IEEE P1363 Meeting Minutes
==========================

March 17-19, 1999
The Omni Hotel, Chicago. Gaugiun Room, 3rd floor.

Kaliski started the meeting at 9:15 am. In attendance, we had:

  Ben Arazi (LPK)
  Terry Arnold (Vice Chair, by phone, briefly)
  Louis Finkelstein (Motorola)
  Burt Kaliski (Chair, RSA Labs)
  David Kravitz (DIVX)
  Franck Leprevost (CNRS Paris & TW Berlin)
  Mike Markowitz (ISC, Treasurer)
  Tatsuaki Okamoto (ATT)
  Allen Roginsky (IBM)
  Roger Schlafly (Secretary)
  Ari Singer (Pitney Bowes)

All attendees were qualified to vote, except Finkelstein.

Motion 1 (Roginsky, Markowitz) Approve agenda. Passed, unanimously.

We reviewed the minutes, and found some minor errors. On p. 2, signcryption "6c" should be "6b". On p. 3, "6a" should be moved to "signature with appendix". On p. 4, "consider" should be "considered". On p. 4, "pointed" should be "pointed out that".

Motion 2 (Markowitz, Singer) Approve minutes, as amended. Passed, unanimously.

Kaliski explained an unexpected delay in ballots. Now the June meeting (in the US?) is for ballot review. Maybe we can have the Nov. meeting in Europe (Dusseldorf).

Kaliski reported that Siemens had responded to an inquiry about licensing the Schnorr patent, but requested that its response not be public, on the basis that the license is non-exclusive. We asked Kaliski to verify that the exclusive license from Schnorr to RSA Data Security has worldwide coverage. There was some discussion of patents.

Kaliski distributed a letter from Security Dynamics asking us not to use "RSA" in names, because it wants to broaden its trademark claims. No immediate action seems to be required, except to put the letter in the IEEE file. Kaliski wishes he had agreed with Schlafly about removing "RSA" from the draft when the issue first arose several years ago. No change can be made to the draft at this time, because it is in ballot. Kaliski may suggest a change in his ballot comments.

Markowitz gave the treasurer's report.
The current bank balance is $5310, but after expenses, the assets are only about $2234. (Some checks have not been cashed.)

Kaliski wanted to have electronic votes on motions between meetings, as described in the Nov. 98 minutes.

Arnold called in with a report on IEEE ballot procedures. He urged us to get our ballots in by April 2. He is getting a list of those on the balloting committee. He said negative votes are supposed to give specific information on overcoming the objection. We must address the comments.

Kaliski pointed out that it has already been reported (by Qu) that the table of irreducible polynomials has a number of errors. Some people are apt to vote NO unless this table is corrected. Therefore a recirculated ballot will almost certainly be necessary. There is an IEEE RevCom meeting in June. We could try to get all changes in by then, but that may not be practical.

Kaliski made a list of sections so we can divide up the responsibility for dealing with initial comments.

  1-4    editor
  5      Solinas, Leprevost
  6      Schlafly
  7      Johnson
  8      Kaliski
  9      Markowitz, Kravitz
  10     Schlafly, Johnson
  11     Kaliski
  12-14  Markowitz
  A      Solinas, Leprevost
  B      Kaliski
  C      Schlafly
  D      Kaliski
  E      Solinas, Leprevost
  F      editor

We will send contact info (fax numbers) to terry.arnold@merdan.com. Markowitz suggested putting scanned comments on a web server. Finkelstein wanted to ensure that Qu's corrections would be made, even if Qu does not put them in his ballot comments. Schlafly said he would add them to his comments.

Motion 3 (Schlafly, Singer) Adopt the electronic voting procedure of the previous meeting, subject to the following amendments.
  1. A minimum quorum of 10 is required, including abstentions.
  2. Votes will be collected by the Chair and the Secretary.
  3. We may announce a preliminary result based on a majority of eligible voters.
  4. The Chair may initiate a new vote at any time.
Passed, unanimously.

After lunch, we started the P1363a presentations.
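Since the irreducible-polynomial table is what several NO votes are expected to hinge on, it is worth being able to check any entry independently rather than trusting the printed table. The following is an added example written for these minutes, not code from the draft or from any submission: a Ben-Or irreducibility test over GF(2), with a polynomial held as a Python int whose bit i is the coefficient of x^i (so x^4 + x + 1 is 0b10011). The helper names (trinomial, pentanomial, smallest_irreducible_trinomial) are my own, and the polynomials checked at the bottom are constructed for illustration; the one real-world case among them, x^163 + x^7 + x^6 + x^3 + 1, is the NIST B-163 field polynomial and is known to be irreducible.

```python
"""Irreducibility test for binary polynomials (added example, not from the minutes).

A polynomial over GF(2) is an int whose bit i is the coefficient of x^i.
Ben-Or's test: f of degree n is irreducible iff gcd(f, x^(2^i) + x) = 1 for
i = 1 .. n//2, because x^(2^i) + x is the product of every irreducible over
GF(2) whose degree divides i.
"""

def gf2_degree(a):
    return a.bit_length() - 1            # the zero polynomial comes out as -1

def gf2_mod(a, m):
    """a mod m over GF(2): long division is a sequence of shifted XORs."""
    dm = gf2_degree(m)
    while a and gf2_degree(a) >= dm:
        a ^= m << (gf2_degree(a) - dm)
    return a

def gf2_mulmod(a, b, m):
    """a * b mod m over GF(2), shift-and-add with a reduction at every step."""
    dm = gf2_degree(m)
    a = gf2_mod(a, m)
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> dm) & 1:                # degree reached deg(m): subtract m
            a ^= m
    return r

def gf2_gcd(a, b):
    while b:
        a, b = b, gf2_mod(a, b)
    return a

def is_irreducible_gf2(f):
    """Ben-Or test on f (an int of degree >= 1)."""
    n = gf2_degree(f)
    if n < 1:
        return False
    x = 0b10
    xp = x                               # x^(2^0)
    for _ in range(n // 2):
        xp = gf2_mulmod(xp, xp, f)       # one squaring: x^(2^i) mod f
        if gf2_gcd(f, xp ^ x) != 1:      # f shares a factor of degree dividing i
            return False
    return True

def trinomial(n, k):
    """x^n + x^k + 1"""
    return (1 << n) | (1 << k) | 1

def pentanomial(n, k3, k2, k1):
    """x^n + x^k3 + x^k2 + x^k1 + 1"""
    return (1 << n) | (1 << k3) | (1 << k2) | (1 << k1) | 1

def smallest_irreducible_trinomial(n):
    """Smallest k with x^n + x^k + 1 irreducible, or None if no degree-n trinomial is."""
    for k in range(1, n):
        if is_irreducible_gf2(trinomial(n, k)):
            return k
    return None

if __name__ == "__main__":
    # Constructed checks: textbook cases plus the NIST B-163 pentanomial.
    print(is_irreducible_gf2(trinomial(4, 1)))            # True:  x^4 + x + 1
    print(is_irreducible_gf2(0b10101))                    # False: x^4 + x^2 + 1 = (x^2 + x + 1)^2
    print(smallest_irreducible_trinomial(8))              # None:  degree 8 has no irreducible trinomial
    print(is_irreducible_gf2(pentanomial(163, 7, 6, 3)))  # True
```

A table entry x^n + x^k + 1 or x^n + x^k3 + x^k2 + x^k1 + 1 is confirmed by one call; a wrong entry fails at the first i whose gcd is non-trivial, so the test is also a cheap way to find where a printed table went bad.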
Arazi presented a scheme for combining certificate validation with signature verification. He had presented it to us before, but now has an improved version of his paper, which he will post.

Okamoto presented various security definitions, and relationships between them. He has encryption schemes PSEC-1 and PSEC-2, which have strong security properties given some elliptic curve and random oracle hypotheses. Patent pending. Okamoto also presented a couple of identification protocols that he published several years ago. They are similar to Schnorr's and Guillou-Quisquater, but have provable security properties. They are patented in Japan only.

Roginsky handed out a paper by Matyas and himself on generating RSA key pairs that meet the ANSI X9.31 criteria and avoid storing seed values. We had an extended discussion of the (controversial) need for finding strong primes.

We adjourned at 5:35 pm.

On Thursday, the following attended:

  Ben Arazi (LPK)
  Louis Finkelstein (Motorola)
  Burt Kaliski (Chair, RSA Labs)
  David Kravitz (DIVX)
  Franck Leprevost (CNRS Paris & TW Berlin)
  Mike Markowitz (ISC, Treasurer)
  Tatsuaki Okamoto (ATT)
  Anand Rajan (Intel)
  Allen Roginsky (IBM)
  Roger Schlafly (Secretary)
  Ari Singer (Pitney Bowes)

Roginsky continued his presentation on generating RSA keys using strong primes.

Kaliski distributed a couple of submissions:
  - A paper on converting bases over a field of characteristic 2 using small tables.
  - A paper on the PKCS #1 encoding method for RSA signatures.

Kaliski reported on other recent contributions and submissions:
  - A submission by Victor Boyko on using OAEP for symmetric encryption.
  - Another paper describing an unconventional basis in characteristic 2.
  - A MAPLE implementation of elliptic curve construction using complex multiplication.
  - A description by Wei Dai of his Crypto++ implementation of IEEE P1363 techniques.

Leprevost informed us that he attended our meeting in August '98. We agreed to hereby amend the minutes, and recognize him as a voting member.
Kaliski raised the subject of new officers for P1363a. His commitment was only to chair P1363 to completion. No one present expressed immediate interest in running for Chair or Editor. Kaliski suggested having the P1363a officer elections in August, since we have the best attendance at the Santa Barbara meetings. We could discuss election procedures in the June meeting. Singer suggested one-year terms.

We tried to anticipate ballot comments. Schlafly said that he will object to MQV. Leprevost said the definition of elliptic curves was not completely precise. Kaliski asked about possible objections to the P1363 draft, such as patent considerations. We discussed patents for a while. Schlafly said his ballot comment was going to object to MQV and Nyberg-Rueppel. We had a discussion of patents and possible objections.

After lunch, Kaliski reviewed the encryption schemes which are P1363a candidates.

  1    EC/DL     Zheng
  3    EC/DL/IF  IBM
  10   EC/DL     DHES (Bellare-Rogaway)
  14   IF        EPOC
  16s  EC/DL     ElGamal
  ??   EC/DL     PSEC
  ??   EC/DL     Cramer-Shoup

Kaliski and Schlafly expressed a preference for patent-free schemes. These are Zheng, DHES, ElGamal, and Cramer-Shoup. Roginsky defended having the IBM "swizzle" scheme as a patented alternative. There was no consensus on what was best, or how many schemes to choose.

Kaliski listed signature schemes. He drew a chart, classifying them based on EC/DL or IF, deterministic or randomized, appendix or message recovery.
EC/DL, deterministic, appendix:
  16a  deterministic DSA/NR
IF, deterministic, appendix:
  IFSSA (RSA, RW + X9.31 format)
  FDH
EC/DL, randomized, appendix:
  EC/DLSSA (DSA, NR)
  6a   Zheng shortened DS
  9    KCDSA (Korean)
  16c  DSA, fewer inverses
  Crandall, no y-coord
  Schnorr
IF, randomized, appendix:
  11a  PSS with appendix
  15   TSH-ESIGN
EC/DL, deterministic, message recovery:
  16t  Vanstone franking
IF, deterministic, message recovery:
  IFSSR (RSA, RW + 9796 format)
EC/DL, randomized, message recovery:
  16b  NR with message recovery
IF, randomized, message recovery:
  11b  PSS-R
Arazi signcert scheme

Of these, DSA, Zheng, and FDH are believed to be patent-free. (Note that DSA is patented, but NIST has stated that it will not seek royalties.) UCal has a patent on PSS. IFSSA and IFSSR are expected to be patent-free upon the expiration of the RSA patent.

Possible identification schemes are:
  - Fiat-Shamir
  - Guillou-Quisquater
  - Micali
  - Schnorr

Schlafly questioned the need for signcryption and other such combination functions. Arazi's system combining signatures with certificates did not fit neatly into our categories. Kaliski said we could create a new category for "signcert", and mention other (non-integrated) alternatives also.

Kaliski suggested PKCS #1 signatures as an alternative to the X9.31 format. Both are ad hoc schemes. X9.31 is an ANSI standard and has been added to NIST's FIPS 186. PKCS #1 has no particular technical advantages, but is in widespread commercial use and is considered secure.

We started Friday at 9:15 am. Markowitz collected meeting fees, at a rate of $20 per day. In attendance:

  Ben Arazi (LPK)
  Burt Kaliski (Chair, RSA Labs)
  David Kravitz (DIVX)
  Franck Leprevost (CNRS Paris & TW Berlin)
  Mike Markowitz (ISC, Treasurer)
  Tatsuaki Okamoto (ATT)
  Anand Rajan (Intel)
  Allen Roginsky (IBM)
  Roger Schlafly (Secretary)
  Ari Singer (Pitney Bowes)

Okamoto summarized the encryption schemes, comparing provable security properties and efficiency. He also summarized signature schemes.
Okamoto presented the following table about encryption schemes:

  Scheme        Provably secure          Efficiency   Additional
  Zheng         No                       **
  DHES          Yes (RO DH SymE MAC)     **           SymE integration
  ElGamal       No                       **
  PSEC          Yes (RO DH SymE)         **           SymE integration
  Cramer-Shoup  Yes                      *
  IBM swizzle   No                       **
  EPOC          Yes (RO IF SymE)         *            SymE integration

Here, "Yes" means provably secure in the strongest sense: for an encryption scheme, indistinguishability against adaptive chosen-ciphertext attacks; for a signature scheme (next table), existential unforgeability against adaptive chosen-message attacks. The parenthetical lists what the proof assumes: RO = random oracle; DH, DL, IF = hardness of the Diffie-Hellman, discrete logarithm and integer factoring problems; SymE, MAC = a secure symmetric encryption scheme and message authentication code.

Okamoto presented the following table about signature schemes ((s) and (v) distinguish signing and verification cost):

  Scheme          Provably secure   Efficiency      Additional
  DSA, NR         No                **
  Zheng           No                **
  KCDSA           No                **
  Schnorr         Yes (RO DL)       **
  Crandall        No                **
  NR              No                **              message recovery
  Van. franking   No (?)            (?)             message recovery
  RSA, RW         No                *(s), ***(v)
  PKCS #1         No                *(s), ***(v)
  FDH-RSA         Yes (RO IF)       *(s), ***(v)
  PSS             Yes (RO IF)       *(s), ***(v)
  TSH-ESIGN       Yes (RO IF)       ***(s/v)
  DSA-R           No                *(s), ***(v)    message recovery
  PSS-R           Yes (RO IF)       *(s), ***(v)    message recovery

He argued that the "secure integration with SymE" property is very important for an encryption scheme. But "message recovery" is not so important for a signature scheme, because it is only useful for very short messages (less than 100 bytes). However, Singer gave examples of applications in which message recovery is important.

Kaliski summarized the ANSI X9.63 encryption schemes, according to the 1/1999 draft. There is ECES, a simple DH/ElGamal type scheme which works as follows.
  - generate a key pair
  - combine with the recipient public key by DH-SVDP
  - process by a KDF, possibly with an additional input
  - XOR with the message
  - send the public key with the XORed message

The other is ECAES, which is somewhat similar to DHES, but there is also a MAC output that depends on a second KDF output and the XORed message.

Singer wants to consider other factors, such as how long the scheme has been published, how thoroughly it has been analyzed, whether it has been patented, and possibly additional features.

Kaliski listed some goals for an EC/DL encryption scheme.
  - at least one with efficiency comparable to ElGamal
  - at least one with security in the strongest sense
  - at least one balancing security and efficiency (same as above?)
  - variable-length messages
  - "control information" bound to the encryption
  - patent issues per IEEE policy
  - related standards and industry practice

After a break, Kaliski listed goals for an IF signature scheme.
  - some provable security properties
  - patent issues
  - related standards and industry practice

EC/DL signature schemes:
  - message recovery/compact scheme (there was some disagreement about the importance of this)
  (Kaliski and Kravitz discussed deterministic schemes. Kaliski thought the determinism aspects could be covered in implementation remarks.)
  - at least one provably secure scheme?
  - more efficient?
  - balancing, if possible

Kaliski wants to post an announcement to the mailing list with the schemes, to get feedback and suggestions. We will also look at identification schemes, password-based encryption, and other topics.

April 2 is the deadline for the ballots. The RevCom meeting is June 23-25. We must submit our responses to the ballot comments by May 7 to be on the agenda for the June RevCom meeting. We can recirculate the ballot after May 7. This schedule requires prompt action by the working group in April in order to change the draft and get approval. We ought to agree on a ballot response and have the document revised by April 23.

Kaliski asked about a June meeting. He wanted to have a meeting in Europe, and the best times are in June or in conjunction with the CQRE meeting in Duesseldorf, Germany, which is Nov. 30 to Dec. 2. He will contact Fumy to see if Siemens wants to host a meeting in June. The tentative date is June 7-9. Kaliski offered as a backup that Security Dynamics could host it, either in Stockholm or London.

We reviewed work assignments.
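The ECES/ECAES flow that Kaliski summarized from the X9.63 draft, and the "SymE integration" and provable-security columns in Okamoto's encryption table, are easier to weigh against a running instance. The block below is an added example written for these minutes; it is not code from X9.63, P1363a, or any of the submissions. It follows the five ECES steps literally (ephemeral key pair, DH shared value, KDF, XOR, send the ephemeral public key with the XORed message) and then adds the ECAES MAC, keyed by a second KDF output, over the XORed message. Everything else is my assumption: the group is the order-q subgroup of the integers mod a safe prime p = 2q + 1 rather than an elliptic curve (the minutes treat EC and DL together, and the arithmetic is the same shape), the KDF is a SHA-256 counter construction, the MAC is HMAC-SHA256, the safe prime is derived deterministically in the block at a toy size, and the messages are constructed. The malleability_demo function shows what the MAC buys: with it stripped, an attacker flips bits of the XORed message and the same bits flip in the recovered plaintext, undetected.

```python
"""DHES/ECAES-style hybrid encryption in a DL group (added example, not from X9.63 or P1363a).

Steps follow the minutes' ECES sketch: ephemeral key pair -> DH shared value ->
KDF -> XOR with the message -> send the ephemeral public key with the XORed
message. ECAES adds a MAC, keyed by a second KDF output, over the XORed message.
Assumptions (mine, not the standard's): order-q subgroup of Z_p^* with p = 2q+1
a toy-sized safe prime derived below; SHA-256 counter KDF; HMAC-SHA256 MAC.
"""
import hashlib
import hmac
import secrets

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]

def is_probable_prime(n, rounds=16):
    """Trial division, then Miller-Rabin; a composite survives with probability <= 4**-rounds."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_safe_prime(bits, label=b"p1363-demo"):
    """Deterministic toy parameter: p = 2q + 1 with q and p prime, q derived from label || counter."""
    counter = 0
    while True:
        h = int.from_bytes(hashlib.sha256(label + counter.to_bytes(4, "big")).digest(), "big")
        q = (h & ((1 << (bits - 1)) - 1)) | (1 << (bits - 2)) | 1   # exactly bits-1 bits, odd
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p
        counter += 1

GENERATOR = 4   # 4 = 2^2 is a quadratic residue, so it generates the order-q subgroup

def keygen(p):
    q = (p - 1) // 2
    x = secrets.randbelow(q - 1) + 1            # private key in [1, q-1]
    return x, pow(GENERATOR, x, p)

def kdf(p, z, length):
    """Counter-mode KDF: SHA-256(Z || counter), Z encoded at the field width."""
    plen = (p.bit_length() + 7) // 8
    out, ctr = b"", 1
    while len(out) < length:
        out += hashlib.sha256(z.to_bytes(plen, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def encrypt(p, pub, msg, with_mac=True):
    """with_mac=False is the ECES sketch; with_mac=True adds the ECAES MAC."""
    r, ephem_pub = keygen(p)                    # 1. generate a key pair
    z = pow(pub, r, p)                          # 2. DH shared value (DH-SVDP)
    ks = kdf(p, z, len(msg) + 32)               # 3. KDF output: stream key || MAC key
    c = bytes(m ^ k for m, k in zip(msg, ks[:len(msg)]))   # 4. XOR with the message
    tag = hmac.new(ks[len(msg):], c, hashlib.sha256).digest() if with_mac else b""
    return ephem_pub, c, tag                    # 5. ephemeral public key travels with the XORed message

def decrypt(p, priv, ephem_pub, c, tag, with_mac=True):
    q = (p - 1) // 2
    # Reject ephemeral keys outside the prime-order subgroup (DL analogue of an invalid-curve check)
    if not 1 < ephem_pub < p - 1 or pow(ephem_pub, q, p) != 1:
        raise ValueError("ephemeral public key not in the prime-order subgroup")
    ks = kdf(p, pow(ephem_pub, priv, p), len(c) + 32)
    if with_mac:
        expect = hmac.new(ks[len(c):], c, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("MAC check failed")
    return bytes(x ^ k for x, k in zip(c, ks[:len(c)]))

def malleability_demo(p, priv, pub):
    """ECES without the MAC: editing ciphertext bytes edits the plaintext, and nothing notices."""
    ephem_pub, c, _ = encrypt(p, pub, b"transfer 1 coin", with_mac=False)   # constructed message
    c = bytearray(c)
    c[9] ^= ord("1") ^ ord("9")                 # attacker changes the amount without the key
    return decrypt(p, priv, ephem_pub, bytes(c), b"", with_mac=False)

def tamper_detected(p, priv, pub):
    """ECAES: the same edit is caught by the MAC keyed from the second KDF output."""
    ephem_pub, c, tag = encrypt(p, pub, b"transfer 1 coin")
    c = bytearray(c)
    c[9] ^= ord("1") ^ ord("9")
    try:
        decrypt(p, priv, ephem_pub, bytes(c), tag)
    except ValueError:
        return True
    return False

def selftest(bits=256):
    """(round trip ok, plaintext recovered from the tampered ECES ciphertext, ECAES rejects tampering)"""
    p = make_safe_prime(bits)                   # toy size; deployments use far larger groups
    priv, pub = keygen(p)
    eph, c, tag = encrypt(p, pub, b"hello P1363a")
    return (decrypt(p, priv, eph, c, tag) == b"hello P1363a",
            malleability_demo(p, priv, pub), tamper_detected(p, priv, pub))

if __name__ == "__main__":
    print(selftest())                           # (True, b'transfer 9 coin', True)
```

The subgroup check in decrypt is the part most often dropped from sketches like the one in the minutes: without it a sender can supply an ephemeral value of small order and learn bits of the recipient's private key from which MACs verify. The MAC is what turns the ECES one-time pad into something that can claim the "Yes" column in Okamoto's table; the XOR step alone is secure only against a passive eavesdropper.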
  * Verify with RSA Data Security that the Schnorr license is worldwide (Kaliski)
  * Announce electronic voting procedures, eligible voters (Kaliski)
  * Call for volunteers for office; verify with Arnold and Reyzin (unelected Webmaster) their interest in continuing in office (Kaliski)
  * Draft officer responsibilities and terms for review in June (Kaliski)
  * Verify section expert availability (Kaliski)
  * June meeting arrangements (Kaliski)
  * Begin discussion on the list re: ES, SS (Kaliski)
  * Finish financial report for 1998; UCSB checks, IEEE meeting fees from Crypto '98 (Markowitz)

We then summarized the meeting:
  * Several P1363a submissions presented
  * Developed preliminary plan for encryption, signature schemes
  * Started process for electing new officers
  * Ratified electronic voting procedures, with amendment
  * Reviewed ballot logistics, meeting scheduling

Motion 4 (Kravitz, Leprevost) Adjourn. Passed, unanimously.

We adjourned at about 1:15 pm.