in the following table.

        DL    EC    IF
 KAS    yes   yes   ?
 SSA    yes   yes   yes
 SSR    *     *     yes(?)
 ES     *     *     yes

(IFSSR may not be in P1363.) The idea is to fill in the asterisks in P1363a to complete the table. Likely new primitives would include deterministic DSA signatures, ElGamal encryption, EC analogs, IF signatures, ...

For DL/EC encryption, we could generate a shared secret (with DH1, say) and then use either
(1) KDF + SymE + MAC, as in DHAES and X9.63, or
(2) AONT + xor.
AONT = All Or Nothing Transform, of which OAEP is a good example.

Other possible work: GF(p^m), new bases, ...

Kaliski listed possible new projects.
1. P1363 usage: guidelines, conformance testing, ASN.1 syntax, S-expression syntax.
2. Key and domain parameters (and possibly proof of possession).
3. New techniques: threshold cryptosystems, ID schemes, password-based schemes, new families. Also hybrid schemes like sign/crypt and cert/sign.
4. Protocols: key establishment, entity authentication, proof of possession.

At 12:30 we took a break for lunch.

After lunch, we discussed whether to add a new family. Lieman argued for NTRU, but others thought that it was too new and untested. Lieman will present further arguments in October. Okamoto argued for ESIGN and an analogous encryption scheme.

Kaliski mentioned the possibility of doing protocols, even though we do not do them now.
A possibility might be the cryptographic portion of TLS (aka SSL). We could also do key confirmation in conjunction with key establishment (or separately). The next meeting will discuss P1363a content in detail.

We had more discussion about what to do about the IFSSR attack. We are not going to do anything until the current ballot is completed. After that, and possibly depending on the comments we get, the obvious choices are either to drop IFSSR or to insert a "health warning" about the attack. The latter might not require reballoting, depending on how it is worded. We took an informal straw vote of all those present. Most (9-6) preferred to drop it if it turns out that we have to have another ballot anyway, but most (7-5) also preferred just a health warning if we can avoid a recirculation ballot. Kaliski said he would post a message to the list about the attack.

If no serious objections come in next week's ballot, then Kaliski will pass it on to RevCom. The work assignments are to polish up P1363 and to get P1363a rolling.

Kaliski reminded us that P1363 officer nominations close Sept. 10. So far, we just have Singer running for Chair.

We adjourned at 3:45pm.

CHAIR'S REPORT / STATUS OF FOLLOW-UP ACTIVITIES FROM JUNE 1999 MEETING

Patent issues (see Chair's report)

* Follow up with Cylink about normal basis multiplication patent (Kaliski)
  DONE. Received letter from Robert Fougner, August 18, 1999, offering reasonable and nondiscriminatory terms. The patent is U.S. Patent No. 4,587,627 by Omura and Massey, "Computational method and apparatus for finite field arithmetic," and pertains to the informative technique in Annex A.6.4 for multiplication in a normal basis.

* Contact Silvio Micali about possible relevance to P1363a of patent relating to DSA precomputation (Kaliski)
  DONE. Micali intends to offer reasonable and nondiscriminatory terms and will provide a letter accordingly.
* Follow up with NIST about whether NIST's royalty-free license to the DSA patent extends beyond the version in the Digital Signature Standard (presumably it does, since ECDSA is being adopted by NIST).
  OPEN. Awaiting reply from NIST.

* Clarify OAEP patent question with IBM (Kaliski)
  DONE. Mike Matyas confirmed that IBM's previous letter to IEEE P1363 takes into account the possibility that OAEP may be used with additional parameters.

* ECAES patents / DHAES non-inventor patents.
  DONE. Simon Blake-Wilson, editor of ANSI X9.63, indicated that two companies (Certicom and IBM) had made assertions about patent claims on ANSI X9.63 and had been approached for patent assurances. While it is not clear which assertions apply to ECAES and which apply to other aspects of ANSI X9.63, we can follow up by contacting the companies again as we develop IEEE P1363a.

By-laws / Elections

* Call for volunteers for office (Kaliski)
  DONE. (But we still need more volunteers.)

* Revise proposed bylaws per approved changes (Singer)
  DONE.

* Post revised bylaws for ratification, conduct electronic vote (Kaliski)
  DONE. Bylaws were approved 14-0-0, with two non-voters and one late vote, as per the following information:

  IEEE P1363 E-MOTION 1999-1: Ratify proposed IEEE P1363 bylaws as approved at June meeting and amended below (July 30, 1999 version).
  E-voting opened: Tuesday, August 3, 1999, 12:00pm
  E-voting closed: Friday, August 13, 1999, 5:00pm
  PASSED: 14-0-0
  (17 eligible voters: Allen Roginsky; Anand Rajan; Ari Singer; Ben Arazi; Burt Kaliski; David Kravitz; Don Johnson; Franck Leprevost; Jerry Solinas; Kazuo Takaragi; Louis Finkelstein; Michael Markowitz; Rich Schroeppel; Roger Schlafly; Shirley Kawamoto; Tatsuaki Okamoto; Terry Arnold.)
  A minimum of 10 votes was required for quorum, with at least 75% YES among YES/NO votes.

* Notify electronic voters of current voting status (Kaliski)
  DONE.

Technical

* Ask PSEC submitters for security proof references (Kaliski)
  DONE.

* Look at application of Boyko's paper to swizzle (Roginsky)
  OPEN. Allen indicated that IBM does not intend to promote the swizzle method further at this time.

* Follow up on discrepancy between DHAES and ANSI X9.63 ECAES (Kaliski)
  DONE. The discrepancy is whether the sender's ephemeral public key is included as input to the key derivation function. William Whyte has observed that the inclusion of the ephemeral public key is important for the proof of security of DHAES over general groups. When computation is over prime-order subgroups, as in ANSI X9.63, the inclusion is not necessary.

Planning

* Invite new project proposals (Kaliski)
  DONE.

* Explain new model for P1363a in introductory presentation at Crypto '99 (Kaliski)
  DONE.

* Consult with MSC about change in model, revisit possible TCSP sponsorship (Kaliski)
  DONE / OPEN. MSC supports the new model; awaiting reply from TCSP.

* Draft proposed outline for P1363a (Kaliski)
  DONE.

* Outline possible project on key generation and validation (Kaliski)
  DONE.

Miscellaneous

* Revise previous minutes (Kaliski / Roger Schlafly)
  DONE. Leo Reyzin has updated the March minutes.

* Inform P1363a contributor about policy not to post product announcements (Kaliski)
  DONE.

* Post table comparing encryption schemes on Web page (Whyte)
  DONE.

* Forward meeting fees to Mike Markowitz (Kaliski)
  DONE.
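The DHAES-style construction sketched in the P1363a outline (DH shared secret, then KDF + SymE + MAC) and the KDF-input discrepancy recorded in the item above, as an added illustration that is not part of these minutes or of any P1363 or ANSI X9.63 text. The group parameters (p = 1019, q = 509, g = 4), the SHA-256 counter-mode KDF and the SHA-256 keystream standing in for the symmetric cipher are all assumptions chosen so the code runs offline; none is a standardized parameter or primitive. The include_ephemeral flag switches the KDF input between the ephemeral public key together with the shared secret (the DHAES form) and the shared secret alone (the X9.63 form), and the decryptor checks that the received ephemeral key lies in the prime-order subgroup, the setting in which the minutes say the extra input is not needed.

```python
"""DHAES-style hybrid encryption: DH shared secret -> KDF -> SymE + MAC.

Added illustration, not P1363 text. Toy parameters (assumption): p = 1019 is a
safe prime, q = 509 = (p - 1) / 2, and g = 4 generates the order-q subgroup.
Real deployments use a ~2048-bit p; only the structure is of interest here.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

P, Q, G = 1019, 509, 4
NBYTES = (P.bit_length() + 7) // 8          # fixed-width encoding of group elements


def keygen() -> Tuple[int, int]:
    """Return (private x, public g^x mod p) with x in [1, q-1]."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def in_subgroup(y: int) -> bool:
    """True iff y is a non-identity element of the order-q subgroup of Z_p^*."""
    return 1 < y < P and pow(y, Q, P) == 1


def kdf(shared: int, ephemeral_pub: Optional[int], length: int = 64) -> bytes:
    """Counter-mode SHA-256 KDF (an assumption, not the P1363 KDF).

    With ephemeral_pub given, the input is ephemeral_pub || shared (the DHAES
    form); with None it is shared alone (the ANSI X9.63 ECAES form).
    """
    data = b""
    if ephemeral_pub is not None:
        data += ephemeral_pub.to_bytes(NBYTES, "big")
    data += shared.to_bytes(NBYTES, "big")
    out = b""
    counter = 1
    while len(out) < length:
        out += hashlib.sha256(data + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in SymE: XOR with a SHA-256 counter-mode keystream (assumption)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(recipient_pub: int, message: bytes,
            include_ephemeral: bool = True) -> Tuple[int, bytes, bytes]:
    """Return (ephemeral public key, ciphertext, MAC tag)."""
    u, gu = keygen()                          # fresh ephemeral key pair per message
    z = pow(recipient_pub, u, P)              # DH1-style shared secret
    k = kdf(z, gu if include_ephemeral else None)
    enc_key, mac_key = k[:32], k[32:]         # split KDF output into SymE and MAC keys
    ct = _stream_xor(enc_key, message)
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return gu, ct, tag


def decrypt(recipient_priv: int, gu: int, ct: bytes, tag: bytes,
            include_ephemeral: bool = True) -> bytes:
    """Reject keys outside the prime-order subgroup, verify the MAC, then decrypt."""
    if not in_subgroup(gu):
        raise ValueError("ephemeral public key not in the prime-order subgroup")
    z = pow(gu, recipient_priv, P)
    k = kdf(z, gu if include_ephemeral else None)
    enc_key, mac_key = k[:32], k[32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC check failed")
    return _stream_xor(enc_key, ct)


if __name__ == "__main__":
    x, y = keygen()
    gu, ct, tag = encrypt(y, b"constructed sample message")
    assert decrypt(x, gu, ct, tag) == b"constructed sample message"
    print("round trip ok; ephemeral key", gu)
```

Both KDF conventions round-trip on their own, but a sender and receiver that disagree on include_ephemeral derive different keys and the MAC check fails, which is exactly the interoperability cost of the discrepancy the chair's report records. The subgroup check on gu is cheap (one exponentiation) and is what makes the "prime-order subgroup" assumption of the X9.63 form hold on the receiving side rather than being taken on trust.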