MINUTES
IEEE P1363:
Standard for RSA, Diffie-Hellman, and Related Public-Key Cryptography
The announced agenda was:
IEEE P1363: Standard for RSA, Diffie-Hellman and Related
Public-Key Cryptography
MEETING NOTICE
(REVISED)
Wednesday, May 8, 1996, 1:00-5:00pm
Thursday, May 9, 1996, 9:00-5:00pm
Friday, May 10, 1996, 9:00-5:00pm
Claremont Resort, Oakland, CA
This meeting of the P1363 working group, open to the public,
will focus on the editing of a draft standard for RSA,
Diffie-Hellman and other public-key cryptography. The
meeting follows the IEEE Symposium on Security and Privacy,
held May 5-8 at the same location.
AGENDA
1. Approval of Agenda
2. Approval of Minutes from February Meeting
3. Officers' Reports
4. Proposals for New Sections
5. Meeting Schedule
6. Editorial Work
a. Introduction
b. Acronyms and definitions
c. Mathematical conventions
d. Elliptic curve cryptographic algorithms
e. ASN.1 syntax
f. Mathematical background
g. Elliptic curve background
h. Example data
i. Number-theoretic algorithms
j. Security considerations
k. Implementation considerations
l. References
m. Compliance
n. Other sections
7. Discussion of New Contributions
a. Polynomials over F_{2^r} (Erik De Win)
b. Diffie-Hellman systems (John Kennedy)
c. Discrete logarithm systems (Roger Schlafly)
d. RSA systems (Yiqun Lisa Yin)
8. New Work Assignments
If you'd like to participate, contact Burt Kaliski, the
working group's chair, at RSA Laboratories, 100 Marine
Parkway, Redwood City, CA 94065. Phone: (415) 595-7703, FAX:
(415) 595-4126, E-mail: burt@rsa.com
(B.Kaliski@newton.cam.ac.uk through 19 April).
Draft sections and copies of previous minutes are available
on , which is also
accessible through . The working
group's electronic mailing list is
; to join, send e-mail to
.
There will be a meeting fee, no more than $130 US to cover
the IEEE international participation fee of $50 (waived in
case of financial hardship), and meeting expenses for the
three days. A final meeting fee will be calculated at the
meeting, based on attendance.
The Claremont Resort is at the corner of Ashby and Domingo
Avenues in Oakland, California. Phone: (510) 843-3000.
For more information on the IEEE symposium, contact Dale
Johnson, general chair, at (617) 271-8894 or
.
Meeting minutes
===============
In attendance, we had:
*Terry Arnold, Vice-Chair (2nd day only)
*Lily Chen
*Don Johnson
*Burt Kaliski, Chair
*John Kennedy, Treasurer
*Ray Kopsa
*Alfred Menezes
*Roger Schlafly, Secretary
*Jerry Solinas
*Scott Vanstone
*Michael Wiener
Yiqun Lisa Yin
Those marked with an asterisk above were qualified to vote.
Motion 1. The agenda is approved. Passed, unanimously.
Johnson asked for another correction to the description of what he
presented at the 8th meeting. He suggests: "Johnson presented a
reverse signature scheme which utilized Bellare-Rogaway and previous
ideas." He also changed "It solves some problems" to "It may solve
some problems".
Motion 2. (Johnson, Menezes) Approve the minutes, as amended.
Passed, unanimously.
We had officers' reports. Kaliski had volunteered to take action
related to the Cylink and Certicom patents on normal bases. He
said Vanstone convinced him that the patents are on particular
hardware implementations, and that we shouldn't worry about them.
Kennedy said that the Cylink patents were not problems either.
Schlafly expressed a concern that it might be the case that the
patents foreclose efficient implementations, and that someone
circumventing the patents might not be competitive. Kaliski
agreed to put an open letter concerning patents on the drafts.
The IEEE has an "uploads" directory, parallel to "pub". Connect
to ftp://stdsbbs.ieee.org/uploads. Anyone can upload. The
directory is private and write-only, so you cannot see the
upload. You then have to send email to spa-admin@ieee.org to
move the file to ftp://stdsbbs.ieee.org/pub/p1363/drafts or
wherever.
Once we have a draft standard, it will go into a private directory,
protected by a password. This is a goofy IEEE policy. We can still
apparently tell others the password, and we want public review of
the draft.
The IEEE P1363 mailing list is running. Kaliski approves
additions to the list, but never rejects anyone and will just make it
automatic. To get info, send "help" in the body of a message to
majordomo@majordomo.ieee.org.
Schlafly will upload a new members.txt with the full list of
participants.
We have a web site at stdsbbs.ieee.org. Kopsa volunteered to do
work improving it. Kennedy doesn't want links back to sponsoring
companies. Actually, he doesn't want any fancy graphics either.
Schlafly will add web addresses to members list, if anyone
requests.
The treasurer, Kennedy, reported that he sent $540 to IEEE, but
got no receipt. He wants a checking account, but is not sure it
is justified because of bank fees. We have a $20/man-day fee
covering the IEEE tax to help fund international standards, and
we want higher fees to fund our own causes. Kennedy will call
Bob Davis to get money flowing more quickly.
The editor, Oliver, is ill. He had a blow to the head in an
athletic injury. We are not sure when he will be back to full
productivity.
The other officers had nothing to report at this time.
Kaliski said he expects a new contribution in August, including
ESIGN.
We agreed to meet the Thursday and Friday after Crypto '96, in
Santa Barbara.
Wiener called on the speaker phone, and was online for most of
Wednesday and Thursday.
Wilensky was not present, and it is not clear whether he will be
doing any more work on the introduction.
We launched into a technical discussion of the elliptic curve
draft.
We decided to allow other characteristic 2 field bases. ONB and
polynomial bases will be directly supported. People will be free
to use other bases, as long as they document conversion matrices
with respect to some polynomial basis.
There was some confusion about internal representations versus
external ones. We need to talk about field representations and
bases because they affect output bits. But we don't want to
restrict someone from using some internal representation that has
no effect on I/O. The issue is mostly pedagogical. Kaliski
wanted to take it offline.
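The basis-conversion point in the two paragraphs above (a documented conversion matrix relative to a polynomial basis, and an internal representation that only touches the output bits at I/O time), as an added illustration that is not part of these minutes or of any P1363 draft. The field GF(2^4) with modulus x^4 + x + 1 and the normal basis generated by x^3 are constructed for the example, and the function names are my own:

```python
# Added illustration: hold GF(2^m) elements internally in the polynomial
# basis and apply a documented conversion matrix only at I/O.  Field and
# alternative basis are constructed: GF(2^4), x^4 + x + 1, b = x^3.
M = 4
MODULUS = 0b10011  # x^4 + x + 1, irreducible over GF(2)

def gf_mul(a, b):
    """Multiply two elements given as M-bit ints, bit i = coefficient of x^i."""
    r = 0
    for _ in range(M):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M & 1:
            a ^= MODULUS
    return r

def invert_gf2(rows):
    """Invert an n x n matrix over GF(2); each row is a bitmask, bit j = column j."""
    n = len(rows)
    aug = [(r << n) | (1 << i) for i, r in enumerate(rows)]  # [A | I]
    for col in range(n):
        piv = next(i for i in range(col, n) if aug[i] >> (n + col) & 1)
        aug[col], aug[piv] = aug[piv], aug[col]
        for i in range(n):
            if i != col and aug[i] >> (n + col) & 1:
                aug[i] ^= aug[col]
    return [r & ((1 << n) - 1) for r in aug]  # now [I | A^-1]

# Conversion matrix an implementer would document: row i is alternative-basis
# element i (here b, b^2, b^4, b^8) written in the polynomial basis.
ALT_BASIS = [0b1000]  # b = x^3 (constructed; generates a normal basis here)
for _ in range(M - 1):
    ALT_BASIS.append(gf_mul(ALT_BASIS[-1], ALT_BASIS[-1]))
ALT_INV = invert_gf2(ALT_BASIS)

def change_basis(coords, matrix):
    """Row vector times GF(2) matrix: XOR together the rows selected by set bits."""
    v = 0
    for i, row in enumerate(matrix):
        if coords >> i & 1:
            v ^= row
    return v

def mul_external(ca, cb):
    """Multiply two elements received in the alternative basis: convert in,
    work in the polynomial basis, convert the result back out."""
    prod = gf_mul(change_basis(ca, ALT_BASIS), change_basis(cb, ALT_BASIS))
    return change_basis(prod, ALT_INV)
```

The multiplicative identity serialises as 0001 in the polynomial basis but as 1111 in the normal basis, which is exactly why the declared basis matters for interoperability even when the internal arithmetic is unaffected.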
There is an inconsistency in the ordering of polynomial
coefficients. Either Menezes or Solinas needs to switch.
Schlafly raised some technical discrepancies about the data type
conversions. Some conversions don't exactly match up. Schlafly
suggested omitting the bitstring datatype as a simplification.
Kaliski agreed that this was a simplification, and we all agreed
that the few places that mention bitstrings could be reworded to
avoid them.
Terry Arnold showed up on Thursday, and handed out some work on
compliance.
Schlafly gave a presentation on Discrete Logarithms, and handed
out a draft. He changed the section name from "ElGamal" to
reduce confusion. The draft was a direct modification of the
elliptic curve draft. Instead of the elliptic curve group, it
uses a prime-order multiplicative subgroup of a finite field.
A paper by De Win was handed out. He has a variation on
polynomial bases that he recommends. We thought there were other
variations as well, so we want some flexibility to do any of
these variations, and not tie ourselves to a specific one. Maybe we
could put his paper in an informative appendix. We called him, and
he seemed agreeable to this view. He may even write something for
us on generic polynomial bases.
Wiener still opposes standardizing on ONB. Other basis options
must be more than just vague alternatives.
Solinas will add material on polynomial bases to his mathematical
appendix.
Arnold discussed compliance. Each algorithm is an option in the
sense that an implementation can pick and choose algorithms.
Arnold's compliance matrix then specifies the sections that must be
complied with if a particular algorithm is claimed. E.g., ECSVEP1
with and without point compression are separate algorithms.
Kaliski and Arnold met with Russ Housley over lunch. He says we
don't need a separate account. Also, editors have wide latitude
to hack on documents.
Arnold also encouraged everyone to join IEEE, and to recommend
other IEEE members for the ballot committee. We need a certain
participation level for the standard to be adopted. Ballot pool
members must be a member of either IEEE or the IEEE Computer
Society.
We resumed a technical discussion of elliptic curves. Menezes
says he will add more pointers to the appendix in section 3.
We questioned whether three EC signature schemes are really
necessary. Some wanted to get rid of ECSS because hashing is
advisable. Schlafly proposed abandoning ECSSH because (1) three
signature schemes is too many; (2) a normative but unspecified
secure hash function is a compliance problem; (3) ECDSA and ECSS
complement each other nicely, because ECDSA requires SHA-1 and
ECSS has flexibility for message recovery or other hashes.
Everyone eventually agreed, except Johnson.
We discussed some security aspects of ECES. It seems like it is
best used with OAEP, but OAEP has been moved to a non-normative
appendix. We tentatively moved ECES to being non-normative as
well.
We agreed to kill bitstrings. Kaliski thought there was some
chance they might later go back in, so we should allow for that
possibility. Menezes wanted to still use a bitstring notation
for describing mathematical objects, which of course was fine
with everyone.
Friday morning we had presentations from Yin on RSA and Kennedy on
Diffie-Hellman. They each had handouts. Kennedy is pushing
several new Diffie-Hellman protocols, following ANSI X9.42. The
Secretary skipped it, so he has nothing more to say.
Some people went to a game store at lunchtime, and amused
themselves with puzzles all afternoon.
Johnson gave a talk on Bellare-Rogaway OAEP. He suggested a more
"balanced" version of it. Perhaps some OAEP variants will appear
in an informative appendix.
OAEP was designed for use with RSA, but Kaliski reported that
Rogaway claims their security proofs also work for the EC and DL
settings.
Kennedy collected a meeting fee of $155 per person. The hotel
served us some very expensive cookies.
Kaliski summarized where we are on the various sections, and who
was working on them:
  Introduction, definitions, Math (Menezes)
  EC systems (Menezes)
  ASN.1 syntax (Kaliski)
  Conformance (Arnold)
  Math background (Menezes)
  EC background (Menezes)
  Number theoretic algorithms (Solinas)
  Security (Ellison)
  Implementation considerations (anyone?)
  References
  Rationale
Kaliski offered to devote some resources at RSADSI towards
editing the draft. He wants to have an integrated document with
RSA in it.
Motion 3. (Kennedy, Solinas) We appoint Lisa Yin co-editor of
the document; we have a teleconference around June 15 to discuss
technical content with the goal of producing a draft suitable for
public comment in August at Crypto '96; and further that we will
strive to incorporate all sections (EC, DL, RSA) in this draft.
Passed, unanimously.
A teleconference is scheduled for 10am PDT, Thursday, June 13.
The plan is to go to ballot in the fall. We didn't schedule the
fall meeting yet.
We adjourned late Friday afternoon.
Roger Schlafly
Secretary