MINUTES

IEEE P1363: Standard for RSA, Diffie-Hellman, and Related Public-Key Cryptography

Burt Kaliski opened the meeting at 9:05 am. The announced agenda was:

    IEEE P1363: Standard for RSA, Diffie-Hellman and Related Public-Key Cryptography

    MEETING NOTICE

    Thursday, January 12, 1995, 9:00-4:00pm
    Hotel Sofitel, Redwood Shores, California

    This fifth meeting of the P1363 working group, open to the public, will review draft sections of a standard for RSA, Diffie-Hellman and related public-key cryptography. The meeting follows the 1995 RSA Data Security Conference, held January 9-11 at the same location.

    AGENDA

    1. Approval of Agenda
    2. Approval of Minutes from November Meeting
    3. Officers' Reports
    4. Review of Draft Standard
       a. General material
       b. Elliptic curves
       c. Hardware support
       d. Random number generation
    5. Proposals for New Sections
    6. New Work Assignments
    7. Meeting Schedule

    If you'd like to participate, contact Burt Kaliski, the working group's chair, at RSA Laboratories, 100 Marine Parkway, Redwood City, CA 94065. Phone: (415) 595-7703, FAX: (415) 595-4126, E-mail: .

    Draft sections and copies of previous minutes are available via anonymous ftp to rsa.com in the "pub/p1363" directory. The working group's electronic mailing list is ; to join, send e-mail to .

    There is no meeting fee this time.

    Hotel Sofitel is at 223 Twin Dolphin Drive in Redwood Shores, California, about 12 miles south of San Francisco International Airport. From U.S. 101, take the Redwood Shores Parkway exit, and turn left at the second traffic light. Phone: (415) 598-9000.

In attendance, we had

     Ali Bahreman
    *Whitfield Diffie
     Arthur Gleckler
     Roger Golliver
    *Burt Kaliski, Chair
    *John Kennedy
     Brian LaMacchia
    *Michael Markowitz
    *Alfred Menezes
    *Mark Oliver
    *Roger Schlafly, Secretary
     Jerry Solinas
     Sherry Shannon
    *Scott Vanstone

Those marked with an asterisk were qualified to vote, having also attended 2 of the last 3 meetings (and thus 3 of 4, including this one).

Our rules expert, Karen Randall, was not present so we proceeded on the assumption that we had a quorum.

We added "4(e) IEEE standard document format" to the agenda.

Motion 1: (Kennedy, Vanstone) The agenda is approved, as amended. Passed, unanimously.

Motion 2: (Oliver, Kennedy) Approve the minutes. Passed, unanimously.

For the officers' reports, Arnold and Aucsmith were not present, and Schlafly had nothing to report.

Kaliski wrote letters to RSA Data Security and Public Key Partners in November, 1994, as directed by the committee at the last meeting. Copies were distributed. Neither has replied formally. Bidzos said that he thought RSA Data was close to resolving its dispute with Cylink over PKP. Fougner promised also to work on a reply shortly.

Kaliski reported that ISO-SC27-WG2 is a committee doing a standard for crypto protocols. They are not specifying crypto algorithms, so their work should fit nicely with ours and we should maintain a liaison with them.

Oliver, our co-editor, discussed data formats for the documents. He has the random number draft in ASCII. The elliptic curve draft is in LaTeX. He suggested maintaining all the parts in LaTeX, and could produce camera-ready hardcopy for the IEEE.

Vanstone gave a slide presentation on elliptic curves, and distributed a new revision of the elliptic curve spec. He explained the advantages of elliptic curve cryptosystems. They are more efficient as they give much greater security for a given key size. The best known attacks are exponential (giant step, baby step) and hence the security of a 150-bit elliptic curve is comparable to 1024-bit RSA or ElGamal. Vanstone illustrated the arithmetic computations with concrete examples in the field with 2^4 = 16 elements.

Elliptic curve cryptosystems are gaining wider acceptance. Siemens makes a smart card using elliptic curves. Other companies also have elliptic curve projects.

Vanstone raised some issues for discussion.
In the ASN.1 encoding, is it better to use a bit string or an octet string? Octet strings are slightly more efficient. We need a registered object identifier for ASN.1. Kaliski volunteered to request one from the appropriate agency.

Schlafly suggested adding some material on choosing a preferred normal basis for the characteristic 2 fields.

Amos Fiat had volunteered to read the elliptic curve spec, but no one had heard from him. Markowitz volunteered to review the spec.

We took a break from 11:10 am to 11:30 am.

No progress was reported for the hardware or random number sections.

Solinas suggested reinstating the previous elliptic curve signature formula as an option, because it resembles the DSA and might therefore gain government acceptance more easily.

Schlafly suggested adding a key exchange protocol to the elliptic curve spec, especially since Diffie-Hellman is still tabled. No one objected.

We now have the random number and elliptic curve draft specs nearly ready, but other sections have no current progress. The most notable section being held up is the RSA section, which has a patent problem. The Diffie-Hellman and ElGamal sections are similarly held up. The obvious alternatives are (1) issue an elliptic curve only standard, (2) proceed with a "Part 1" standard covering elliptic curves, and postpone RSA and ElGamal until a "Part 2", or (3) wait until the public key patent problems get resolved. The general preference was for alternative (2). This leaves us with a somewhat misleading title, but one we can live with for now because we are within the scope of our PAR.

Motion 3: (Vanstone, Markowitz) Our intent today is to have a draft ready for ballot in May, and the chair is instructed to investigate releasing a draft implementation of a subset of the scope. Passed, unanimously.

Kaliski will tell the IEEE Microprocessor Standards committee that we may have a draft ready for ballot in May.

It is still unclear whether Aucsmith will do much editing for us.
In the meantime, Oliver is our primary editor.

The next meeting was scheduled for Wed., May 10, 1995, 1 pm, at the Claremont Hotel in Oakland. A more formal announcement will be distributed. The following meeting will be at Crypto '95, Santa Barbara, in August. We discussed a location for a fall meeting, but nothing was decided.

Motion 4: (Vanstone, Markowitz) Adjourn. Passed, unanimously.

We adjourned at 12:30 pm.