MINUTES IEEE P1363: Standard for RSA, Diffie-Hellman, and Related Public-Key Cryptography Burt Kaliski opened the meeting at 1 pm. The announced agenda was: IEEE P1363: Standard for RSA, Diffie-Hellman and Related Public-Key Cryptography MEETING NOTICE Wednesday, May 10, 1995, 1:00-6:00pm Claremont Resort, Oakland, CA This sixth meeting of the P1363 working group, open to the public, will review a draft standard for RSA, Diffie-Hellman and other public-key cryptography. This follows the IEEE Symposium on Security and Privacy, held May 8-10 at the same location. AGENDA 1. Approval of Agenda 2. Approval of Minutes from January Meeting 3. Officers' Reports 4. Review of Draft Standard 5. Proposals for New Sections 6. New Work Assignments 7. Meeting Schedule If you'd like to participate, contact Burt Kaliski, the working group's chair, at RSA Laboratories, 100 Marine Parkway, Redwood City, CA 94065. Phone: (415) 595-7703, FAX: (415) 595-4126, E-mail: burt@rsa.com. Draft sections and copies of previous minutes are available via anonymous ftp to rsa.com in the "pub/p1363" directory. The working group's electronic mailing list is ; to join, send e-mail to . There is no meeting fee this time. The Claremont Resort is at the corner of Ashby and Domingo Avenues in Oakland, California, 14 miles from the Oakland Airport. Phone: (510) 843-3000. In attendance, we had: Terry Arnold, Vice Chair Matt Blaze Eric Blossum Paul Cohen *Whitfield Diffie *Roger Golliver *Burt Kaliski, Chair *John Kennedy *Michael Markowitz *Alfred Menezes Warren Monroe *Mark Oliver Hilarie Orman Birgit Pfitzmann *Roger Schlafly, Secretary Jerry Solinas *Scott Vanstone Vijay Varadharajan Harold M. Wilensky Yacov Yacobi Those marked with an asterisk were qualified to vote, having also attended 2 of the last 3 meetings (and thus 3 of 4, including this one). Motion 1: The agenda is approved. Passed, unanimously. Golliver reminded us that he had been eligible to vote at the last meeting, and so the minutes to that meeting should have an asterisk by his name. Some other stickler for detail pointed out that Siemens had been mispelled. Motion 2: (Oliver) Approve the minutes, as corrected. Passed, unanimously. Kaliski mentioned our informal relationship with ISO SC27 WG 2. Official reports are supposed to come through ANSI. Kaliski looked into getting object identifiers from ISO. He said Dave James is looking into the matter in behalf of several IEEE committees. Oliver reported that the IEEE document people use Framemaker on the Macintosh. This is inconvenient as our documents are currently in other formats. Kaliski said that we will have to collect a $20 meeting fee at each of the next two meetings. Schlafly reported that he now has evidence that Public Key Partners asserts a patent claim against elliptic curve technology, as we are standardizing it. Kaliski distributed a handout on the patent policy situation, and initiated a discussion on our alternatives. He said that PKP has still not given patent assurances but that the IEEE Standards Board is willing to grant a waiver so we can do work in the meantime. The MSC suggested a waiver because it thinks that balloting elliptic curves separately is not ideal. Other alternatives included sticking to elliptic curves, dividing into multiple projects, moving algorithms to an informative annex, and disbanding. There was not much sentiment in favor of the latter choices. Kaliski described the balloting process. It takes about six months under favorable conditions. Schlafly argued that the IEEE patent policy is a good one, and that we should not seek a waiver. We could stick to elliptic curves and abandon the other algorithms if necessary. Motion 3: (Blossum, Oliver) Request waiver on "no significant drafting" policy, with regard to patent assurances. Passed, 6-1-1. Kaliski will make the request to the IEEE Standards Board, and expects it to be granted at its next meeting on May 31. We took a break at 2:30. Yacobi gave a presentation on a public key authentication system that he helped develop. It is becoming part of an ISO standard. Bellcore has patents on it. Vanstone and Menezes reported on the elliptic curve spec. Schlafly suggested including the factorization of the number of points on the elliptic curve to be included in the elliptic curve setup. The rationale is to allow someone to verify the security of the setup. After some discussion, Vanstone and Menezes agreed to insert some mechanism for determining the factorization. Arnold suggested adding a section for standard compliance. It could suggest satisfactory algorithms for testing primality, determining that the order of the generator has a large prime factor, etc. After some discussion, we all agreed. Schlafly argued for limiting the key size range. A minimum would eliminate implementations we believe to be insecure, and a maximum would make fully conforming implementations easier. Others argued that different applications require different security levels, and that it is impossible for us to make such a decision. A section will have some guidelines on security based on known attacks. Motion 4: (Markowitz, Oliver) Do not specify a minimum or maximum key size. Passed, 6-1-1. We took a break at 4:30. Someone suggested changing SHA to SHA-1. Arnold agreed to expand 6.1 with some introductory material for novices. Kennedy, Blossum, and Sutherland volunteered to review it. The LiDIA package is a freeware program with routines for computational number theory and elliptic curves. It is available by anonymous ftp from crypt1.cs.uni-sb.de:pub/systems/LiDIA The next release in the fall is expected to have the capability to count points on an elliptic curve. Kaliski volunteered to write a new section on the framework. The next meeting is scheduled for Aug. 31 and Sept. 1 in Santa Barbara, right after the Crypto '95 conference. We are hoping to complete a draft to be ready for ballot at that meeting. (The extra day is to allow time for editorial changes.) We tentatively scheduled the following meeting to be in Toronto, hosted by Mobius Tech, on or around Nov. 13. Aucsmith has apparently dropped out of the editor job. Oliver distributed a draft consisting mainly of some definitions and an outline for the rest. Motion 5: (Kennedy, Golliver) Oliver is the sole editor. Passed, unanimously. We adjourned at 5:40 pm.